Unit 42 researchers have uncovered a phishing campaign aimed at taking over Facebook business accounts with a newly identified infostealer variant. The campaign, attributed to threat actors believed to be of Vietnamese origin, fits a wider trend of attackers targeting Facebook business accounts, which are valuable because they hold advertising budgets and payment methods. Although this particular campaign is no longer active, Unit 42 warns that the same techniques are likely to reappear and continue to pose a risk to individuals and organizations.
The infostealer shares characteristics with NodeStealer, the malware Meta disrupted earlier this year. The variant Unit 42 analyzed adds capabilities that the original lacked: cryptocurrency theft, a downloader for additional payloads, and full takeover of Facebook business accounts rather than credential theft alone.
Researchers dubbed the new malware 'NodeStealer 2.0'. It was delivered through a phishing campaign in December 2022 that lured victims into downloading a malicious executable disguised as advertising materials for businesses, hosted on well-known cloud file storage services so that the download link looked legitimate. Two variants were used, both written in Python (the original NodeStealer was JavaScript-based). Variant #1 focused on stealing Facebook business account information, downloading additional malware, and cryptocurrency theft; Variant #2 attempted to take over Facebook accounts, added anti-analysis features, and stole emails.
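The lure described above is an executable that presents itself as a document (advertising material). A simple triage check that is worth running over files staff have downloaded is to compare what a file's name claims to be with what its bytes actually are. The following script is an added example written for this page; it is not code from the Unit 42 report and it knows nothing about NodeStealer's real file names or hashes. The sample file names, the PE header stub and the detection thresholds are all constructed, and the checks (PE content under a document extension, double extensions, right-to-left override characters, space padding) are generic masquerading patterns rather than details the report attributes to this campaign.

```python
"""Flag files whose bytes are a Windows PE executable but whose name claims to be a
document or media file. Added example; sample names, PE stub and thresholds are constructed."""
from __future__ import annotations

import re
import struct

# Types a "marketing materials" lure would plausibly claim to be (assumed list).
DOCUMENT_LIKE = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
                 ".jpg", ".jpeg", ".png", ".gif", ".mp4", ".txt", ".csv", ".zip"}
# Extensions Windows executes directly on double-click (assumed list).
EXECUTABLE = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi"}
RTLO = "\u202e"  # right-to-left override: "ad\u202efdp.exe" renders as "adexe.pdf"
PADDING = re.compile(r" {8,}")  # long space runs push the real extension out of view


def is_pe_file(data: bytes) -> bool:
    """True if data has a DOS 'MZ' header whose e_lfanew field points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (pe_offset,) = struct.unpack_from("<I", data, 0x3C)
    return pe_offset + 4 <= len(data) and data[pe_offset:pe_offset + 4] == b"PE\x00\x00"


def extensions_of(name: str) -> list[str]:
    """All dot-suffixes of a name, lower-cased and trimmed: 'Ads.pdf.exe' -> ['.pdf', '.exe']."""
    parts = name.lower().split(".")
    return ["." + p.strip() for p in parts[1:]] if len(parts) > 1 else []


def assess(name: str, data: bytes) -> list[str]:
    """Reasons why name/data looks like an executable disguised as a document; empty if none."""
    reasons: list[str] = []
    exts = extensions_of(name)
    final_ext = exts[-1] if exts else ""
    pe = is_pe_file(data)

    if pe and final_ext in DOCUMENT_LIKE:
        reasons.append(f"PE content but final extension {final_ext!r} claims a document/media file")
    if pe and not exts:
        reasons.append("PE content with no extension at all")
    if final_ext in EXECUTABLE and any(e in DOCUMENT_LIKE for e in exts[:-1]):
        reasons.append("double extension: document-like name ending in an executable extension")
    if RTLO in name:
        reasons.append("right-to-left override in name: displayed extension differs from the real one")
    if PADDING.search(name):
        reasons.append("space padding in name hides the real extension in file dialogs")
    return reasons


def minimal_pe_stub() -> bytes:
    """Constructed bytes with a valid MZ/PE header layout for testing; not a runnable program."""
    dos_header = bytearray(0x40)
    dos_header[:2] = b"MZ"
    struct.pack_into("<I", dos_header, 0x3C, 0x40)  # e_lfanew -> signature right after header
    return bytes(dos_header) + b"PE\x00\x00" + b"\x00" * 20


# Constructed file names and contents; none are real campaign artefacts.
SAMPLES: dict[str, bytes] = {
    "Facebook Ads Campaign Q1.pdf": minimal_pe_stub(),
    "Brand guidelines.pdf.exe": minimal_pe_stub(),
    "Product photos.jpg" + " " * 40 + ".scr": minimal_pe_stub(),
    "Brochure.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
    "installer.exe": minimal_pe_stub(),  # an honest executable is not a disguise
}


def scan(samples: dict[str, bytes]) -> dict[str, list[str]]:
    """Names that trip at least one check, mapped to their reasons."""
    return {n: r for n, d in samples.items() if (r := assess(n, d))}


if __name__ == "__main__":
    for name, reasons in scan(SAMPLES).items():
        print(repr(name))
        for reason in reasons:
            print("  -", reason)
```

The magic-byte check is the part that matters: a file's extension and icon are attacker-controlled, but a Windows executable must still begin with an MZ header and a valid PE signature to run. A content-type check at the mail gateway or endpoint catches the "document that is really an .exe" lure regardless of how the name is dressed up.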
This discovery fits a growing trend of threat actors targeting Facebook accounts, following earlier operations such as 'Ducktail' and fake ChatGPT Chrome extensions built to steal Facebook session cookies. The Unit 42 blog post advises organizations with Facebook business accounts to review their security policies, hunt for the indicators of compromise provided in the report, and train staff to recognize phishing lures of this kind.
In short, Facebook business account owners should harden their accounts with strong, unique passwords, enable multifactor authentication, and keep up with current threats. Taking these steps ahead of time limits the financial loss, reputational damage, and abuse of advertising accounts that follow a successful takeover.

