NodeStealer Malware: Facebook Ad Accounts Targeted For Data


Cybersecurity researchers have warned of a new variant of the Python-based NodeStealer malware that is now in use by threat actors. In this article, we'll look at how the malware targets Facebook Ads Manager accounts, how it harvests credit card data from the browser, and what can be done to strengthen defenses. Let's begin!

NodeStealer Malware: Initial Discovery 

The Python-based NodeStealer was first documented by Netskope Threat Labs in September 2023; the original JavaScript version had been disclosed by Meta earlier that year. Summarizing the malware's evolution, the Netskope researchers state:

“NodeStealer collects Facebook and other credentials stored in the browser and its cookie data. For over a year, we have tracked and discovered multiple variants of this infostealer. It is now targeting new victims and extracting new information using new techniques.”

Before we dive into the details of the new variant, there are a few things worth noting. First, the new Python-based NodeStealer collects a new category of information from victims: Facebook ad account details. Those details can later serve as a gateway for running malvertising campaigns on the platform from the victim's own account.

In addition, the new variant steals credit card information as well as the user credentials stored in browsers. It also relies on new tactics: it uses the Windows Restart Manager to unlock browser database files held open by a running browser, and it pads its code with junk to hinder analysis.

Researchers have also pointed out that the malware is delivered through a batch script that dynamically generates and executes the Python script. The activity is attributed to Vietnamese threat actors, who are known for deploying similar malware centered on Facebook advertising.

Facebook Malvertising Campaigns 

NodeStealer was originally written in JavaScript and ran under Node.js, which is where its name comes from. A few months after it was first reported, a Python-based version appeared that could steal browser credentials and cookies.

The most recent samples show a noticeably broader set of capabilities, designed both to expand the malware's reach and to harm victims on several fronts at once.

Facebook Ads Manager 

Facebook Ads Manager is the tool used to manage paid advertisements on both Facebook and Instagram. To use it, users must create a Facebook Business account, and these business accounts have been NodeStealer's target for the past year.

The NodeStealer operators have long collected login credentials and cookies stored in browsers. The analysts who examined the new samples state that the same data is still targeted, now alongside Facebook Ads Manager data:

“We suspect the reason for targeting Ads Manager accounts is to leverage the stolen accounts to create malicious Facebook ads. We recently found several Python NodeStealer samples that collect budget details of the account using Facebook Graph API. The samples initially generate an access token by logging into adsmanager.facebook.com using cookies collected on the victim’s machine.”

After obtaining the token, the samples collect general information about the businesses linked to the compromised account by sending a GET request to the Graph API business endpoint. The results are written to a file named “data.txt” in the user's TEMP folder.

A second GET request to the Graph API ad accounts endpoint then retrieves the ad account details, which are appended to the same file in the TEMP folder. The ad account fields targeted by NodeStealer are:

Variable             Description
idtkqc               Account ID
name                 Account name
tiente (currency)    Account currency
qg                   Country code
limit                Total daily amount that can be spent on ads
adspaymentcycle      Amount that can be spent on ads
duno                 Cap for the total amount spent on a campaign
trangthai            Account status
dachitieu            Amount spent

Some of the strings in the malware, including the variable names above, are Vietnamese abbreviations (for example tiente for tiền tệ, “currency”, and trangthai for trạng thái, “status”). The malware also checks the country code and skips victims located in Vietnam. Avoiding victims in one's own country is common practice among criminal groups, as it reduces the risk of local prosecution.

Windows Restart Manager 

The Windows Restart Manager library exists to reduce the need for a reboot after a software update: it identifies the processes holding the files being updated open, and can stop and later restart them so the files can be replaced. In NodeStealer's case, the same library is repurposed to facilitate information theft.

Abusing legitimate, Microsoft-signed components in this way (Rstrtmgr.dll is a standard system library, in the same spirit as the LOLBins attackers favour) helps the malware evade detection, because the call itself looks like ordinary updater behaviour. Commenting on the information theft, the researchers state:

“The Python infostealer extracts sensitive information by copying browser database files into a temporary folder and leveraging Sqlite3 to query the targeted data. However, a challenge arises when these database files are locked by another process, preventing further operations. Windows Restart Manager is used to unlock database files that are locked by another process.”

Concretely, the Python-based NodeStealer loads the Restart Manager DLL via windll.LoadLibrary, registers the browser database files with a Restart Manager session so that the processes holding them are enumerated, and then calls the RmShutdown function to terminate every process identified as locking those files.
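The call sequence above, as an added example that is not NodeStealer's code: it walks the same Rstrtmgr.dll session (RmStartSession, RmRegisterResources, RmGetList, RmShutdown, RmEndSession) the malware uses, but from the defender's side, listing which processes hold a browser database open and only killing them if explicitly asked. The helper that builds the default Chrome and Edge database paths and the choice to expose RmShutdown behind a force_unlock flag are this example's own; the API is Windows-only, so lock_holders() refuses to run elsewhere.

```python
"""Ask the Windows Restart Manager which processes hold a browser database open.

Added example, not NodeStealer's code: same Rstrtmgr.dll call sequence, but it
lists lock holders by default instead of terminating them.
"""
import ctypes
import os
import sys

# Constants from RestartManager.h
CCH_RM_SESSION_KEY = 32
CCH_RM_MAX_APP_NAME = 255
CCH_RM_MAX_SVC_NAME = 63
ERROR_MORE_DATA = 234
RM_FORCE_SHUTDOWN = 0x1

# Windows type widths spelled with plain ctypes so the module imports on any OS.
DWORD = ctypes.c_ulong
ULONG = ctypes.c_ulong
BOOL = ctypes.c_long
UINT = ctypes.c_uint


class FILETIME(ctypes.Structure):
    _fields_ = [("dwLowDateTime", DWORD), ("dwHighDateTime", DWORD)]


class RM_UNIQUE_PROCESS(ctypes.Structure):
    _fields_ = [("dwProcessId", DWORD), ("ProcessStartTime", FILETIME)]


class RM_PROCESS_INFO(ctypes.Structure):
    _fields_ = [
        ("Process", RM_UNIQUE_PROCESS),
        ("strAppName", ctypes.c_wchar * (CCH_RM_MAX_APP_NAME + 1)),
        ("strServiceShortName", ctypes.c_wchar * (CCH_RM_MAX_SVC_NAME + 1)),
        ("ApplicationType", ctypes.c_int),  # RM_APP_TYPE enum
        ("AppStatus", ULONG),
        ("TSSessionId", DWORD),
        ("bRestartable", BOOL),
    ]


def default_browser_db_paths(local_appdata):
    """Credential and autofill databases of the default Chrome and Edge profiles
    (their standard locations under %LOCALAPPDATA%)."""
    profiles = [
        os.path.join(local_appdata, "Google", "Chrome", "User Data", "Default"),
        os.path.join(local_appdata, "Microsoft", "Edge", "User Data", "Default"),
    ]
    return [os.path.join(p, db) for p in profiles for db in ("Login Data", "Web Data")]


def lock_holders(paths, force_unlock=False):
    """Return [(pid, friendly app name)] for every process holding any of `paths`.

    force_unlock=True additionally calls RmShutdown, the step NodeStealer abuses
    to free locked browser databases. Never set it on a machine under
    investigation: it kills the user's browser.
    """
    if sys.platform != "win32":
        raise RuntimeError("Restart Manager (Rstrtmgr.dll) exists only on Windows")
    rm = ctypes.WinDLL("Rstrtmgr")  # the same library NodeStealer loads

    session = DWORD()
    key = ctypes.create_unicode_buffer(CCH_RM_SESSION_KEY + 1)
    rc = rm.RmStartSession(ctypes.byref(session), 0, key)
    if rc:
        raise ctypes.WinError(rc)
    try:
        files = (ctypes.c_wchar_p * len(paths))(*[str(p) for p in paths])
        rc = rm.RmRegisterResources(session, len(paths), files, 0, None, 0, None)
        if rc:
            raise ctypes.WinError(rc)

        needed, got, reasons = UINT(0), UINT(0), DWORD(0)
        # First call with no buffer: ERROR_MORE_DATA reports how many entries to allocate.
        rc = rm.RmGetList(session, ctypes.byref(needed), ctypes.byref(got), None, ctypes.byref(reasons))
        if rc == 0:
            return []  # nobody holds the files open
        if rc != ERROR_MORE_DATA:
            raise ctypes.WinError(rc)

        infos = (RM_PROCESS_INFO * needed.value)()
        got = UINT(needed.value)
        rc = rm.RmGetList(session, ctypes.byref(needed), ctypes.byref(got), infos, ctypes.byref(reasons))
        if rc:
            raise ctypes.WinError(rc)
        holders = [(infos[i].Process.dwProcessId, infos[i].strAppName) for i in range(got.value)]

        if force_unlock and holders:
            rc = rm.RmShutdown(session, RM_FORCE_SHUTDOWN, None)  # the abused call
            if rc:
                raise ctypes.WinError(rc)
        return holders
    finally:
        rm.RmEndSession(session)


if __name__ == "__main__":
    for pid, app in lock_holders(default_browser_db_paths(os.environ["LOCALAPPDATA"])):
        print(f"{pid}\t{app}")
```

Run it on a Windows host with a browser open and it prints the browser as the holder of its own Login Data and Web Data files; that enumeration (RmGetList) is harmless, and the only destructive step is the RmShutdown call the malware makes next. Note that RmGetList reports a friendly application name rather than an image path, so map the returned PID back to an executable if you need the exact binary.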

Stealing Information And Maintaining Persistence 

Another notable addition is credit card theft, implemented by copying the “Web Data” file of every targeted browser. Web Data is a SQLite database in which Chromium-based browsers store autofill information, including saved payment cards. From it the malware collects the victim's:

  • Name
  • Card expiration date
  • Card number
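To see exactly what that file exposes, here is an added example (not the malware's code) that applies the same copy-the-database-then-query approach as a defender's audit: it copies a Web Data file aside, opens the copy read-only, and reports the saved cards in masked form. The credit_cards table it creates for the constructed sample is a reduced version of Chromium's real schema, containing only the columns used here; one detail worth knowing is that Chromium keeps the card number in a card_number_encrypted column protected with the profile's key, so the file alone yields the name and expiry in plaintext but not the number. The Chrome default-profile path helper is standard, everything else is this example's own.

```python
"""Inventory the payment cards a Chromium browser has saved, working on a copy.

Added example, not NodeStealer's code: the same copy-then-query approach as a
defender's audit, on a constructed sample database.
"""
import os
import pathlib
import shutil
import sqlite3
import tempfile

# Reduced, constructed copy of Chromium's credit_cards schema (the real table has
# more columns). The card number lives in card_number_encrypted, not in plaintext.
CREDIT_CARDS_DDL = """
CREATE TABLE credit_cards (
    guid VARCHAR PRIMARY KEY,
    name_on_card VARCHAR,
    expiration_month INTEGER DEFAULT 0,
    expiration_year INTEGER DEFAULT 0,
    card_number_encrypted BLOB,
    use_count INTEGER NOT NULL DEFAULT 0
)
"""


def make_sample_web_data(path):
    """Create a constructed 'Web Data' file holding two fake cards (sample input only)."""
    con = sqlite3.connect(path)
    with con:
        con.execute(CREDIT_CARDS_DDL)
        con.executemany(
            "INSERT INTO credit_cards VALUES (?, ?, ?, ?, ?, ?)",
            [
                ("0001", "Jane Doe", 12, 2027, b"v10" + bytes(44), 3),  # 47-byte fake ciphertext
                ("0002", "Jane Doe", 6, 2026, b"v10" + bytes(44), 0),
            ],
        )
    con.close()


def inventory_cards(web_data_path):
    """Copy the database aside (the live file may be locked), then query the copy read-only."""
    workdir = tempfile.mkdtemp(prefix="webdata-audit-")
    try:
        copy = os.path.join(workdir, "Web Data")
        shutil.copy2(web_data_path, copy)
        uri = pathlib.Path(copy).as_uri() + "?mode=ro"
        con = sqlite3.connect(uri, uri=True)
        rows = con.execute(
            "SELECT name_on_card, expiration_month, expiration_year, "
            "length(card_number_encrypted) FROM credit_cards ORDER BY guid"
        ).fetchall()
        con.close()
    finally:
        shutil.rmtree(workdir, ignore_errors=True)
    # Only metadata is reported; the number is never decrypted or printed.
    return [
        {"name": name, "expires": f"{month:02d}/{year}", "encrypted_number_bytes": size}
        for name, month, year, size in rows
    ]


def chrome_default_web_data():
    """Standard location of Chrome's first-profile Web Data file on Windows."""
    return os.path.join(os.environ.get("LOCALAPPDATA", ""),
                        "Google", "Chrome", "User Data", "Default", "Web Data")


def demo():
    """Build the constructed sample in a scratch directory and audit it."""
    workdir = tempfile.mkdtemp(prefix="webdata-sample-")
    try:
        sample = os.path.join(workdir, "Web Data")
        make_sample_web_data(sample)
        return inventory_cards(sample)
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    target = chrome_default_web_data()
    for card in (inventory_cards(target) if os.path.exists(target) else demo()):
        print(card)
```

Point it at a real profile and a non-empty result is the signal that matters: every card listed is one a stealer with the profile key could recover in full, so the remediation is to remove saved payment methods from the browser rather than to harden the file.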

The malware reads this data with Python's sqlite3 library by running a query against the copied database. Shedding light on how the malware achieves persistence, the researchers state:

“From our previous threat post, NodeStealer persists on a machine through the startup folder, which can still be seen in some variants found in the wild. But some variants now use the current user’s run key registry instead, using Powershell to run Python and execute the malicious Python script.”
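The execution and persistence behaviours described on this page (a batch file that generates and launches the Python script, a Startup folder entry, and a current-user Run key that starts Python through PowerShell) translate directly into host detection rules. The following added example, which is not from the Netskope report, encodes those three behaviours as rules and runs them over constructed, Sysmon-style events embedded in the block; all paths, file names and the allowlist of legitimate Startup-folder writers are invented for illustration.

```python
"""Detection rules for the NodeStealer execution and persistence chain.

Added example, not from the Netskope report. The rules encode behaviours the
article describes; the events below are constructed, Sysmon-like samples.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str                # "process", "registry" or "file"
    image: str = ""          # executable of the acting process
    parent_image: str = ""   # parent process (process events)
    command_line: str = ""   # full command line (process events)
    target: str = ""         # registry value path or file path written
    details: str = ""        # registry value data


RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
TEMP_PY = re.compile(r"\\temp\\.*\.py\b", re.I)      # a .py script under a Temp directory
PYTHON = re.compile(r"\bpythonw?(?:\.exe)?\b", re.I)

# Processes that legitimately drop shortcuts into the Startup folder (assumed allowlist).
STARTUP_WRITERS_OK = {"explorer.exe", "msiexec.exe"}


def _base(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def batch_launches_python_from_temp(ev):
    """cmd.exe (a batch file) starting a Python interpreter on a script in Temp."""
    return (ev.kind == "process"
            and _base(ev.parent_image) == "cmd.exe"
            and _base(ev.image) in ("python.exe", "pythonw.exe")
            and TEMP_PY.search(ev.command_line) is not None)


def run_key_powershell_python(ev):
    """HKCU Run value whose data runs Python via PowerShell."""
    return (ev.kind == "registry"
            and RUN_KEY.search(ev.target) is not None
            and "powershell" in ev.details.lower()
            and PYTHON.search(ev.details) is not None)


def startup_folder_drop(ev):
    """File written into the user's Startup folder by something other than the shell/installer."""
    return (ev.kind == "file"
            and STARTUP_DIR.search(ev.target) is not None
            and _base(ev.image) not in STARTUP_WRITERS_OK)


RULES = {
    "batch_launches_python_from_temp": batch_launches_python_from_temp,
    "run_key_powershell_python": run_key_powershell_python,
    "startup_folder_drop": startup_folder_drop,
}


def run_rules(events):
    """Return (rule name, event index) for every rule that fires, in event order."""
    return [(name, idx) for idx, ev in enumerate(events)
            for name, rule in RULES.items() if rule(ev)]


# Constructed sample events; user names, paths and file names are invented.
SAMPLE_EVENTS = [
    Event("process", image=r"C:\Users\alice\AppData\Local\Temp\ffmpeg\python.exe",
          parent_image=r"C:\Windows\System32\cmd.exe",
          command_line=r'python.exe "C:\Users\alice\AppData\Local\Temp\ffmpeg\update.py"'),
    Event("registry", target=r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update",
          details=r'powershell.exe -WindowStyle Hidden -Command "C:\Users\alice\AppData\Roaming\py\pythonw.exe C:\Users\alice\AppData\Roaming\py\svc.py"'),
    Event("process", image=r"C:\Program Files\Python312\python.exe",   # benign developer use
          parent_image=r"C:\Windows\explorer.exe",
          command_line=r"python.exe C:\dev\app\main.py"),
    Event("file", image=r"C:\Users\alice\AppData\Local\Temp\ffmpeg\python.exe",
          target=r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"),
    Event("registry", target=r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",   # benign
          details=r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
]

if __name__ == "__main__":
    for name, idx in run_rules(SAMPLE_EVENTS):
        print(f"{name}: event {idx}")
```

The two benign events (a developer running Python from Program Files, and OneDrive's own Run value) are there to show the discriminators: the interpreter's location and parent, and the PowerShell-wrapping of the Run value, not merely the presence of python.exe. Feed real Sysmon Event ID 1, 11 and 13 data into the same Event shape to use the rules in practice.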

Ensuring Protection Against Online Threats

Threats such as NodeStealer now combine several tactics to compromise devices and monetize what they steal.

In such a landscape, it's essential to understand these tactics and to deploy proactive security measures. For this case, and for others like it, these include:

  • Enabling multi-factor authentication on Facebook and business accounts for an added layer of security.
  • Regularly monitoring and auditing ad account activity so that malicious campaigns are detected and stopped quickly.
  • Detecting and preventing the abuse of legitimate components such as the Windows Restart Manager.
  • Not saving passwords or payment cards in the browser, since that is precisely the data the malware lifts.
  • Raising awareness of phishing attempts and malicious advertising.
  • Running phishing simulations to gauge employee readiness.

Conclusion 

The latest NodeStealer variant highlights the ever-evolving tactics cybercriminals use to steal data and turn it into profit.

By targeting Facebook ad accounts and abusing legitimate tools like the Windows Restart Manager, this malware underlines the importance of robust security practices. Staying vigilant, enabling multi-factor authentication, and regularly auditing account activity are essential steps for mitigating the risk.

In addition, raising awareness of phishing attempts and keeping sensitive data out of browser storage can prevent a compromise from turning into a breach. As threat actors continue to adapt, a proactive and informed approach remains the best defense against increasingly sophisticated threats like NodeStealer.

The sources for this piece include articles in The Hacker News and Netskope.
