NodeStealer Malware Exploits Compromised Facebook Business Accounts in Ad Campaigns

A recent cybersecurity report reveals a concerning trend where compromised Facebook business accounts are utilized to disseminate fraudulent ads. These ads, featuring “revealing photos of young women” as bait, aim to deceive victims into downloading an updated version of the NodeStealer malware.

Upon clicking on these deceptive ads, users inadvertently download an archive containing a malicious .exe file disguised as a ‘Photo Album.’ This executable, written in .NET, is responsible for deploying a second payload, tasked with stealing browser cookies and passwords.
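As an added illustration, not part of the original report, the following Python check inspects a downloaded archive for the lure described above: a Windows PE executable posing as a photo album, either by carrying a lure name with an executable extension, by hiding a double extension, or by carrying PE bytes behind an image extension. The sample archive is constructed inline; the member names and MZ/JPEG header bytes are illustrative.

```python
import io
import os
import zipfile

# Extensions Windows will run; a photo album never needs any of these.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".msi"}
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}
LURE_WORDS = ("photo", "album", "picture", "image")


def suspicious_members(archive_bytes: bytes) -> list[str]:
    """Return names of ZIP members that look like an executable dressed up as a photo album."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = os.path.basename(info.filename).lower()
            stem, ext = os.path.splitext(base)
            _, inner_ext = os.path.splitext(stem)  # catches "photo.jpg.exe"
            with zf.open(info) as fh:
                is_pe = fh.read(2) == b"MZ"  # DOS header magic of a Windows PE file
            lure_name = any(word in base for word in LURE_WORDS)
            double_ext = inner_ext in IMAGE_EXTS and ext in EXECUTABLE_EXTS
            if is_pe and ext in IMAGE_EXTS:          # PE bytes behind an image extension
                findings.append(info.filename)
            elif is_pe and ext in EXECUTABLE_EXTS and (lure_name or double_ext):
                findings.append(info.filename)      # executable named like a photo album
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: one disguised PE, one real JPEG, one harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Photo Album.exe", b"MZ\x90\x00" + b"\x00" * 60)  # fake PE header
        zf.writestr("IMG_0001.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)  # JPEG SOI marker
        zf.writestr("readme.txt", b"holiday pictures")
    return buf.getvalue()


if __name__ == "__main__":
    print(suspicious_members(build_sample_archive()))  # ['Photo Album.exe']
```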

NodeStealer, initially disclosed by Meta in May 2023 as a JavaScript malware designed for Facebook account takeover, has since evolved with threat actors adopting a Python-based variant in their attacks. The malware is linked to a growing cybercrime ecosystem in Vietnam, where multiple threat actors employ overlapping methods, predominantly utilizing Facebook advertising for propagation.

The recent findings highlight the continued use of malicious ads as an entry point to compromise Facebook accounts. Notably, Meta’s Ads Manager tool is exploited in these campaigns, specifically targeting male users aged 18 to 65 in Europe, Africa, and the Caribbean, with the most affected demographic being males aged 45 and above.

In addition to distributing malware through Windows executables disguised as photo albums, these attacks have expanded their scope to target regular Facebook users. The malicious executables are hosted on legitimate websites.

The primary objective of these attacks is to leverage stolen cookies to bypass security measures, such as two-factor authentication, and change passwords, effectively locking victims out of their own accounts.

This type of malicious activity allows cybercriminals to operate discreetly, evading Meta’s security defenses and potentially engaging in financial fraud or further scams.

This discovery aligns with the broader landscape of cyber threats, where attackers exploit various platforms for malicious purposes. Other recent instances include account takeover attacks on betting platforms and phishing scams targeting users of the Roblox gaming platform, emphasizing the need for heightened user awareness and security measures.

As cybersecurity threats continue to evolve, it is crucial for users to exercise caution, stay informed about potential risks, and implement robust security practices to safeguard their online accounts and personal information. As these campaigns continue to diversify and target additional platforms, users are urged to remain vigilant when interacting with ads or unfamiliar content and to protect their digital assets accordingly.