A new malware strain has been identified targeting Facebook business accounts and stealing their cryptocurrency, experts have revealed.
A new report from Unit 42, the cybersecurity arm of Palo Alto Networks has identified the malware as NodeStealer, a Python variant of the malware originally written in JavaScript.
To get people to install NodeStealer, hackers were reaching out via Facebook, offering fake “professional” budget tracking Microsoft Excel and Google Sheets templates. Given that the attackers were going after business accounts, it’s no wonder that they were trying to lure people in by offering business-related tools and assistance.
Idle campaign
The “templates” were hosted on Google Drive, residing in a .ZIP archive. The archive carried the NodeStealer executable which was also capable of deploying additional malware, such as BitRAT and XWorm, as well as disabling Microsoft Defender antivirus and stealing cryptocurrencies through the MetaMask browser addon wallet.
The strain was used in a malicious campaign that started in December 2022, the researchers said, adding that it’s unlikely that the scheme is still ongoing.
NodeStealer was first spotted in May 2023 by Meta, when the company described it as a stealer that grabs cookies and passwords stored in browsers. NodeStealer was capable of compromising not just Facebook accounts, but Gmail and Outlook, too.
“NodeStealer poses great risk for both individuals and organizations,” Unit 42 researcher Lior Rochberger said. “Besides the direct impact on Facebook business accounts, which is mainly financial, the malware also steals credentials from browsers, which can be used for further attacks.”
Originally, the attackers were using Facebook business accounts to run malicious advertising campaigns on the platform, and lure the social network’s users to third-party websites where they’d incentivize them to download malware or otherwise share sensitive information.