This new malware goes after Facebook Business accounts

A new strain of malware has been identified that targets corporate Facebook accounts and steals their cryptocurrency, experts have revealed.

A new report from Unit 42, the cybersecurity arm of Palo Alto Networks, has identified the malware as NodeStealer, a Python variant of the malware originally written in JavaScript.

To get people to install NodeStealer, hackers reached out via Facebook and offered fake “professional” budget tracking templates for Microsoft Excel and Google Sheets. Given that the attackers went after business accounts, it’s no wonder they tried to lure people in by offering business tools and help.

Inactive campaign

The “templates” were hosted on Google Drive and contained in a .ZIP archive. The archive contained the NodeStealer executable which was also capable of deploying additional malware such as BitRAT and XWorm, as well as disabling Microsoft Defender antivirus and stealing cryptocurrencies via the MetaMask browser add-on wallet.

The strain was used in a malicious campaign that began in December 2022, the researchers said, adding that it’s unlikely the plan is still ongoing.

NodeStealer was first noticed in May 2023 by Meta, when the company described it as a thief that grabs cookies and passwords in browsers. NodeStealer was able to compromise not only Facebook accounts, but also Gmail and Outlook.

“NodeStealer poses a significant risk to both individuals and organizations,” said Unit 42 researcher Lior Rochberger. “Besides the direct impact on corporate Facebook accounts, which is mainly financial in nature, the malware also steals browser credentials, which can be used for further attacks.”

Originally, the attackers used Facebook corporate accounts to run malicious ad campaigns on the platform and lure the social network’s users to third-party websites where they would incentivize them to download malware or otherwise share sensitive information.

Related Post