Palo Alto Networks discovers new version of malware targeting Facebook accounts

Cybersecurity solutions company Palo Alto Networks’ researchers have unearthed a new phishing campaign aimed at Facebook business accounts. The malware, dubbed NodeStealer, is designed to steal information and was initially compiled in July 2022.

Palo Alto Networks Unit 42 revealed that the primary infection vector for the infostealer originated from a phishing campaign that deployed an updated version of NodeStealer in December 2022.

“Besides the direct impact on Facebook business accounts, which is mainly financial, the malware also steals credentials from browsers, which can be used for further attacks,” Vicky Ray, Director at Unit 42 Cyber Consulting & Threat Intelligence, Asia Pacific & Japan at Palo Alto Networks, said in a statement.

In May 2023, Meta issued a report detailing the malicious activities associated with NodeStealer, all of which were detected in January 2023. The renewed campaign comprised two variants scripted in Python, featuring augmented functionalities such as cryptocurrency theft, download capabilities, and a complete takeover of Facebook business accounts.

The threat actors steal browser cookies to hijack Facebook accounts. They lure victims into downloading files hosted on reputable cloud storage services; once the victim clicks the link, a ZIP file containing the info-stealing executable is downloaded onto the device.

Facebook’s Graph API

NodeStealer leverages the Graph API, a tool employed to import and export data from the Facebook platform, to steal information about the target. This includes metrics like follower count, user verification status, account credit balance, prepaid status, and ads insights. The Graph API, an HTTP-based interface, empowers applications to programmatically retrieve data, post stories, manage ads, upload images, and perform various other tasks.

Apart from scraping data from the Facebook business account, the malware also steals account credentials. It scours the cookies and local databases of various browsers including Chrome, Edge, Cốc Cốc, Brave, and Firefox for Facebook usernames and passwords.

“Facebook business account owners are encouraged to use strong, complex, hard-to-guess passwords and enable multifactor authentication,” Palo Alto Networks said. “Take the time to educate your organization on phishing tactics, especially modern, targeted approaches that address current events, business needs, and other appealing topics.”