Cyber Security News

Python NodeStealer: Targeting Facebook Business Accounts to Harvest Login Credentials

The Python-based NodeStealer info-stealer has evolved to target new data and to use new techniques. Recent variants focus on stealing Facebook Ads Manager account and budget details, which could let attackers run malicious ad campaigns on a victim's advertising budget.

The new variants also steal credit card data alongside browser credentials. To get at browser databases that a running browser holds locked, the malware uses the Windows Restart Manager API, and it hides its code behind obfuscation such as junk code.

It also uses batch scripts to generate the Python stealer on the victim's machine and then run it, which adds another layer of indirection for analysts.

A new variant of NodeStealer targets Facebook Ads Manager accounts in addition to Facebook Business accounts. It steals login credentials and cookies and uses the cookies to generate access tokens via the Facebook Graph API.

Routine to collect Facebook Ads Manager token

The malware then uses the token to collect detailed information on the compromised ad account, including its ID, name, currency, spending limits, and spending history.


Interestingly, it avoids targeting Vietnamese users: it checks the victim's IP address and exits if the address resolves to Vietnam, which suggests that Vietnam-based attackers are deliberately targeting users outside their own country to avoid attention from local law enforcement.

Python NodeStealer uses the Windows Restart Manager API to unlock browser database files that are held open by a running browser. It registers the database files as resources in a Restart Manager session, which lets Restart Manager identify the processes holding those files, and then calls `RmShutdown` to terminate them so the files can be read.

Routine to unlock browser database files

The malware also extracts credit card information from the Chromium "Web Data" SQLite database, which stores autofill data and saved payment methods.

By querying this database, the attacker can obtain the cardholder name, expiration date, and card number. Note that Chromium stores the card number itself encrypted under an OS-protected key (DPAPI on Windows), so the stealer must also recover that key to turn the stored value into a usable card number.
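The two steps described above, the Restart Manager unlock and the query against the "Web Data" credit card table, as an added example written for this article (it is not NodeStealer's code and not Netskope's). The Restart Manager part calls the real `rstrtmgr.dll` API sequence (`RmStartSession`, `RmRegisterResources`, `RmShutdown`, `RmEndSession`) and only does anything on Windows; the database part runs anywhere against a constructed stand-in for the Chromium `credit_cards` table, which is an assumption about the schema limited to the columns used here. The sample card data is constructed.

```python
"""Restart Manager unlock and Web Data credit card query (added example)."""
import ctypes
import sqlite3
import sys
import tempfile
from pathlib import Path

# Constants from RestartManager.h
CCH_RM_SESSION_KEY = 32  # session key buffer length, excluding the NUL
RM_FORCE_SHUTDOWN = 0x1  # RmForceShutdown action flag
ERROR_SUCCESS = 0


def terminate_lockers_with_restart_manager(paths):
    """Windows only: register `paths` in a Restart Manager session and force
    every process holding them open to shut down, which is the sequence the
    article describes. Returns the Win32 status code, or None on other hosts."""
    if sys.platform != "win32":
        return None
    rm = ctypes.WinDLL("rstrtmgr")
    session = ctypes.c_uint32(0)
    key = ctypes.create_unicode_buffer(CCH_RM_SESSION_KEY + 1)
    rc = rm.RmStartSession(ctypes.byref(session), 0, key)
    if rc != ERROR_SUCCESS:
        return rc
    try:
        files = (ctypes.c_wchar_p * len(paths))(*paths)
        # Only file names are registered; Restart Manager finds the lockers.
        rc = rm.RmRegisterResources(session, len(paths), files, 0, None, 0, None)
        if rc != ERROR_SUCCESS:
            return rc
        # RmShutdown with no status callback: this is what kills the browser.
        return rm.RmShutdown(session, RM_FORCE_SHUTDOWN, None)
    finally:
        rm.RmEndSession(session)


# Columns of Chromium's credit_cards table that matter here (assumed schema).
CREDIT_CARD_QUERY = (
    "SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted "
    "FROM credit_cards"
)


def read_credit_cards(web_data_path):
    """Open a Web Data file read-only and return the saved cards. The number
    column is ciphertext: Chromium encrypts it with an OS-protected key (DPAPI
    on Windows), so the value here is not a usable card number by itself."""
    uri = Path(web_data_path).resolve().as_uri() + "?mode=ro"
    con = sqlite3.connect(uri, uri=True)
    try:
        return [
            {"name": name, "exp": f"{month:02d}/{year}", "number_enc": bytes(enc)}
            for name, month, year, enc in con.execute(CREDIT_CARD_QUERY)
        ]
    finally:
        con.close()


def build_sample_web_data(path):
    """Constructed stand-in for a Web Data file: only the credit_cards table,
    with one fake card whose number blob uses Chromium's 'v10' prefix."""
    con = sqlite3.connect(path)
    con.execute(
        "CREATE TABLE credit_cards (guid VARCHAR PRIMARY KEY, name_on_card VARCHAR, "
        "expiration_month INTEGER DEFAULT 0, expiration_year INTEGER DEFAULT 0, "
        "card_number_encrypted BLOB, date_modified INTEGER NOT NULL DEFAULT 0)"
    )
    con.execute(
        "INSERT INTO credit_cards VALUES (?, ?, ?, ?, ?, 0)",
        ("0000-constructed", "Test Holder", 12, 2027, b"v10" + b"\x00" * 28),
    )
    con.commit()
    con.close()


def demo():
    """Build the constructed database in a temp dir and read it back."""
    with tempfile.TemporaryDirectory() as tmp:
        db = Path(tmp) / "Web Data"
        build_sample_web_data(str(db))
        # On a live Windows host a stealer would first call
        # terminate_lockers_with_restart_manager([str(db)]) to evict the browser.
        return read_credit_cards(str(db))


if __name__ == "__main__":
    print(demo())
```

Two things a defender can take from this: an unexpected `RmShutdown` that terminates a browser is a strong behavioural signal (the user's browser closes for no reason), and a tool that legitimately needs a copy of "Web Data" does not have to kill the browser at all; copying the file and opening the copy read-only, as `read_credit_cards` does, is enough.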

NodeStealer variants now use a more robust persistence technique: they write an entry under the current user's Run registry key (HKCU\Software\Microsoft\Windows\CurrentVersion\Run) so that the stealer starts at every logon, instead of relying on the more commonly seen Startup folder method.

Dynamic generation via batch file

To evade detection, these variants pad the malicious script with large amounts of junk code, and a batch file assembles the Python infostealer on disk and executes it locally, so no second-stage download from an external server is needed.
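Two hunting checks for the persistence and the batch-file generation described in the last two paragraphs, as an added example that is not part of the article or of Netskope's research. The first parses a `.reg` export of the current user's Run key (produced on the host with `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg`; such exports are UTF-16, so read the file with `encoding="utf-16"`) and flags values that launch batch files or Python. The second scans a batch script for lines that write a `.py` file and then execute it with Python. Both inputs below are constructed samples with hypothetical paths and value names; the batch sample drops a harmless script.

```python
"""Hunting for Run-key persistence and batch-generated Python (added example)."""
import re

# Section header of the per-user Run key in a .reg export (HKCU, or the
# matching HKEY_USERS\<SID> path when the export was taken as another user).
RUN_KEY_RE = re.compile(
    r"^\[(?:HKEY_CURRENT_USER|HKEY_USERS\\[^\\\]]+)"
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\]$",
    re.I,
)
# "Name"="data" lines; .reg escapes backslashes and quotes inside the data.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# Launchers worth a second look: batch/python files, python itself, cmd /c.
INDICATOR_RE = re.compile(
    r"\.(?:bat|cmd|py|pyw)\b|(?<!\.)\b(?:python|pythonw)(?:\.exe)?\b|\bcmd(?:\.exe)?\s+/c\b",
    re.I,
)


def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)


def find_suspicious_run_entries(reg_export):
    """Return (value_name, command) pairs under the Run key that match INDICATOR_RE."""
    findings, in_run = [], False
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_run = bool(RUN_KEY_RE.match(line))
            continue
        m = VALUE_RE.match(line) if in_run else None
        if m:
            name, data = _unescape(m.group(1)), _unescape(m.group(2))
            if INDICATOR_RE.search(data):
                findings.append((name, data))
    return findings


# A redirect (> or >>) whose target is a .py/.pyw file, quoted or not.
REDIRECT_TO_PY_RE = re.compile(r">{1,2}\s*\"?([^\">\s]+\.pyw?)\"?", re.I)
# An invocation of python/pythonw (the lookbehind keeps ".py" from matching).
PY_EXEC_RE = re.compile(r"(?<!\.)\b(?:py|python|pythonw)(?:\.exe)?\b", re.I)


def find_batch_generated_python(batch_text):
    """Map each .py path that the batch file writes to the line numbers that
    write it and the line numbers that run it; only executed targets are kept."""
    lines = batch_text.splitlines()
    targets = {}
    for no, line in enumerate(lines, 1):
        for m in REDIRECT_TO_PY_RE.finditer(line):
            t = targets.setdefault(m.group(1).lower(), {"written": [], "executed": []})
            t["written"].append(no)
    for no, line in enumerate(lines, 1):
        if PY_EXEC_RE.search(line):
            for target, info in targets.items():
                if target in line.lower():
                    info["executed"].append(no)
    return {t: info for t, info in targets.items() if info["executed"]}


# Constructed .reg export: one normal entry and one hypothetical batch launcher.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\victim\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Updater"="C:\\Users\\victim\\AppData\\Local\\Temp\\update.bat"
"""

# Constructed batch dropper: echoes a harmless script to disk, then runs it.
SAMPLE_BATCH = r"""@echo off
echo import os > "%TEMP%\stage.py"
echo print(os.getcwd()) >> "%TEMP%\stage.py"
start /b pythonw.exe "%TEMP%\stage.py"
"""

if __name__ == "__main__":
    print(find_suspicious_run_entries(SAMPLE_REG_EXPORT))
    print(find_batch_generated_python(SAMPLE_BATCH))
```

Real droppers split the script across many `echo` lines and bury it in junk, so the redirect target is the stable indicator, not the script content; correlating a Run-key entry that points at a batch file with a batch file that writes and runs a `.py` is the combination to alert on.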

According to Netskope, stolen data is still exfiltrated via Telegram, and the payload now also includes system information such as the victim's IP address, country, and hostname.
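A network-side check for the exfiltration channel, as an added example that is not part of the article. It assumes the stealer uploads through the Telegram Bot API, whose request URLs have the form `https://api.telegram.org/bot<id>:<secret>/<method>`; the article only says "via Telegram", so that is an assumption. The proxy log format and every line in it are constructed, including the bot token, which is shaped like a real one but is not one.

```python
"""Flag Telegram Bot API uploads in proxy logs (added example)."""
import re

# Bot API URL: bot<numeric id>:<secret>/<method>. Assumed exfil route.
BOT_API_RE = re.compile(r"^https?://api\.telegram\.org/bot(\d+):([A-Za-z0-9_-]{30,})/(\w+)", re.I)
# Methods that carry data out; getMe/getUpdates style polling is ignored.
EXFIL_METHODS = {"senddocument", "sendmessage", "sendphoto"}


def parse_proxy_line(line):
    """Constructed 6-field format: <ts> <src_ip> <verb> <url> <status> <bytes>."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, verb, url, status, nbytes = parts
    return {"ts": ts, "src": src, "verb": verb.upper(), "url": url,
            "status": int(status), "bytes": int(nbytes)}


def find_telegram_bot_exfil(log_text):
    """Return one finding per POST to a Bot API send* method. The bot id is kept
    as the pivot for hunting; the secret is reduced to a short fingerprint so
    the full token does not end up in tickets or dashboards."""
    findings = []
    for raw in log_text.splitlines():
        rec = parse_proxy_line(raw)
        if not rec:
            continue
        m = BOT_API_RE.match(rec["url"])
        if not m:
            continue
        bot_id, token, method = m.groups()
        if rec["verb"] != "POST" or method.lower() not in EXFIL_METHODS:
            continue
        findings.append({
            "ts": rec["ts"], "src": rec["src"], "bot_id": bot_id,
            "method": method, "bytes": rec["bytes"],
            "token_fingerprint": token[:4] + "...",
        })
    return findings


# Constructed log: normal browsing, a bot self-check, one upload, and a
# legitimate Telegram web client from another host that must not be flagged.
SAMPLE_PROXY_LOG = """\
2024-11-20T10:15:01Z 10.0.4.23 GET https://www.facebook.com/ 200 5120
2024-11-20T10:15:05Z 10.0.4.23 GET https://api.telegram.org/bot7000000000:AAExampleTokenExampleTokenExample01/getMe 200 256
2024-11-20T10:15:07Z 10.0.4.23 POST https://api.telegram.org/bot7000000000:AAExampleTokenExampleTokenExample01/sendDocument 200 20480
2024-11-20T10:17:00Z 10.0.9.8 GET https://web.telegram.org/ 200 8192
"""

if __name__ == "__main__":
    for f in find_telegram_bot_exfil(SAMPLE_PROXY_LOG):
        print(f)
```

In an environment where nobody runs Telegram bots, any hit on `api.telegram.org/bot` from a workstation is worth a look; where bots are in use, the bot id lets you separate known automation from an unknown one, and the upload size on `sendDocument` gives a rough measure of what left.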

In summary, recent Python NodeStealer variants target Facebook Ads Manager and credit card data using techniques that differ from earlier versions.

To mitigate these threats, security teams should tune their detection, prevention, and hunting for these specific tactics: browser database access via Restart Manager, Run-key persistence, batch-generated Python scripts, and exfiltration over Telegram.

Staying informed about the latest techniques these variants use helps organizations protect their systems and sensitive data.


Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.
