Saturday, March 29, 2025

New Python NodeStealer Attacking Facebook Business To Steal Login Credentials


NodeStealer, initially a JavaScript-based malware, has evolved into a more sophisticated Python-based threat that targets Facebook Ads Manager accounts, stealing sensitive financial and business data in addition to credit card details and browser information. 

The malware is delivered through spear-phishing emails with malicious links, uses DLL sideloading and encoded PowerShell for stealthy execution, and exfiltrates data via Telegram. 

Figure: Infection chain

The attack commenced with a spear-phishing email, disguised as a copyright infringement notice, delivered from a compromised Gmail account, which enticed recipients to click on a malicious link concealed within a seemingly innocuous PDF document. 

Once the recipient clicked, the malicious PDF exploited vulnerabilities on the target device to install stealthy malware, which then quietly exfiltrated sensitive information from the compromised system.


Figure: Email sample with the malicious embedded link

Clicking the malicious link in the email downloads the zipped archive “Nombor Rekod 052881.zip.” Extracting the archive drops several suspicious files: “GHelper.dll” and “oledlg.dll” are Dynamic Link Libraries (DLLs) likely used by the malware. 

“Nombor Rekod 052881.exe” is the main executable file, while “hpreaderfprefs.dat” could be a data file for storing settings. 

The “images” folder contains a batch script (“active-license.bat”) and a suspicious executable (“license-key.exe”), possibly used for licensing checks or further malicious actions, and another archive, “license.rar,” which might hold additional malware components. 

Figure: Malicious encoded PowerShell execution

The PDF reader Nombor Rekod 052881.exe was abused to sideload the malicious oledlg.dll which, masquerading as a legitimate system file, executed the batch script images\active-license.bat under the guise of the PDF reader. 

This batch script, in turn, triggered a PowerShell command, enabling the malware to operate undetected and carry out its malicious activities. 

A malicious PowerShell script hides its window, creates a folder, and unarchives a password-protected RAR file containing a portable Python interpreter, which downloads and executes a decoy PDF while simultaneously dropping a persistence mechanism in the Startup folder.

It also downloads the final malicious payload directly from a remote server using Python’s `requests` library and executes it in a hidden command prompt. 
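The execution chain above (a PDF reader sideloading a system-named DLL, a batch script launching hidden, encoded PowerShell, and a persistence file landing in the Startup folder) maps onto a few endpoint telemetry checks. The following is an added example written for this article, not code from the report or from Trend Micro; the event dictionaries are simplified Sysmon-style records and the sample events, paths and user name are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
STARTUP_MARK = "\\start menu\\programs\\startup\\"

def sideloaded_system_dll(ev):
    """A DLL carrying a well-known system name (oledlg.dll) loaded from a non-system folder."""
    if ev["type"] != "image_load":
        return False
    loaded = PureWindowsPath(ev["image_loaded"])
    return (loaded.name.lower() == "oledlg.dll"
            and not str(loaded.parent).lower().startswith(SYSTEM_DIRS))

def hidden_encoded_powershell(ev):
    """PowerShell spawned by cmd.exe (i.e. a batch script) with a hidden window and an encoded command."""
    if ev["type"] != "process_create":
        return False
    cmd = ev["command_line"].lower()
    is_ps = PureWindowsPath(ev["image"]).name.lower() in ("powershell.exe", "pwsh.exe")
    from_cmd = PureWindowsPath(ev["parent_image"]).name.lower() == "cmd.exe"
    hidden = re.search(r"-w(indowstyle)?\s+hidden", cmd) is not None
    encoded = re.search(r"-e(c|nc|ncodedcommand)?\s+[a-z0-9+/=]{20,}", cmd) is not None
    return is_ps and from_cmd and hidden and encoded

def startup_persistence(ev):
    """A file written into the per-user Startup folder by a scripting host."""
    if ev["type"] != "file_create":
        return False
    writer = PureWindowsPath(ev["image"]).name.lower()
    return (writer in ("powershell.exe", "pwsh.exe", "cmd.exe", "python.exe")
            and STARTUP_MARK in ev["target"].lower())

RULES = (sideloaded_system_dll, hidden_encoded_powershell, startup_persistence)

def triage(events):
    """Return (rule name, event index) for every event that matches a rule."""
    return [(rule.__name__, i) for i, ev in enumerate(events) for rule in RULES if rule(ev)]

# Constructed sample events (simplified Sysmon-style fields); "u" is a placeholder user.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"type": "image_load", "image": r"C:\Users\u\Downloads\Nombor Rekod 052881.exe",
     "image_loaded": r"C:\Users\u\Downloads\oledlg.dll"},
    {"type": "process_create", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Users\u\Downloads\Nombor Rekod 052881.exe",
     "command_line": r"cmd.exe /c images\active-license.bat"},
    {"type": "process_create", "image": PS, "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "powershell.exe -WindowStyle Hidden -EncodedCommand " + "Q" * 40},
    {"type": "file_create", "image": PS,
     "target": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.bat"},
    {"type": "image_load", "image": r"C:\Windows\explorer.exe",
     "image_loaded": r"C:\Windows\System32\oledlg.dll"},
]
```

Running `triage(SAMPLE_EVENTS)` flags the sideloaded DLL, the hidden encoded PowerShell launch and the Startup write, while the legitimate system32 load of oledlg.dll is left alone.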

Figure: Python script to execute Python bytecode directly

The malware relies on layered obfuscation to deliver its infostealer payload: it first downloads a Python script from a remote server and executes it in memory, and that script decrypts and executes a second-stage payload designed to steal sensitive information, including credit card data and web browser credentials. 

The malware also targets Facebook Ads Manager accounts to extract financial and business-related data, which is then exfiltrated to specific Telegram channels using a dedicated bot API. 

Figure: Targeting Facebook Ads Manager accounts

According to Trend Micro, NodeStealer, an advanced malware variant, targets Facebook Ads Manager accounts, credit card information, and browser data and employs sophisticated techniques to evade detection. 

To counter this threat, individuals and organizations should maintain vigilance against suspicious emails, educate users about phishing tactics, and regularly scan systems for malware. 


Aman Mishra
Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
