Palo Alto finds new malware that poses threat to Facebook Business, Crypto accounts

Palo Alto Networks' Unit 42 has found a new phishing campaign distributing a Python variant of NodeStealer. The malicious code aims to seize control of Facebook business accounts and steal cryptocurrency funds.

According to a blog post published on August 1, the researchers have been monitoring this threat since December 2022. They observed attackers luring victims with phishing emails offering useful business tools, such as spreadsheet templates.

NodeStealer is a recently identified information-stealing malware, first reported by Meta, that enables attackers to steal browser cookies and hijack accounts on various platforms, including Facebook, Gmail, and Outlook.

The first variant identified by Palo Alto Networks has several capabilities: stealing Facebook business account information, downloading additional malware, disabling Windows Defender through its graphical user interface, and stealing funds from the MetaMask cryptocurrency wallet using credentials stolen from the Google Chrome, Edge, and Firefox web browsers.

NodeStealer gathers a range of information about the target account, such as follower count, user verification status, account credit balance, prepaid account status, and advertising information.

The second variant discovered by Unit 42 has additional features, such as parsing emails from Microsoft Outlook, exfiltrating data through Telegram, taking over Facebook accounts, and anti-analysis capabilities.

The malware was first discovered in January this year by Meta's security team, targeting browsers on Windows systems. It can affect various web browsers, including Google Chrome, Microsoft Edge, Brave, and Opera.

The variant revealed by Meta in May is custom JavaScript malware bundled with the Node.js runtime, which allows it to run on different operating systems, such as Windows, Linux, and macOS. The malware is suspected to originate from Vietnam and is allegedly distributed by Vietnamese threat actors.

In May, the social network company took action to disrupt the malware campaign and assist victims in recovering their accounts. 

NodeStealer poses a significant threat to both individuals and organisations, as the credentials it steals from browsers can be used for further attacks.

The phishing messages contain a download link that directs users to a .zip archive hosted on a well-known cloud file storage provider, such as Google Drive. Inside the .zip file is a malicious infostealer executable.

Anil Valluri, MD and VP, India and SAARC, Palo Alto Networks said, “Protecting against NodeStealer and all its variants requires organisations to review their protection policies and take note of the indicators of compromise (IoCs) provided by Unit 42. Proactive measures to educate employees on modern phishing tactics that leverage current events, business needs and other appealing topics are essential.” 
