
Facebook malvertising campaign uses ‘obscene images’ to trick victims

Bitdefender Labs has been monitoring the growing trend among cybercriminals who actively exploit social media networks for malvertising. The end goal of these attacks is to hijack accounts and steal personal data through malicious software.

Malvertising campaigns take advantage of the tools and methods used by legitimate entities to distribute regular online ads, with cybercriminals submitting infected links onto typical advertisement networks via some form of provocative enticement meant to sway users into clicking on an infected link.

NodeStealer is a relatively new info-stealer, discovered by Meta’s security team in January 2023, that allows threat actors to steal browser cookies and conduct account takeovers at scale.

The first NodeStealer campaign (documented by Meta) was attributed to threat actors in Vietnam, who custom-built the malicious tool (written in JavaScript and executed through Node.js) to target business users via fake communications through Facebook Messenger. The malware let attackers seize control of business accounts, without the need for any further interactions with the victim, and even bypassed security mechanisms such as two-factor authentication.

Although the stealer was primarily designed to hijack cookie sessions from web browsers including Google Chrome, Microsoft Edge, Brave and Opera, and take over Facebook accounts, threat actors have worked diligently to equip the malware with new capabilities during the year.

The malware is distributed via Windows executable files disguised as photo albums.

According to Bitdefender researchers, threat actors are no longer interested in only hijacking Facebook business accounts – they’ve expanded their attacks to target regular Facebook users by using distinctive methods.

To gain access to users’ accounts and systems, cybercriminals abuse ad credit balances of compromised business accounts to run and manage ads that deliver the malicious payload to their select target audience.

They create a Facebook page under the name “Album Update” (or similar) where they add revealing photos of young women.

After the page is set up, malicious actors begin running ads that promote fake new content and entice users with lewd album covers. Some of the photos advertised appear to have been edited or even AI-generated.

Attackers also use short descriptions to bait users into downloading the media archive, such as “New stuff is online today” and “Watch now before it’s deleted.”

The first line of defense against NodeStealer malware (delivered via phishing links, attachments or ads) is to always use a security solution on your device and keep it up to date. Anti-malware and anti-virus software keep you and your devices safe from new and existing threats by detecting malware and safely removing it or stopping it from causing any damage.

Additionally, internet users should always stay vigilant and stick to good cyber hygiene in all online interactions. It’s always best to think twice before you click on unsolicited links associated with alarming notices or ads that prompt you to download provocative media files.