Python NodeStealer Targets Facebook Business Accounts for Credential Theft.


The Python-based NodeStealer has evolved: it now targets Facebook Ads Manager budgets and steals credit card information and browser credentials. It uses the Windows Restart Manager to unlock browser databases and employs obfuscation techniques such as junk code to evade security tooling.

All about NodeStealer

NodeStealer also uses batch scripts to generate and run its Python payload, adding a layer of indirection to its operation. A new variant targets Facebook Ads Manager accounts: it steals login credentials and cookies, then uses them to create access tokens through the Facebook Graph API.

The malware gathers account details such as ID, name, currency, spending limits, and spending history. It avoids Vietnamese users by checking the victim's IP address and exiting if it resolves to a Vietnam location, suggesting that the operators are local and avoid targets in their own country to reduce law-enforcement attention.

NodeStealer uses the Windows Restart Manager to unlock browser database files so it can read their contents. It registers the database files with Restart Manager and calls the RmShutdown function to terminate the processes holding locks on those files.

The malware targets the "Web Data" SQLite database, which holds browser autofill data and saved payment information. By querying this database, NodeStealer extracts sensitive financial details such as the cardholder's name, card number, and expiration date, information that can be used for unauthorized transactions or identity theft.

Newer NodeStealer variants have adopted a different persistence technique. Instead of relying on the commonly monitored Startup folder, the malware now writes to the user's Run registry key. This launches the malicious program automatically at logon and lets it remain undetected longer where security controls focus on Startup folder modifications.
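The Run-key persistence described above is visible to endpoint telemetry even when Startup-folder monitoring misses it. The following is an added detection example written for this page, not code from the article or from Netskope: it scores constructed Sysmon Event ID 13 (registry SetValue) records and alerts on Run values that point at scripts or interpreters in user-writable paths. The sample events, the SID and the file paths are made up for illustration.

```python
import re

# Constructed Sysmon Event ID 13 (RegistryEvent SetValue) records, flattened to
# dictionaries. These are illustrative samples, not telemetry from any real host.
SAMPLE_REGISTRY_EVENTS = [
    {   # benign: Explorer registering a well-known updater
        "EventID": 13,
        "Image": "C:\\Windows\\explorer.exe",
        "TargetObject": "HKU\\S-1-5-21-1111\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
        "Details": "\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background",
    },
    {   # suspicious: cmd.exe pointing a Run value at a batch file in Temp
        "EventID": 13,
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "TargetObject": "HKU\\S-1-5-21-1111\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Update",
        "Details": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.bat",
    },
    {   # suspicious: a Python interpreter in Temp registering itself plus a script
        "EventID": 13,
        "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\py\\python.exe",
        "TargetObject": "HKU\\S-1-5-21-1111\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc",
        "Details": "C:\\Users\\alice\\AppData\\Local\\Temp\\py\\pythonw.exe C:\\Users\\alice\\AppData\\Roaming\\run.py",
    },
    {   # unrelated registry write, outside any Run key
        "EventID": 13,
        "Image": "C:\\Windows\\regedit.exe",
        "TargetObject": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\Spooler\\Start",
        "Details": "DWORD (0x00000002)",
    },
]

# Per-user Run / RunOnce keys (Sysmon reports HKCU as HKU\<SID>).
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)
# Locations a standard user can write to. Legitimate software lives here too,
# so this is one indicator, not a verdict on its own.
USER_WRITABLE_RE = re.compile(
    r"\\Users\\[^\\]+\\(?:AppData|Downloads|Desktop|Documents)\\|\\ProgramData\\|\\Temp\\", re.IGNORECASE)
# Script launchers and interpreters that script-based persistence relies on.
INTERPRETER_RE = re.compile(r"pythonw?\.exe|\.(?:bat|cmd|py|vbs|ps1)\b", re.IGNORECASE)


def run_key_indicators(event):
    """Return the suspicious indicators for one Event ID 13 record (empty list if none)."""
    if event.get("EventID") != 13 or not RUN_KEY_RE.search(event.get("TargetObject", "")):
        return []
    details = event.get("Details", "")
    image = event.get("Image", "")
    indicators = []
    if USER_WRITABLE_RE.search(details):
        indicators.append("run value points into a user-writable path")
    if INTERPRETER_RE.search(details):
        indicators.append("run value launches a script or interpreter")
    if USER_WRITABLE_RE.search(image) or INTERPRETER_RE.search(image):
        indicators.append("value written by an interpreter or by a process in a user-writable path")
    return indicators


def hunt_run_key_persistence(events, min_indicators=2):
    """Alert only when two or more indicators coincide, so ordinary installers stay quiet."""
    alerts = []
    for event in events:
        indicators = run_key_indicators(event)
        if len(indicators) >= min_indicators:
            value_name = event["TargetObject"].rsplit("\\", 1)[-1]
            alerts.append({"value": value_name, "image": event["Image"], "indicators": indicators})
    return alerts


if __name__ == "__main__":
    for alert in hunt_run_key_persistence(SAMPLE_REGISTRY_EVENTS):
        print(f"[!] Run value '{alert['value']}' written by {alert['image']}: "
              + "; ".join(alert["indicators"]))
```

The threshold of two coinciding indicators is the design choice that keeps the OneDrive-style sample quiet: many legitimate programs register Run values under AppData, but few of them are batch files or interpreters, and fewer still are written by a Python process living in Temp. In a real deployment the same logic would run over Sysmon or EDR registry events rather than the embedded list.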

To evade detection, recent NodeStealer variants use junk code and batch files that obfuscate and generate the Python script locally on the victim machine, so no second-stage download is needed.

According to Netskope, data is still exfiltrated via Telegram, and the uploads now include system information such as IP address, country, and hostname. These newer versions target Facebook Ads Manager and credit card data with the updated tactics described above.
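The batch-launched Python script and the Telegram exfiltration channel together give a hunt team a correlation to look for: a Python interpreter, spawned by a batch file from a user-writable directory, opening a connection to the Telegram Bot API. The following is an added example written for this page, not code from the article or from Netskope; it joins constructed Sysmon process-creation (Event ID 1) and network-connection (Event ID 3) records by ProcessGuid. The GUIDs, paths and the "approved ops bot" that serves as the benign control are all made up.

```python
import re

# Constructed Sysmon records (Event ID 1 = process creation, Event ID 3 = network
# connection), reduced to the fields the correlation needs. Illustrative only.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{A}", "ParentProcessGuid": "{P0}",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c C:\\Users\\alice\\AppData\\Local\\Temp\\setup.bat"},
    {"EventID": 1, "ProcessGuid": "{B}", "ParentProcessGuid": "{A}",
     "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\py\\pythonw.exe",
     "CommandLine": "pythonw.exe C:\\Users\\alice\\AppData\\Local\\Temp\\main.py"},
    {"EventID": 3, "ProcessGuid": "{B}",
     "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\py\\pythonw.exe",
     "DestinationHostname": "api.telegram.org", "DestinationPort": 443},
    # benign control: a sanctioned alerting bot run from a system-wide Python install
    {"EventID": 1, "ProcessGuid": "{C}", "ParentProcessGuid": "{P1}",
     "Image": "C:\\Program Files\\Python312\\python.exe",
     "CommandLine": "python.exe C:\\Scripts\\ops_alert_bot.py"},
    {"EventID": 3, "ProcessGuid": "{C}",
     "Image": "C:\\Program Files\\Python312\\python.exe",
     "DestinationHostname": "api.telegram.org", "DestinationPort": 443},
    {"EventID": 3, "ProcessGuid": "{C}",
     "Image": "C:\\Program Files\\Python312\\python.exe",
     "DestinationHostname": "pypi.org", "DestinationPort": 443},
]

TELEGRAM_BOT_API = "api.telegram.org"
PYTHON_RE = re.compile(r"\\pythonw?\.exe$", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(
    r"\\Users\\[^\\]+\\(?:AppData|Downloads|Desktop|Documents)\\|\\ProgramData\\|\\Temp\\", re.IGNORECASE)
BATCH_RE = re.compile(r"\.(?:bat|cmd)\b", re.IGNORECASE)


def correlate_telegram_exfil(events):
    """Return one alert per Python process that connects to the Telegram Bot API,
    each carrying the list of indicators that make it suspicious."""
    procs = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}
    alerts = []
    for e in events:
        if e["EventID"] != 3 or e.get("DestinationHostname", "").lower() != TELEGRAM_BOT_API:
            continue
        proc = procs.get(e["ProcessGuid"])
        if proc is None or not PYTHON_RE.search(proc["Image"]):
            continue
        indicators = ["Python interpreter connecting to the Telegram Bot API"]
        if USER_WRITABLE_RE.search(proc["Image"]):
            indicators.append("interpreter runs from a user-writable path")
        parent = procs.get(proc.get("ParentProcessGuid"))
        if parent is not None and BATCH_RE.search(parent.get("CommandLine", "")):
            indicators.append("interpreter spawned by a batch script")
        alerts.append({"guid": proc["ProcessGuid"], "image": proc["Image"], "indicators": indicators})
    return alerts


def triage(events, min_indicators=2):
    """Keep only alerts with enough corroborating indicators to page an analyst."""
    return [a for a in correlate_telegram_exfil(events) if len(a["indicators"]) >= min_indicators]


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(f"[!] {alert['image']} ({alert['guid']}): " + "; ".join(alert["indicators"]))
```

The single-indicator alert for the sanctioned bot is retained by `correlate_telegram_exfil` so it can be reviewed or allow-listed, while `triage` surfaces only the process that also runs from Temp and descends from a batch file. The parent lookup is one hop deep; extending it to walk the full ancestry is a small change if the batch launcher sits further up the tree.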

To counter these threats, security teams should adopt targeted detection, prevention, and threat-hunting strategies. Keeping up with the latest malware tactics helps organizations protect their systems and sensitive data.

IOCs

SHA256

November 26th, 2024 (timestamp 2024-11-28T23:50:53+05:30) | BOTNET, Compromised, Exploitation, malicious cyber actors, Malware, Security Advisory, Security Update

About the Author:

FirstHackersNews - Identifies Security
