Hackers employ an extensive network of counterfeit and compromised Facebook accounts to dispatch millions of phishing messages via Messenger, aiming at Facebook business accounts. Their objective is to install password-stealing malware on these accounts.
The attackers trick their targets into downloading a RAR/ZIP archive containing a downloader for an evasive Python-based information stealer that extracts the cookies and passwords saved in the victim's web browser.
According to a recent report from Guardio Labs, researchers caution that roughly one out of seventy of these targeted accounts eventually falls victim to compromise, resulting in significant financial losses.
The Facebook Messenger phishing scheme begins with the hackers sending phishing messages to Facebook business accounts, masquerading as copyright violation notices or requests for additional product information.
The attached archive includes a batch file that, when executed, retrieves a malware dropper from GitHub repositories, a hosting choice that helps the download blend in with legitimate traffic and leaves few traces on the victim's machine.
In addition to the payload (project.py), the batch script fetches a self-contained Python environment needed by the data-stealing malware and establishes persistence by configuring the malware to launch during system startup.
The project.py file incorporates five layers of obfuscation, making it challenging for antivirus software to detect the threat.
The malware collects all cookies and saved login data from the victim's web browser, packs them into a ZIP archive named 'Document.zip,' and then transmits the stolen data to the attackers via the Telegram or Discord bot API.
Subsequently, the data thief erases all cookies from the victim’s device, effectively logging them out of their accounts. This gives the scammers ample time to take over the newly compromised account by changing its passwords.
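The chain described above (batch file, GitHub fetch, startup persistence, Python stealer, bot-API exfiltration) is a sequence a defender can hunt for. The following is an added example, not code from the report or from the campaign: it correlates constructed endpoint events per host and flags hosts that match several stages, so a lone GitHub download is not enough to alert. Event field names, the Startup folder and Run key as persistence locations, and the sample events are assumptions.

```python
import json
from collections import defaultdict

# Constructed sample endpoint telemetry (not from the Guardio report): ws-01 shows the
# full chain described in the article, ws-02 shows only a lone GitHub fetch by cmd.exe.
SAMPLE_EVENTS = r"""
{"host":"ws-01","type":"process","image":"cmd.exe","cmdline":"cmd /c \"copyright_notice.bat\""}
{"host":"ws-01","type":"network","image":"cmd.exe","dest":"raw.githubusercontent.com"}
{"host":"ws-01","type":"file","image":"cmd.exe","path":"C:\\Users\\u\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.bat"}
{"host":"ws-01","type":"process","image":"python.exe","cmdline":"python.exe project.py"}
{"host":"ws-01","type":"network","image":"python.exe","dest":"api.telegram.org"}
{"host":"ws-02","type":"network","image":"cmd.exe","dest":"raw.githubusercontent.com"}
"""

GITHUB_HOSTS = {"github.com", "raw.githubusercontent.com", "objects.githubusercontent.com"}
EXFIL_HOSTS = {"api.telegram.org", "discord.com", "discordapp.com"}  # bot / webhook APIs

def stage_of(ev):
    """Map one event to a stage of the chain, or None. Field names are assumed."""
    t, img = ev.get("type"), ev.get("image", "").lower()
    cmd, path, dest = (ev.get(k, "").lower() for k in ("cmdline", "path", "dest"))
    if t == "process" and img == "cmd.exe" and (".bat" in cmd or ".cmd" in cmd):
        return "batch_launched"
    if t == "network" and img == "cmd.exe" and dest in GITHUB_HOSTS:
        return "github_fetch_by_shell"
    # Startup folder drop or Run-key write: assumed persistence locations.
    if t == "file" and ("\\startup\\" in path or "\\currentversion\\run" in path):
        return "startup_persistence"
    if t == "process" and img.startswith("python") and "project.py" in cmd:
        return "python_stealer"
    if t == "network" and img.startswith("python") and dest in EXFIL_HOSTS:
        return "bot_api_exfil"
    return None

def stages_by_host(raw):
    """Return {host: [distinct stages seen, in order]} for newline-delimited JSON events."""
    seen = defaultdict(list)
    for line in raw.strip().splitlines():
        ev = json.loads(line)
        s = stage_of(ev)
        if s and s not in seen[ev["host"]]:
            seen[ev["host"]].append(s)
    return dict(seen)

def flag_hosts(raw, min_stages=3):
    """Hosts matching at least min_stages distinct stages; one GitHub fetch alone is not flagged."""
    return sorted(h for h, s in stages_by_host(raw).items() if len(s) >= min_stages)
```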
Due to the lag in social media companies’ responses to emails regarding hijacked accounts, threat actors have a window of opportunity to engage in fraudulent activities using the compromised accounts.
While the attack chain itself is not novel, the scale of the campaign detected by Guardio Labs is deeply concerning. Researchers report an approximate volume of 100,000 phishing messages sent out weekly, primarily targeting Facebook users in North America, Europe, Australia, Japan, and Southeast Asia.
Guardio Labs reveals that this campaign’s scope is such that approximately 7% of all Facebook business accounts have been subjected to targeting, with 0.4% having downloaded the malicious archive.
To become infected by the malware, users must still execute the batch file, so the precise number of hijacked accounts remains unknown but could be substantial.
Attribution to Vietnamese Hackers:
Guardio attributes this campaign to Vietnamese hackers based on the malware’s strings and the use of the “Coc Coc” web browser, which is reportedly popular in Vietnam.
Guardio explains, “This python stealer reveals the Vietnamese origin of these threat actors,” noting that the message “Thu Spam lần thứ,” sent to the Telegram bot with an appended execution time counter, translates from Vietnamese as “Collect Spam for the X time.”
Vietnamese threat groups have been involved in large-scale campaigns targeting Facebook throughout the year, often monetizing stolen accounts by reselling them on Telegram or dark web markets.
In May 2023, Facebook announced that it had disrupted a campaign of Vietnamese origin that deployed a new info-stealer malware named ‘NodeStealer,’ which was designed to steal browser cookies.
In April 2023, Guardio Labs reported another incident involving a Vietnamese threat actor who exploited Facebook’s Ads service to infect approximately half a million users with info-stealing malware.