Unit 42 researchers recently uncovered a sophisticated phishing campaign aimed at taking control of Facebook business accounts using a newly identified infostealer variant. This campaign, believed to be orchestrated by a threat actor of Vietnamese origin, is part of a disturbing trend where attackers target Facebook business accounts for advertising fraud and other malicious activities.
Although the specific campaign has been deactivated, Unit 42 warns that the threat actors behind it are likely to continue using similar techniques to compromise Facebook business accounts in the future. This poses significant risks for both individuals and organizations, including financial losses, reputational damage, and the potential for further cyberattacks using stolen credentials.
The infostealer used in this campaign has been dubbed “NodeStealer 2.0” due to its similarities with the NodeStealer variant that was previously taken down by Meta in 2023. This new variant not only targets individuals through malicious browser extensions, ads, and social media platforms but also includes cryptostealing and downloader capabilities, as well as the ability to completely take over Facebook business accounts.
The infostealer was distributed primarily through a phishing campaign in December 2022, in which victims were lured into downloading a malicious executable disguised as advertising materials for businesses. The campaign used two Python variants of the malware, named Variant #1 and Variant #2, each with distinct features and capabilities.
Variant #1 is conspicuous on the host, for example opening pop-up windows, and is capable of stealing Facebook business account information, downloading additional malware, and stealing cryptocurrency through MetaMask credentials. Variant #2, by contrast, operates more discreetly under the guise of ‘Microsoft Corporation,’ attempting to take over Facebook accounts, implementing anti-analysis measures, and stealing emails.
Unit 42’s analysis reveals a growing trend of threat actors targeting Facebook accounts, with previous operations like ‘Ducktail’ and the fake ChatGPT Chrome extension designed to steal Facebook session cookies. The firm suspects that the latest malware discovered is also linked to threat actors based in Vietnam.
Organizations with Facebook business accounts are advised to review their security policies and utilize the indicators of compromise (IoCs) provided by Unit 42 to mitigate similar threats. It is crucial for account owners to use strong passwords, enable multifactor authentication, and educate their teams on phishing tactics to protect against modern, targeted cyberattacks.
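One concrete way to act on the IoC advice above is a sweep of endpoint and proxy telemetry against the published indicator list. The script below is an added example, not code from Unit 42 or from the report; the indicator values and the log lines are constructed placeholders (the real NodeStealer 2.0 IoCs are only in the Unit 42 publication), and the three-field log format `<timestamp> <event type> <value>` is an assumption, so a real deployment would load the published list and adapt the parser to its own log source.

```python
"""Sweep constructed log lines against an IoC list (added example).

The indicators below are placeholders, NOT the real NodeStealer 2.0 IoCs;
replace them with the list published by Unit 42. The log format
"<timestamp> <event type> <value>" is an assumption made for this example.
"""
from dataclasses import dataclass
import re

# Constructed placeholder indicators, grouped by type.
IOCS = {
    "sha256": {"0000000000000000000000000000000000000000000000000000000000000001"},
    "domains": {"example-c2.invalid"},
    "filenames": {"advertising_materials.exe"},
}

# Constructed sample telemetry: a DNS lookup, a file write of the lure
# executable, a hash of that file, and two benign events.
SAMPLE_LOGS = [
    "2022-12-05T10:01:00Z dns api.example-c2.invalid",
    "2022-12-05T10:01:02Z file_write C:\\Users\\u\\Downloads\\Advertising_Materials.exe",
    "2022-12-05T10:01:03Z hash 0000000000000000000000000000000000000000000000000000000000000001",
    "2022-12-05T10:02:00Z dns www.facebook.com",
    "2022-12-05T10:03:00Z file_write C:\\Users\\u\\Documents\\report.docx",
]


@dataclass(frozen=True)
class Hit:
    """One indicator match: when it happened, which IoC fired, and the raw line."""
    timestamp: str
    ioc_type: str
    indicator: str
    raw: str


def _domain_matches(observed, domains):
    """Return the listed domain that `observed` equals or is a subdomain of."""
    observed = observed.lower().rstrip(".")
    for d in domains:
        if observed == d or observed.endswith("." + d):
            return d
    return None


def _basename(path):
    """Last path component, lower-cased, accepting both Windows and POSIX separators."""
    return re.split(r"[\\/]", path)[-1].lower()


def scan_logs(lines, iocs=IOCS):
    """Parse each log line and return a list of Hit objects for IoC matches.

    Malformed lines are skipped rather than raising, so a single bad record
    does not abort a sweep over a large log.
    """
    hits = []
    for raw in lines:
        parts = raw.split(maxsplit=2)
        if len(parts) != 3:
            continue
        ts, kind, value = parts
        if kind == "dns":
            d = _domain_matches(value, iocs["domains"])
            if d:
                hits.append(Hit(ts, "domain", d, raw))
        elif kind == "file_write":
            name = _basename(value)
            if name in iocs["filenames"]:
                hits.append(Hit(ts, "filename", name, raw))
        elif kind == "hash":
            h = value.lower()
            if h in iocs["sha256"]:
                hits.append(Hit(ts, "sha256", h, raw))
    return hits


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(f"{hit.timestamp} {hit.ioc_type:<8} {hit.indicator}  <- {hit.raw}")
```

Matching is case-insensitive for hashes and file names and covers subdomains of a listed domain, which is the usual shape of published network indicators; feeding the output into a ticketing or SIEM pipeline is where the "review your security policies" step from the advice above would continue.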
In conclusion, the threat landscape for Facebook business accounts continues to evolve, emphasizing the importance of proactive security measures and vigilance against sophisticated phishing campaigns.