September 29, 2023

Researchers have uncovered a previously unreported phishing campaign that uses new variants of the NodeStealer malware.

Successful attacks can lead to financial losses as well as reputational damage for a target, according to a report by Palo Alto Networks' Unit 42.

NodeStealer is designed to take over Facebook business accounts and steal cryptocurrency from MetaMask cryptocurrency wallets. Facebook's parent company, Meta, noted the threat from NodeStealer in May.

The Unit 42 researchers linked the latest campaign to an unidentified Vietnamese threat actor. The hackers targeted a Vietnamese browser named Cốc Cốc and used several Vietnamese-language strings in the malware's code. Meta's earlier report also noted a possible Vietnamese connection.

Attacks on Facebook business accounts are a growing trend among cybercriminals, who exploit them for advertising fraud and other purposes, according to Unit 42.

The malware's first variant was written in JavaScript and allowed hackers to steal browser session cookies, which let an attacker reuse an already-authenticated session to hijack Facebook accounts without the password. The two new NodeStealer variants discovered by Unit 42 were written in Python.

To gain access to target systems, the hackers used phishing links, tricking victims into downloading files that contained the malicious infostealer, Unit 42 said.

Once the malware is executed, it checks for any logged-in Facebook business accounts in the default browser and proceeds to hijack them. It steals various details about the target, such as their follower count, user verification status, account credit balance and ad information.

The malware also tries to steal MetaMask crypto wallet credentials from the Chrome, Cốc Cốc and Brave browsers. MetaMask, which is not affiliated with Meta, is based on the Ethereum blockchain and is meant to interact with decentralized finance (DeFi) applications.

The second variant of NodeStealer can also read the victim's emails, probably to suppress any Facebook alerts that might notify the victim of configuration changes to the account.

While the campaign using the two new NodeStealer variants is no longer active, researchers say that the threat actors may continue to improve the malware to target Facebook business accounts.

"It's also possible that there may be ongoing effects for previously compromised organizations," the researchers said.


Daryna Antoniuk is a freelance reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.