Decrypt LOL
Netskope Reports on Evolving NodeStealer Malware Targeting Facebook Accounts


Quick take: In September 2023, Netskope Threat Labs reported on NodeStealer, a Python-based malware that targets Facebook business accounts to collect sensitive information, including login credentials and credit card details. It employs techniques to evade detection and communicates with attackers who are suspected to be Vietnamese.

Fast Facts

  • NodeStealer Overview: A Python-based malware targeting Facebook business accounts, under observation since 2022, with multiple evolving variants.
  • Data Collection: Aims to collect sensitive information, including login credentials, cookies, credit card details, and data from Facebook Ads Manager.
  • Advanced Techniques: Utilizes methods like the Windows Restart Manager to access locked browser files and incorporates junk code to evade detection.
  • Communication and Exfiltration: Suspected Vietnamese attackers avoid local victims and use Telegram for data exfiltration, sending zipped files with stolen information.
  • Defensive Measures: Indicators of Compromise (IOCs) related to NodeStealer are available on GitHub, aiding cybersecurity professionals in threat identification and mitigation.

NodeStealer: A Python-Based Malware Targeting Facebook Business Accounts

In September 2023, Netskope Threat Labs released a comprehensive report on a Python-based malware named NodeStealer. This malware is specifically designed to target Facebook business accounts and has been under observation for over a year. During this period, it has evolved through the introduction of multiple variants, utilizing new techniques and targeting a broader range of victims.

Capabilities and Functionality

NodeStealer primarily aims to collect sensitive information, including login credentials, cookies, and more recently, credit card details. The malware is capable of extracting data from the Facebook Ads Manager, a tool used for managing advertising campaigns on platforms like Facebook and Instagram. Its new functionalities allow it to collect budget details from these accounts, further enhancing its malicious capabilities.

Recent variants of NodeStealer employ advanced techniques to bypass detection and extract information effectively. For instance, the malware uses the Windows Restart Manager, which unlocks browser database files that may be in use, facilitating access to stored credentials. To avoid detection by security systems, NodeStealer incorporates a significant amount of junk code, increasing the size of its executable. Additionally, it utilizes a batch script to dynamically generate and execute the malicious Python script.

Data Collection and Exfiltration

The malware collects this information by generating an access token through the Facebook Graph API. It logs into the Facebook Ads Manager using cookies obtained from the victim and gathers business account details, including fields such as Account ID, Account Name, currency, country code, daily spending limit, and total ad expenditure. This information is stored in a text file named “data.txt” in the TEMP folder.

Furthermore, NodeStealer has shown the ability to extract credit card information from the browser’s “Web Data” SQLite database, pulling sensitive details such as cardholder names, expiration dates, and card numbers. Some variants achieve persistence through the current user’s Run registry key and use PowerShell to execute the malicious script.

Interestingly, the attackers behind NodeStealer are suspected to communicate in Vietnamese while specifically avoiding targeting victims located in Vietnam by checking the victim’s country code. For data exfiltration, all analyzed NodeStealer samples utilize Telegram, sending zipped files containing the stolen data and information about the victims.
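As an added illustration (not code from the Netskope report or from Decrypt), the following Python triages constructed Windows process, registry and network event records for the behaviour chain described above: an HKCU Run key that launches a script host, cmd.exe or powershell.exe spawning python.exe, and a non-browser process contacting the Telegram API. The event field names, sample paths and browser list are assumptions made for this example.

```python
"""Triage constructed Windows telemetry for NodeStealer-like behaviour:
HKCU Run-key persistence via a script host, a batch/PowerShell parent
spawning python.exe, and non-browser traffic to the Telegram API.
Field names (type, image, parent_image, key, value, dest_host) are assumed."""

TELEGRAM_HOST = "api.telegram.org"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}


def basename(path):
    """Return the lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def triage(events):
    """Return (event_id, reason) findings; each record is checked on its own."""
    findings = []
    for ev in events:
        kind = ev["type"]
        if kind == "registry" and ev["key"].lower().startswith(RUN_KEY.lower()):
            # Run-key value whose command is cmd.exe or powershell.exe
            if any(h in ev["value"].lower() for h in SCRIPT_HOSTS):
                findings.append((ev["id"], "HKCU Run key launches a script host"))
        elif kind == "process":
            image, parent = basename(ev["image"]), basename(ev["parent_image"])
            # python.exe started by a batch or PowerShell script host
            if image.startswith("python") and parent in SCRIPT_HOSTS:
                findings.append((ev["id"], f"{parent} spawned {image}"))
        elif kind == "network":
            image = basename(ev["image"])
            # Telegram API reached by something other than a browser
            if ev["dest_host"].lower() == TELEGRAM_HOST and image not in BROWSERS:
                findings.append((ev["id"], f"{image} contacted {TELEGRAM_HOST}"))
    return findings


# Constructed sample events (not indicators from the report).
SAMPLE_EVENTS = [
    {"id": 1, "type": "registry", "key": RUN_KEY + r"\Updater",
     "value": r"powershell.exe -File C:\Users\u\AppData\Local\Temp\run.ps1"},
    {"id": 2, "type": "process", "image": r"C:\Users\u\AppData\Local\Temp\python.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"id": 3, "type": "network", "image": r"C:\Users\u\AppData\Local\Temp\python.exe",
     "dest_host": "api.telegram.org"},
    {"id": 4, "type": "network", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest_host": "api.telegram.org"},  # browser traffic, not flagged
    {"id": 5, "type": "process", "image": r"C:\Python311\python.exe",
     "parent_image": r"C:\Program Files\VSCode\Code.exe"},  # benign parent
]

if __name__ == "__main__":
    for event_id, reason in triage(SAMPLE_EVENTS):
        print(event_id, reason)
```

Any one of these signals is weak on its own; a single host producing all three within a short window is what merits an investigation.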

Conclusion

The evolving nature of NodeStealer’s targeting and techniques highlights the need for enhanced defensive measures. Indicators of Compromise (IOCs) related to this campaign have been made available in a GitHub repository, providing additional resources for cybersecurity professionals to help identify and mitigate the threat posed by NodeStealer.

Original Source: Read the Full Article Here
