Python Variant of NodeStealer – Targeting Facebook Business Accounts and Cryptocurrency
Cybersecurity researchers from Palo Alto Network Unit 42 have recently discovered a Python variant of the infamous NodeStealer malware. This sophisticated strain is now fully equipped to not only take over Facebook business accounts but also to siphon cryptocurrency, making it a grave threat to both individuals and organizations. The campaign carrying this stealthy malware began in December 2022, but there is currently no evidence of its active presence.
Initially exposed by Meta in May 2023, NodeStealer was known as a potent stealer capable of harvesting sensitive data such as cookies and passwords from web browsers. It aimed to compromise Facebook, Gmail, and Outlook accounts. While earlier versions of NodeStealer were written in JavaScript, the latest iterations employ Python, showcasing the malware’s evolving capabilities.
See Also: So you want to be a hacker?
Offensive Security, Bug Bounty Courses
The attack campaign commences with deceptive messages circulating on Facebook, offering free “professional” budget tracking Microsoft Excel and Google Sheets templates. Unsuspecting victims are tricked into downloading a ZIP archive file hosted on Google Drive. Concealed within this ZIP file lies the malicious stealer executable, designed to capture valuable information from Facebook business accounts. In addition, it deploys BitRAT and XWorm malware in the form of ZIP files, disables Microsoft Defender Antivirus, and conducts cryptocurrency theft by exploiting MetaMask credentials from Google Chrome, Cốc Cốc, and Brave web browsers.
To facilitate the downloads of additional malware, the attackers utilize a User Account Control (UAC) bypass technique employing fodhelper.exe. This method allows the execution of PowerShell scripts that retrieve the ZIP files from a remote server, granting attackers elevated privileges over infected hosts.
Notably, Unit 42 has identified an upgraded Python variant of NodeStealer, exhibiting anti-analysis features and advanced capabilities. It now parses emails from Microsoft Outlook and makes attempts to take over the associated Facebook account.
Trending: Offensive Security Tool: Nucleimonst3r
Once the necessary information is collected, the malware exfiltrates the files through the Telegram API before promptly erasing any trace of its activity from the infected machine.
NodeStealer has emerged as a prominent part of a concerning trend among Vietnamese threat actors, who are increasingly targeting Facebook business accounts for advertising fraud and disseminating malware to other users on the social media platform.
In light of these emerging threats, Facebook business account owners are urged to implement strong passwords and enable multi-factor authentication. Additionally, organizations should prioritize educating their staff about phishing tactics, particularly modern and targeted approaches that exploit current events and business needs, to defend against such pernicious cyberattacks.
Are u a security researcher? Or a company that writes articles or write ups about Cyber Security, Offensive Security (related to information security in general) that match with our specific audience and is worth sharing?
If you want to express your idea in an article contact us here for a quote: [email protected]
Source: thehackernews.com
Recent News
Offensive Security & Ethical Hacking Course
Begin the learning curve of hacking now!
Information Security Solutions
Find out how Pentesting Services can help you.
