NodeStealer Malware Campaign Targets Facebook Users through Malicious Ads

Social media platforms have long been attractive targets for cybercriminals looking to take advantage of unwary users.

Bitdefender Labs has published a report on the growing trend of malvertising on social media networks. The attackers' goal is to compromise user privacy and security by pushing malicious software through paid advertising.

Rather than breaking into the platform itself, the criminals abuse the legitimate ad network as a distribution channel, so the malware reaches victims through the same content delivery infrastructure that carries ordinary ads.

This finding underlines the need for users to stay cautious and informed about the latest techniques that put their online accounts, data, reputation, and finances at risk.

The Bitdefender Labs report focuses on how cybercriminals have evolved NodeStealer attacks to exploit Meta’s ad network on Facebook, endangering Facebook users’ privacy and security.

Key Findings from Bitdefender’s Analysis (October 10-20)

Finding: Researchers discovered multiple hijacked Facebook accounts used in the attacks
Details: At least 10 compromised business accounts that continue to serve malicious ads to the public

Finding: The ads serve a newer version of NodeStealer
Details: An updated variant of the malware

Finding: The threat actors created multiple Facebook profiles, all of which dangle access to new media files of the portrayed women
Details: Fake profiles featuring alluring images

Finding: Multiple iterations of the same ad were used in about 140 malicious ad campaigns
Details: Diverse campaigns to target victims

Finding: Attackers used a maximum of 5 active ads at a time and switched between them at 24-hour intervals to try to avoid ad reports from users
Details: Tactics employed to evade detection

Finding: The ads used revealing photos of young women to lure victims into deploying the payload
Details: Social engineering techniques

Finding: Clicking on an ad immediately downloads an archive containing a malicious .exe "Photo Album" file, which in turn drops a second executable written in .NET; this payload is in charge of stealing browser cookies and passwords
Details: Mechanism for payload delivery and data theft


NodeStealer Malware

NodeStealer is an information stealer first identified by Meta's security team in January 2023. Originally aimed at business users over Facebook Messenger, the malware quickly evolved to bypass security measures and hijack accounts. Its principal role is to harvest browser cookies and enable large-scale account takeovers.

Bitdefender researchers noticed an unusual twist in the NodeStealer Facebook operation: instead of focusing primarily on business accounts, the fraudsters now use hijacked company accounts to run and manage fraudulent ad campaigns aimed at ordinary Facebook users.

How the Attack Works

Malicious actors spend the ad credit balances of compromised business accounts to run ad campaigns that deliver malicious payloads to their chosen audience.

They create Facebook pages with provocative content, including revealing photos of young women, to lure users into downloading media archives that contain NodeStealer malware.

Once a user clicks one of these enticing ads, an archive download starts immediately. The archive contains a malicious .exe file disguised as a "Photo Album"; when run, it drops a second executable written in .NET that steals browser cookies and saved passwords from the victim's device.

The attackers leverage Meta’s Ads Manager tool to specifically target male users on Facebook, primarily those aged 18 to 65 from Europe, Africa, and the Caribbean.

In an attempt to avoid detection, the threat actors use various names for their fake profiles and ad campaigns, such as Album Update, Album Girl News Update, Private Album Update, Hot Album Update Today, and Album New Update Today. These profiles display alluring images that prompt users to click the advertised links.

The malicious ads frequently carry descriptions such as "New stuff is online today" and "Watch now before it's deleted" to entice unsuspecting users into downloading the media archives.

These so-called "Albums" ultimately lead to repositories on platforms such as Bitbucket and GitLab that host the archives carrying the NodeStealer payload. Once the payload runs, the attacker has unauthorized access to the victim's system and the data on it.

The campaign is dynamic: the attackers rotate between at most five active ads every 24 hours so that user reports against any single ad do not take down the operation.
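The two observable artefacts of this delivery chain are an ad link pointing at an archive hosted on Bitbucket or GitLab, and an archive whose "Photo Album" entry is really a Windows executable. The following is an added example (not Bitdefender's tooling, and not code from the report) of how a triage script might check both. It assumes the archive is a ZIP, uses a constructed in-memory sample rather than a real NodeStealer sample, and generalizes slightly beyond the page by also flagging PE content hidden behind a media file extension; the hostnames come from the report, while the "archive extension in the URL path" test and the example URLs are heuristics of my own.

```python
"""Triage checks for the NodeStealer-style lure: ad links to repo-hosted archives,
and archives whose photo-album entries are actually Windows executables.
Added example; the sample archive below is constructed, not a real malware sample."""
import io
import zipfile
from urllib.parse import urlparse

PE_MAGIC = b"MZ"  # every Windows PE file (exe/dll) begins with the DOS 'MZ' stub
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi", ".dll"}
MEDIA_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".mp4", ".mov"}
# Hosts the report names as payload repositories; the archive-extension path
# test is an assumption, not something the report describes.
REPO_HOSTS = ("bitbucket.org", "gitlab.com")
ARCHIVE_EXTENSIONS = (".zip", ".rar", ".7z")


def _suffix(name: str) -> str:
    """Lower-cased final extension of an archive entry name ('' if none)."""
    base = name.rsplit("/", 1)[-1].lower()
    return base[base.rfind("."):] if "." in base else ""


def classify_entry(name: str, head: bytes):
    """Return a reason string if the entry looks like an executable, else None.
    Content (PE magic) wins over the file name, because the name is the disguise."""
    ext = _suffix(name)
    if head.startswith(PE_MAGIC) and ext in MEDIA_EXTENSIONS:
        return "pe-disguised-as-media"
    if head.startswith(PE_MAGIC):
        return "pe-executable"
    if ext in EXEC_EXTENSIONS:
        return "executable-extension"
    return None


def suspicious_entries(archive_bytes: bytes) -> list:
    """List (entry name, reason) for every entry in a ZIP that should not be in a photo album."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)  # only the magic bytes are needed
            reason = classify_entry(info.filename, head)
            if reason:
                findings.append((info.filename, reason))
    return findings


def is_repo_hosted_archive(url: str) -> bool:
    """True when an ad link points at an archive download on one of the code-hosting
    sites the report names (heuristic: host match plus archive extension in the path)."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    host_match = any(host == h or host.endswith("." + h) for h in REPO_HOSTS)
    return host_match and parsed.path.lower().endswith(ARCHIVE_EXTENSIONS)


def build_sample_album() -> bytes:
    """Constructed sample archive: a PE stub named like the lure, a PE stub behind
    a .jpg name, and two benign files. Not a real NodeStealer artefact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Photo Album.exe", PE_MAGIC + b"\x00" * 62)
        zf.writestr("preview.jpg", PE_MAGIC + b"\x00" * 62)
        zf.writestr("cover.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
        zf.writestr("readme.txt", b"new stuff is online today\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in suspicious_entries(build_sample_album()):
        print(f"{name}: {reason}")
    # Hypothetical ad destination, for illustration only.
    print(is_repo_hosted_archive("https://bitbucket.org/example/album/downloads/album.zip"))
```

Checking the first two bytes of every entry rather than trusting the file name is the point: the lure works because a user sees "Photo Album" and expects pictures, and an archive viewer may hide or truncate the `.exe` extension. On the real download this check runs before anything is extracted or opened.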