Meta is warning of the emergence of “aggressive and persistent” new strains of malware targeting business users of popular platforms including Facebook, Gmail and Outlook.
The malware is deployed through malicious browser extensions, ads, and social media platforms to steal cookies and business account credentials that criminals can then use to run unauthorized ad campaigns.
Facebook’s security team posted Wednesday that, so far this year, its engineers have discovered around 10 new variants of information-stealing malware across Meta’s platforms, which include Instagram and WhatsApp.
The new malware includes some posing as ChatGPT browser extensions and productivity tools, new iterations of the well-known Ducktail information-stealer and some previously unknown strains.
“These malware families target people through email phishing, malicious browser extensions, ads and mobile apps, and various social media platforms with an aim to run unauthorized ads from the compromised business accounts across the internet,” Facebook engineers Nathaniel Gleicher and Ryan Victory wrote.
Threat actors typically disguise malware within innocuous-looking files, as well as in mobile apps or browser extensions available in official app stores. They often latch onto the latest tech or business productivity tools to hide their malware and trick people into clicking on or downloading it.
To target businesses, malware groups often go after the personal accounts of people who manage social media business pages and advertising accounts.
This can include stealing cookies containing valid user session tokens, a tactic that can allow criminals to gain access to accounts without the need for passwords, and to bypass any two-factor authentication protection.
In another post Wednesday, Victory and fellow Facebook engineer Duc Nguyen revealed the existence of NodeStealer, a new malware strain the team discovered in January that is a Windows executable (.exe) file typically disguised as a PDF or Excel file.
The malware is written in JavaScript, executed using Node.js, and compiled into a Windows executable with a tool from the Node Package Manager called pkg. It attempts to steal stored password and cookie session information from Chromium-based browsers including Chrome, Opera, Microsoft Edge and Brave.
NodeStealer specifically targets user credentials for Facebook, Gmail and Outlook.
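Two of the traits described above, an executable disguised as a document and a non-browser process reading Chromium credential or cookie stores, are things a defender can look for in endpoint file-access telemetry. The following Python script is an added illustration, not code from Meta's write-up or from the malware; the event format, the sample events, the process names and the profile paths under `AppData` are constructed assumptions based on the usual Chromium-family profile layout, and the checks are heuristics meant to be tuned, not a signature.

```python
"""Defender-side triage of constructed endpoint file-access events for the
two NodeStealer traits described in the article:
  1. a Windows executable whose name mimics a PDF/Excel document, and
  2. a process other than a browser reading Chromium credential/cookie stores.
"""
import re
from dataclasses import dataclass

DOCUMENT_EXTS = {"pdf", "xls", "xlsx", "doc", "docx"}
EXECUTABLE_EXTS = {"exe", "scr", "com", "bat", "cmd", "pif"}

# Browsers that legitimately open their own credential stores (assumed image names).
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "opera.exe", "brave.exe"}

# Broad heuristic: "Login Data" or "Cookies" files anywhere under a profile's AppData.
# This is an assumption about the Chromium-family profile layout, not an exhaustive list.
CREDENTIAL_STORE_RE = re.compile(r"\\AppData\\.*\\(?:Login Data|Cookies)$", re.IGNORECASE)


@dataclass(frozen=True)
class FileEvent:
    process: str  # image name of the process performing the access
    path: str     # file path that was read


def is_disguised_executable(filename: str) -> bool:
    """True for names like 'Invoice.pdf.exe': an executable extension preceded
    by a document extension, the disguise the article describes."""
    parts = [p.strip() for p in filename.lower().split(".")]
    if len(parts) < 3:
        return False
    return parts[-1] in EXECUTABLE_EXTS and parts[-2] in DOCUMENT_EXTS


def credential_store_access(events):
    """Return events where a non-browser process reads a browser credential store."""
    return [
        ev for ev in events
        if CREDENTIAL_STORE_RE.search(ev.path)
        and ev.process.lower() not in BROWSER_PROCESSES
    ]


def triage(events):
    """Group findings by process. A process that both reads a credential store and
    carries a document-looking name matches the pattern described for NodeStealer."""
    findings = {}
    for ev in credential_store_access(events):
        reasons = findings.setdefault(ev.process, set())
        reasons.add("reads browser credential store")
        if is_disguised_executable(ev.process):
            reasons.add("executable disguised as document")
    return {proc: sorted(reasons) for proc, reasons in findings.items()}


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    FileEvent("chrome.exe", r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    FileEvent("Invoice_2023.pdf.exe", r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    FileEvent("Invoice_2023.pdf.exe", r"C:\Users\alice\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies"),
    FileEvent("notepad.exe", r"C:\Users\alice\Documents\notes.txt"),
    FileEvent("brave.exe", r"C:\Users\alice\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Cookies"),
]


if __name__ == "__main__":
    for proc, reasons in triage(SAMPLE_EVENTS).items():
        print(f"{proc}: {', '.join(reasons)}")
```

The browser allow-list is the weak point of this heuristic: anything injected into or spawned as a browser process, and any legitimate backup or sync agent, will need explicit handling before the rule is useful in production.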
“We hypothesize that the malware steals email credentials to compromise the user’s contact point and potentially to access other online accounts connected to that email account,” Nguyen and Victory said.
When it is able to retrieve Facebook credentials from the target’s browser data, the malware uses them to steal advertising account information by making requests to the APIs used by Facebook web and mobile apps. The stolen data is then exfiltrated to the threat actor’s command-and-control server.
“The stolen information then enables the threat actor to assess and then use users’ advertising accounts to run unauthorized ads,” Facebook wrote.
The engineers say they have not observed any new samples of malware in the NodeStealer family since February 27. Because they identified it within two weeks of its initial deployment, Meta was able to effectively disrupt its wider distribution by submitting takedown requests to third-party registrars, hosting providers, and application services which were used to spread it.
“Because these malicious groups are financially motivated, we expect them to continue probing defenses by diversifying their operations to spread across the internet so they can withstand disruptions by any one company — ours included,” Nguyen and Victory wrote.