

November 21, 2024
Severity
High
Analysis Summary
Threat hunters are alerting users about a new version of the Python-based NodeStealer that can now harvest credit card information from web browsers and extract additional information from victims' Facebook Ads Manager accounts.
The researchers said, “They collect budget details of Facebook Ads Manager accounts of their victims, which might be a gateway for Facebook malvertisement.”
NodeStealer's new methods include injecting garbage code, utilizing Windows Restart Manager to unlock browser database files, and using a batch script to construct and run the Python script dynamically. First made public by Meta in May 2023, NodeStealer began as JavaScript malware before developing into a Python stealer that could collect Facebook account info to aid in its takeover.
Vietnamese threat actors are thought to have created it, and they have a track record of using other malware families that focus on taking over Facebook advertising and business accounts to support other nefarious endeavors. In addition to targeting Facebook Business accounts, the most recent report reveals that NodeStealer artifacts have started to target Facebook Ads Manager accounts, which are used to run ad campaigns across Facebook and Instagram. It is believed that the attackers' goal in doing this is not just to take over Facebook accounts but also to turn them into weapons for use in malvertising operations that spread the malware by disguising it as well-known software or games.
Researchers discovered several Python NodeStealer samples that use the Facebook Graph API to gather account budget information. The samples first generate an access token by logging on to adsmanager.facebook[.]com with cookies harvested from the victim's computer. In addition to collecting the tokens and business-related data tied to those accounts, the malware contains a check specifically designed to avoid infecting Vietnamese machines, a detail that further points to its origin and is likely intended to evade local law enforcement.
Some NodeStealer samples have also been found to use the legitimate Windows Restart Manager to unlock SQLite database files that other processes may hold open, so that credit card information can be stolen from several web browsers. Telegram is used for data exfiltration, showing that, despite the platform's recent policy changes, the chat app remains a vital conduit for cybercriminals.
Facebook malvertising is a profitable attack route that frequently spreads various infections by posing as reliable brands. This is demonstrated by the advent of a new campaign that began on November 3, 2024, and used Facebook-sponsored advertising to install a malicious Google Chrome extension by imitating the Bitwarden password manager program. The malware targets Facebook business accounts and collects personal information, which could result in losses for both individuals and companies. This campaign demonstrates once more how threat actors take advantage of well-known websites like Facebook to trick individuals into jeopardizing their personal security.
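The execution chain described above, a batch script that launches a dynamically built Python script from a temporary directory and then exfiltrates over Telegram, leaves a recognisable pattern in endpoint telemetry. The following is an added detection example written for this advisory, not code from the original report or from the researchers: it correlates a cmd.exe-spawned python.exe running a script from a temp directory with a later network connection from that same process to a Telegram API host. The event records are constructed Sysmon-style samples, and the field names, the temp-directory markers and the api.telegram.org destination are assumptions made for illustration.

```python
from collections import OrderedDict

# Constructed Sysmon-style records (process creation and network connection),
# written for this example; they are not telemetry from the advisory.
SAMPLE_EVENTS = [
    {"host": "WS-01", "type": "process_create", "pid": 4101, "ppid": 3988,
     "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'cmd.exe /c "C:\Users\alice\AppData\Local\Temp\setup.bat"'},
    {"host": "WS-01", "type": "process_create", "pid": 4120, "ppid": 4101,
     "image": r"C:\Users\alice\AppData\Local\Temp\py\python.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"python.exe C:\Users\alice\AppData\Local\Temp\py\run.py"},
    {"host": "WS-01", "type": "network_connect", "pid": 4120,
     "image": r"C:\Users\alice\AppData\Local\Temp\py\python.exe",
     "dest_host": "api.telegram.org", "dest_port": 443},
    # Benign developer activity on another host: python from a normal install
    # path, script outside temp, connecting to a package index.
    {"host": "WS-02", "type": "process_create", "pid": 2210, "ppid": 2100,
     "image": r"C:\Python312\python.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"python.exe C:\dev\scripts\report.py"},
    {"host": "WS-02", "type": "network_connect", "pid": 2210,
     "image": r"C:\Python312\python.exe",
     "dest_host": "pypi.org", "dest_port": 443},
]

# Assumed markers: directories a dropped batch script would typically stage
# its Python payload in, and the Telegram Bot API host used for exfiltration.
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
EXFIL_HOSTS = {"api.telegram.org"}


def _in_temp(path):
    """True if the command line references a temp directory."""
    return any(marker in path.lower() for marker in TEMP_MARKERS)


def detect_nodestealer_chain(events):
    """Return one alert per (host, pid) where a cmd.exe-spawned python.exe
    running a script from a temp directory later connects to an exfil host.

    Events are expected in chronological order, as they would arrive from
    a log pipeline; the process-create record must precede the connection."""
    suspicious = OrderedDict()  # (host, pid) -> process_create event
    alerts = []
    for ev in events:
        if ev["type"] == "process_create":
            if (ev["parent_image"].lower().endswith("\\cmd.exe")
                    and ev["image"].lower().endswith("python.exe")
                    and _in_temp(ev["cmdline"])):
                suspicious[(ev["host"], ev["pid"])] = ev
        elif ev["type"] == "network_connect":
            key = (ev["host"], ev["pid"])
            if key in suspicious and ev["dest_host"].lower() in EXFIL_HOSTS:
                proc = suspicious[key]
                alerts.append({
                    "host": ev["host"],
                    "pid": ev["pid"],
                    "script": proc["cmdline"],
                    "dest": ev["dest_host"],
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_nodestealer_chain(SAMPLE_EVENTS):
        print(f"ALERT host={alert['host']} pid={alert['pid']} "
              f"dest={alert['dest']} script={alert['script']!r}")
```

Requiring both the process lineage and the outbound connection from the same process keeps the rule quiet on ordinary developer use of Python (WS-02 above), while a legitimate Telegram bot would still surface if it were launched from a temp directory by a batch file, which is a reasonable thing for an analyst to look at.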
Impact
- Financial Loss
- Sensitive Data Theft
- Data Exfiltration
Indicators of Compromise
MD5
- cdc07796ddeea6d839358bc5dc171838
- d58b6bf659089148234cf880012682ab
- b3a000158c53633aae897d5902550dc1
- dcfea657edabe54fc43261d5dd486d55
- f21cfe732873f90927d69552c3fa1ada
SHA-256
- 4613225317e768d6d69b412843a314e2af64960856a0cfd798ed52285867bc36
- c5d4e4d9fa2c201d74a14fd1972b670fde243f087451a3a7dc52a9a6db61a1cb
- 641f2db9e9fb8255337672fb8da9226225fa8e393b651c7c7ebbb5b555d4b755
- ea25dd47b43ddaa3df11e6d16544702a8fabbcd0031ba11d1df51461704a8973
- 8dcced38514c8167c849c1bba9c3c6ef20f219a7439d2fc1f889410e34d8f6c9
SHA-1
- 50406e911960d5b6a552c378ce0bd236518194bf
- 8c54843a3d643c08c805d5205f9220e40c07377a
- f3152afb08e7e45735285064079aa75b99b3ab05
- 354bf3e5b82a705d311759338d5e3db28f5e6ad4
- e3112cc5082c05da587c81589e47a37065364d5b
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Ensure that all operating systems, software, and applications are regularly updated with the latest security patches.
- Conduct regular security awareness training for users to recognize and avoid phishing emails.
- Enable antivirus and anti-malware software and update signature definitions promptly. Using multi-layered protection is necessary to secure vulnerable assets.
- Along with network and system hardening, implement code hardening within the organization so that its websites and software are secure. Use testing tools to detect vulnerabilities in deployed code.
- Implement network segmentation to limit lateral movement within the network.
- Implement continuous monitoring of network traffic and endpoint activities to detect any unusual or suspicious behavior.
- Develop and regularly test an incident response plan to ensure a swift and effective response in case of a security incident.
- Implement SIEM solutions to centralize log collection and analysis. This can help in identifying patterns of suspicious behavior and provide timely alerts for potential security incidents.
- Regularly back up critical data and ensure that the backup copies are stored securely.
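The first two remediation steps, blocking the listed indicators and sweeping the environment for them, can be started with a file-hash sweep against the MD5, SHA-1 and SHA-256 values in the Indicators of Compromise section above. The following is an added example written for this advisory, not a tool from the original report: it hashes every file under a directory once with all three algorithms and reports any match. Only the hash values come from the advisory; the directory walk, chunk size and output format are choices made here.

```python
import hashlib
import os
import sys

# Hash indicators copied from the advisory's Indicators of Compromise section.
IOC_HASHES = {
    "md5": {
        "cdc07796ddeea6d839358bc5dc171838",
        "d58b6bf659089148234cf880012682ab",
        "b3a000158c53633aae897d5902550dc1",
        "dcfea657edabe54fc43261d5dd486d55",
        "f21cfe732873f90927d69552c3fa1ada",
    },
    "sha1": {
        "50406e911960d5b6a552c378ce0bd236518194bf",
        "8c54843a3d643c08c805d5205f9220e40c07377a",
        "f3152afb08e7e45735285064079aa75b99b3ab05",
        "354bf3e5b82a705d311759338d5e3db28f5e6ad4",
        "e3112cc5082c05da587c81589e47a37065364d5b",
    },
    "sha256": {
        "4613225317e768d6d69b412843a314e2af64960856a0cfd798ed52285867bc36",
        "c5d4e4d9fa2c201d74a14fd1972b670fde243f087451a3a7dc52a9a6db61a1cb",
        "641f2db9e9fb8255337672fb8da9226225fa8e393b651c7c7ebbb5b555d4b755",
        "ea25dd47b43ddaa3df11e6d16544702a8fabbcd0031ba11d1df51461704a8973",
        "8dcced38514c8167c849c1bba9c3c6ef20f219a7439d2fc1f889410e34d8f6c9",
    },
}

ALGORITHMS = ("md5", "sha1", "sha256")


def _digest_chunks(chunks):
    """Feed each chunk to all three hashers so the file is read only once."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_bytes(data):
    """Hash an in-memory byte string (used for testing and small blobs)."""
    return _digest_chunks([data])


def digest_file(path, chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks so large files do not need to fit in memory."""
    def chunks():
        with open(path, "rb") as f:
            while True:
                block = f.read(chunk_size)
                if not block:
                    return
                yield block
    return _digest_chunks(chunks())


def match_iocs(digests):
    """Return (algorithm, hash) pairs whose digest appears in the IOC lists."""
    return [(name, digests[name].lower()) for name in ALGORITHMS
            if name in digests and digests[name].lower() in IOC_HASHES[name]]


def sweep(root):
    """Walk a directory tree and return (path, matches) for every IOC hit.
    Files that cannot be opened (permissions, in-use, vanished) are skipped."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                matches = match_iocs(digest_file(path))
            except OSError:
                continue
            if matches:
                hits.append((path, matches))
    return hits


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, matches in sweep(root):
        for algo, value in matches:
            print(f"MATCH {algo} {value} {path}")
```

Usage: `python ioc_sweep.py C:\Users` (or any root directory) prints one line per matching algorithm and file. Computing all three digests in a single pass matters on large trees, and a match on any one algorithm is enough to warrant isolating the host; hosts that enforce FIPS mode may refuse `hashlib.new("md5")`, in which case drop that algorithm and rely on the SHA-1 and SHA-256 indicators.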