Cybersecurity researchers have identified a new and more capable variant of malware that can take full control of Facebook business accounts.
The malware, dubbed "NodeStealer 2.0," is a Python rewrite that can now also steal cryptocurrency and abuse Telegram to exfiltrate the data it collects. Its predecessor, disclosed by Meta in May 2023, was written in JavaScript; the new version builds on the original account-hijacking capability to carry out more complex, multi-stage attacks with severe consequences for its victims.
The attackers' main infection vector is a phishing campaign. The operation, which dates back to December 2022, used multiple Facebook pages and user accounts to post deceptive content that lured victims into downloading seemingly harmless files, posing as office tools such as spreadsheet templates, hosted on well-known cloud file storage providers. Opening one of these files executes NodeStealer 2.0, which immediately begins its data-theft routine.
Researchers from Palo Alto Networks' Unit 42 said what sets this malware apart is its ability to take over Facebook business accounts silently, without the victim noticing. Once running, the malware connects to the Meta Graph API using the victim's Facebook user ID and access token. The Graph API is the primary programmatic gateway to Facebook's data, so a valid token lets the attackers pull details about the account, including follower count, verification status, and prepaid account details. The stolen data is then relayed to the command-and-control (C2) server, allowing the threat actors to plan their next moves.
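The two network behaviours described above, Graph API calls made with a stolen access token and exfiltration over Telegram, are both visible at an egress proxy. The script below is an added illustration, not code from the article or from Unit 42: it runs two detection rules over constructed proxy records, flagging any non-browser process that presents an `access_token` to graph.facebook.com and any call to the Telegram Bot API. The record format, the process names, the set of "expected" browsers and the assumption that the Telegram channel is the Bot API (`api.telegram.org/bot<token>/<method>`) are all assumptions made for this example; the sample records and tokens are invented.

```python
"""
Detection heuristics for NodeStealer-style account-takeover traffic.

Added example; not code from the article or from Unit 42. The proxy record
format, process names and the Telegram Bot API assumption are constructed
for illustration. Tokens in the sample data are invented.
"""
import re
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Processes expected to talk to the Graph API on a user's behalf (assumption).
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}

# Telegram Bot API path: /bot<numeric id>:<secret>/<method>
TELEGRAM_BOT_PATH = re.compile(r"^/bot(?P<token>\d+:[\w-]+)/(?P<method>\w+)$")
TELEGRAM_EXFIL_METHODS = {"sendDocument", "sendMessage"}


def redact_url(url: str) -> str:
    """Mask Facebook access tokens and Telegram bot tokens before a URL is written
    into an alert, so the detection pipeline does not itself leak the secrets."""
    parts = urlsplit(url)
    path = TELEGRAM_BOT_PATH.sub(lambda m: f"/botREDACTED/{m.group('method')}", parts.path)
    qs = parse_qs(parts.query, keep_blank_values=True)
    if "access_token" in qs:
        qs["access_token"] = ["REDACTED"]
    return urlunsplit((parts.scheme, parts.netloc, path, urlencode(qs, doseq=True), parts.fragment))


def classify(record: dict) -> list[tuple[str, str]]:
    """Return (rule_name, detail) findings for one constructed proxy record."""
    findings = []
    parts = urlsplit(record["url"])
    host = (parts.hostname or "").lower()
    proc = record.get("process", "").lower()
    safe_url = redact_url(record["url"])

    # Rule 1: a Graph API call carrying a user access token from something that
    # is not a browser is how a stealer replays a harvested session.
    if host == "graph.facebook.com":
        if "access_token" in parse_qs(parts.query) and proc not in BROWSER_PROCESSES:
            findings.append(("graph_api_nonbrowser",
                             f"{proc} presented an access_token to {safe_url}"))

    # Rule 2: uploads to the Telegram Bot API from an endpoint are a common
    # exfiltration channel; the bot token in the path identifies the attacker's bot.
    if host == "api.telegram.org":
        m = TELEGRAM_BOT_PATH.match(parts.path)
        if m and m.group("method") in TELEGRAM_EXFIL_METHODS:
            findings.append(("telegram_bot_exfil",
                             f"{proc} called Telegram Bot API {m.group('method')} at {safe_url}"))
    return findings


def scan(records: list[dict]) -> list[tuple[str, str, str]]:
    """Run classify() over a batch and return (timestamp, rule, detail) triples."""
    return [(r["ts"], rule, detail) for r in records for rule, detail in classify(r)]


# Constructed egress-proxy records (invented hosts, processes and tokens).
SAMPLE_RECORDS = [
    {"ts": "2023-07-31T09:12:01Z", "process": "chrome.exe", "method": "GET",
     "url": "https://graph.facebook.com/v17.0/me?fields=id,name&access_token=EAABconstructedToken001"},
    {"ts": "2023-07-31T09:12:44Z", "process": "python.exe", "method": "GET",
     "url": "https://graph.facebook.com/v17.0/me?fields=id,name&access_token=EAABconstructedToken001"},
    {"ts": "2023-07-31T09:13:02Z", "process": "python.exe", "method": "POST",
     "url": "https://api.telegram.org/bot1234567890:AAHconstructedBotToken_0123/sendDocument"},
    {"ts": "2023-07-31T09:15:10Z", "process": "outlook.exe", "method": "GET",
     "url": "https://outlook.office365.com/owa/"},
]

if __name__ == "__main__":
    for ts, rule, detail in scan(SAMPLE_RECORDS):
        print(f"{ts} [{rule}] {detail}")
```

The first record is deliberately left unflagged: the same Graph API call from a browser is normal Facebook usage, so the rule keys on the requesting process rather than on the endpoint alone. In a real deployment the process name would come from an endpoint agent or a proxy that records the client binary, and the browser allow-list would be tuned to the fleet.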
NodeStealer 2.0 also attempts to steal saved login credentials from the most commonly used web browsers. Variant #2 of the malware goes further: it replaces the legitimate user's email address on the account with one controlled by the attackers, locking the rightful owner out of their own Facebook business account with little hope of recovery.