In a concerning development, a significant phishing campaign has emerged on Facebook Messenger, posing a grave threat to approximately 100,000 business accounts each week.
Malicious actors have strategically employed a vast network of fake and compromised Facebook profiles to disseminate millions of Messenger phishing messages, carrying password-stealing malware with devastating consequences.
These cybercriminals employ cunning tactics to lure unsuspecting victims into downloading a RAR/ZIP archive file. This seemingly innocuous file conceals a downloader designed for an elusive Python-based stealer. This malicious program stealthily seizes cookies and stored passwords from the victim’s web browser.
A recent report highlights that roughly one out of every seventy targeted accounts falls victim to this devious campaign, resulting in substantial financial losses for the affected businesses.
The attackers initiate their scheme by sending phishing messages via Messenger to Facebook business accounts, disguising their communications as copyright violation notices or inquiries about products.
The attached archive contains a batch file, which, if executed, fetches a malware dropper from GitHub repositories. This approach helps evade blocklists and minimizes traceable indicators.
The payload, named ‘project.py,’ not only fetches the necessary Python environment for the information-stealing malware but also ensures persistence by configuring the stealer binary to run at system startup.
To further confound antivirus software, ‘project.py’ employs five layers of obfuscation, making it challenging to detect the threat.
The malware’s primary function is to collect all cookies and login credentials stored within the victim’s web browser, packaging them into a ZIP archive named ‘Document.zip.’ The stolen information is then transmitted to the attackers through the Telegram or Discord bot API.
In a final malevolent act, the stealer wipes the victim’s device of all cookies, effectively logging them out of their accounts. This provides ample opportunity for the scammers to hijack the compromised account by changing its passwords.
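The infection chain described above leaves a recognisable sequence of endpoint artefacts: a batch file launched straight out of an archive, a shell-spawned download from GitHub, a ‘project.py’ dropped in a temp directory, a Python interpreter registered to run at startup, a ‘Document.zip’ written by Python, an outbound connection from Python to a Telegram or Discord API host, and finally browser cookie files being deleted. The following correlator is an added example written for this article, not code from Guardio Labs or from the campaign itself. It classifies simplified, constructed Sysmon-style events into those stages and raises an alert when several stages appear on one host; the field names, the Run-key persistence mechanism and the file paths are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Image and hostname patterns used by the stage rules. api.telegram.org and
# discord.com are the real bot API hosts; everything else here is a heuristic.
PY = ("\\python.exe", "\\pythonw.exe")
SHELLS = ("\\cmd.exe", "\\curl.exe", "\\powershell.exe")
BOT_API_HOSTS = ("api.telegram.org", "discord.com", "discordapp.com")

# CONSTRUCTED sample telemetry (simplified Sysmon-style records; the schema is
# an assumption for this example). WS-SALES-01 shows the full chain,
# WS-DEV-07 shows benign developer activity that must not alert.
SAMPLE_EVENTS = [
    {"host": "WS-SALES-01", "type": "process_create", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'cmd.exe /c "C:\Users\nga\AppData\Local\Temp\Temp1_copyright_claim.zip\open.bat"'},
    {"host": "WS-SALES-01", "type": "network_connect", "image": r"C:\Windows\System32\curl.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "dest_host": "raw.githubusercontent.com", "dest_port": 443},
    {"host": "WS-SALES-01", "type": "file_create", "image": r"C:\Windows\System32\curl.exe",
     "target": r"C:\Users\nga\AppData\Local\Temp\project.py"},
    {"host": "WS-SALES-01", "type": "registry_set", "image": r"C:\Users\nga\AppData\Local\Temp\python\python.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",  # assumed persistence location
     "value": r"C:\Users\nga\AppData\Local\Temp\python\python.exe C:\Users\nga\AppData\Local\Temp\stealer.py"},
    {"host": "WS-SALES-01", "type": "file_create", "image": r"C:\Users\nga\AppData\Local\Temp\python\python.exe",
     "target": r"C:\Users\nga\AppData\Local\Temp\Document.zip"},
    {"host": "WS-SALES-01", "type": "network_connect", "image": r"C:\Users\nga\AppData\Local\Temp\python\python.exe",
     "dest_host": "api.telegram.org", "dest_port": 443},
    {"host": "WS-SALES-01", "type": "file_delete", "image": r"C:\Users\nga\AppData\Local\Temp\python\python.exe",
     "target": r"C:\Users\nga\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"host": "WS-DEV-07", "type": "network_connect", "image": r"C:\Python311\python.exe",
     "dest_host": "raw.githubusercontent.com", "dest_port": 443},
    {"host": "WS-DEV-07", "type": "file_create", "image": r"C:\Python311\python.exe",
     "target": r"C:\Users\dev\src\project.py"},
]


def classify(ev):
    """Map one event to a stage of the Messenger stealer chain, or None."""
    t = ev["type"]
    img = ev.get("image", "").lower()
    parent = ev.get("parent_image", "").lower()
    target = ev.get("target", "").lower()
    dest = ev.get("dest_host", "").lower()

    # Stage 1: a .bat/.cmd executed directly from inside a ZIP/RAR archive.
    if t == "process_create" and re.search(r"\.(zip|rar)\\[^\\]+\.(bat|cmd)",
                                           ev.get("command_line", ""), re.I):
        return "1_batch_from_archive"
    # Stage 2: a shell-spawned downloader pulling the dropper from GitHub.
    if (t == "network_connect" and dest.endswith(("github.com", "githubusercontent.com"))
            and img.endswith(SHELLS) and parent.endswith("\\cmd.exe")):
        return "2_dropper_fetch_from_github"
    # Stage 3: project.py landing in a temp directory.
    if t == "file_create" and target.endswith("\\project.py") and "\\temp\\" in target:
        return "3_project_py_dropped"
    # Stage 4: a Python interpreter registered under a Run key (assumed mechanism).
    if (t == "registry_set" and "\\currentversion\\run\\" in ev.get("key", "").lower()
            and "python" in ev.get("value", "").lower()):
        return "4_python_run_key_persistence"
    # Stage 5: Python staging the Document.zip exfil bundle.
    if t == "file_create" and img.endswith(PY) and target.endswith("\\document.zip"):
        return "5_document_zip_staged"
    # Stage 6: Python talking to a Telegram or Discord bot API host.
    if t == "network_connect" and img.endswith(PY) and dest in BOT_API_HOSTS:
        return "6_bot_api_exfil"
    # Stage 7: Python deleting a browser cookie store (the victim lock-out step).
    if (t == "file_delete" and img.endswith(PY) and "\\user data\\" in target
            and target.endswith("\\cookies")):
        return "7_cookie_wipe"
    return None


def correlate(events, min_stages=3):
    """Group matched stages per host; alert when at least min_stages are seen."""
    stages_by_host = defaultdict(set)
    for ev in events:
        stage = classify(ev)
        if stage:
            stages_by_host[ev["host"]].add(stage)
    return {host: {"stages": sorted(stages), "alert": len(stages) >= min_stages}
            for host, stages in stages_by_host.items()}


if __name__ == "__main__":
    for host, finding in correlate(SAMPLE_EVENTS).items():
        print(host, "ALERT" if finding["alert"] else "info", finding["stages"])
```

Each rule alone is noisy (developers fetch from GitHub with curl, Python writes ZIPs, browsers rotate cookie files), which is why the correlator only alerts when three or more distinct stages line up on the same host; the cookie-wipe and bot-API stages are the strongest signals and are worth alerting on even in isolation if the Python interpreter lives under a user-writable temp path as in the constructed events.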
Given the typical response time of social media companies to email reports of hijacked accounts, the threat actors have an extended window to carry out fraudulent activities.
Guardio Labs has reported that the scale of this campaign is staggering, with an estimated 7% of all Facebook business accounts falling within its crosshairs.
Furthermore, 0.4% of these targeted accounts have succumbed to the temptation of downloading the malicious archive. However, the precise number of hijacked accounts remains unknown but could be substantial.
Researchers have traced this campaign to Vietnamese hackers, primarily due to distinctive markers within the malware and the use of the “Coc Coc” web browser, which is popular in Vietnam. The researchers explained, “This Python stealer reveals the Vietnamese origin of these threat actors.”
They further deciphered the message “Thu Spam lần thứ,” sent to the Telegram bot, which translates from Vietnamese as “Collect Spam for the X time.”
Vietnamese threat groups have been implicated in multiple large-scale campaigns targeting Facebook this year. Their main monetization strategy involves reselling stolen accounts through platforms like Telegram or dark web markets.
In May 2023, Facebook disclosed the disruption of a Vietnam-originated campaign deploying a new info-stealer malware dubbed ‘NodeStealer,’ responsible for pilfering browser cookies.