Security researchers have flagged an updated version of the Python-based malware known as NodeStealer. The new build can extract additional information from victims' Facebook Ads Manager accounts and also harvests credit card data stored in web browsers.
According to Netskope Threat Labs researcher Jan Michael Alcantara, the attackers collect budget details from Facebook Ads Manager accounts, potentially as groundwork for malicious advertising campaigns. Alcantara's findings were shared in a report provided to The Hacker News.
This iteration of NodeStealer also uses the Windows Restart Manager to unlock browser database files held open by running browsers, pads itself with junk code, and uses a batch script to generate and launch its Python payload dynamically.
First identified by Meta in May 2023, NodeStealer originally emerged as JavaScript malware. It has since evolved into a Python-based trojan designed to collect data associated with Facebook accounts for potential takeovers. The malware is believed to originate from Vietnamese threat groups, who have a documented history of utilizing various malware types focused on compromising Facebook advertising and business accounts.
Recent assessments from Netskope suggest that NodeStealer is now specifically targeting Facebook Ads Manager accounts that facilitate ad campaigns for both Facebook and Instagram, in addition to affecting Facebook Business accounts. The malicious objective extends beyond mere account hijacking; criminals aim to utilize these accounts in malvertising campaigns that distribute malware under the guise of legitimate software or games.
Alcantara noted that the malware collects account budget details via the Facebook Graph API. It does this by using Facebook session cookies stolen from the victim's browser to obtain an access token, which it then uses to query the API. Notably, the malware checks the machine's location and skips machines in Vietnam, a guard likely intended to avoid attention from local law enforcement and one that points to a Vietnamese origin.
Furthermore, specific NodeStealer variants use the legitimate Windows Restart Manager to release SQLite database files that are locked because the browser process holding them is still running, and then extract credit card data from a range of web browsers. The stolen data is exfiltrated over Telegram, which remains a widely used channel for cybercriminal activity despite the platform's recent changes to its data-handling policies.
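The Restart Manager behaviour described above gives defenders a concrete telemetry pattern: the API sequence (RmStartSession, RmRegisterResources, RmGetList, RmShutdown) lives in rstrtmgr.dll, so a process that is neither an installer nor an updater loads that DLL, browser processes die shortly afterwards, and the same process then talks to api.telegram.org. The following correlation logic is an added example written for this article; it is not NodeStealer code or Netskope tooling. The pipe-delimited event format and the sample log are constructed and simplified (real Sysmon events 7, 5 and 3 carry the same fields), and the installer allowlist is an assumption to be tuned per environment.

```python
"""Correlate endpoint telemetry for the Restart Manager unlocking trick.

Added example (not NodeStealer code, not Netskope tooling). Observable
sequence: a non-installer process loads rstrtmgr.dll, one or more browsers
are terminated within a short window, and the same process then connects
to api.telegram.org. Event format and sample log are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe", "opera.exe"}
# Installers and updaters use the Restart Manager legitimately (assumed allowlist).
KNOWN_RM_USERS = {"msiexec.exe", "setup.exe", "googleupdate.exe", "microsoftedgeupdate.exe"}
TELEGRAM_API = "api.telegram.org"
WINDOW = timedelta(seconds=60)


@dataclass
class Event:
    ts: datetime
    kind: str    # "image_load", "process_end" or "network"
    pid: int     # pid of the process the event is about
    image: str   # its executable name, lower-cased
    detail: str  # loaded DLL, "" for process_end, or destination host


def parse_log(text):
    """Constructed line format: ts|kind|pid|image|detail."""
    events = []
    for line in text.strip().splitlines():
        ts, kind, pid, image, detail = line.split("|")
        events.append(Event(datetime.fromisoformat(ts), kind, int(pid),
                            image.lower(), detail.lower()))
    return sorted(events, key=lambda e: e.ts)


def detect_restart_manager_abuse(events):
    """Flag non-installer processes that load rstrtmgr.dll and are followed
    within WINDOW by browser terminations; note Telegram traffic from the
    same pid as a likely exfiltration channel."""
    events = sorted(events, key=lambda e: e.ts)
    findings = []
    for e in events:
        if e.kind != "image_load" or e.detail != "rstrtmgr.dll":
            continue
        if e.image in KNOWN_RM_USERS:
            continue
        later = [x for x in events if e.ts <= x.ts <= e.ts + WINDOW]
        killed = sorted({x.image for x in later
                         if x.kind == "process_end" and x.image in BROWSERS})
        if not killed:
            continue  # the DLL load alone is too noisy to alert on
        exfil = any(x.kind == "network" and x.pid == e.pid
                    and x.detail == TELEGRAM_API for x in later)
        findings.append({"pid": e.pid, "image": e.image,
                         "killed_browsers": killed, "telegram_exfil": exfil})
    return findings


# Constructed sample: a benign MSI install, then a Python process that unlocks
# two browsers' databases and posts to Telegram, then the real Telegram client.
SAMPLE_LOG = """
2024-11-20T10:00:00|image_load|4100|msiexec.exe|rstrtmgr.dll
2024-11-20T10:00:05|process_end|812|chrome.exe|
2024-11-20T10:02:10|image_load|5532|python.exe|rstrtmgr.dll
2024-11-20T10:02:11|process_end|2200|chrome.exe|
2024-11-20T10:02:11|process_end|2304|msedge.exe|
2024-11-20T10:02:30|network|5532|python.exe|api.telegram.org
2024-11-20T10:03:00|network|7000|telegram.exe|api.telegram.org
"""

if __name__ == "__main__":
    for finding in detect_restart_manager_abuse(parse_log(SAMPLE_LOG)):
        print(finding)
```

The msiexec.exe load is suppressed by the allowlist, the python.exe load is flagged because two browsers exit within a minute of it, and the Telegram connection from the unrelated telegram.exe pid does not count as exfiltration. Requiring the browser termination before alerting keeps the rule quiet on hosts where legitimate installers use the Restart Manager routinely.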
Recent incidents in malvertising through Facebook highlight its effectiveness as an infection vector. For example, a campaign that began on November 3, 2024, masqueraded as the Bitwarden password manager in Facebook-sponsored ads, leading to the installation of a rogue Google Chrome extension. These trends reveal how threat actors exploit trusted platforms to distribute various malware types.
Bitdefender, which reported that campaign, said the rogue extension targets personal data and Facebook business accounts, exposing individuals and companies alike to significant financial risk. The report emphasizes how effective these campaigns are at exploiting reputable platforms to compromise users.
Emergence of Phishing and RAT Distribution Techniques
In a related threat landscape, Cofense has alerted cybersecurity teams to new phishing schemes utilizing website contact forms and invoice-themed enticements to distribute malware such as I2Parcae RAT and PythonRatLoader. These techniques serve as conduits for delivering increasingly sophisticated remote access trojans.
I2Parcae is particularly notable for its distinctive tactics: it evades Secure Email Gateways (SEGs) by relaying messages through legitimate infrastructure and uses fake CAPTCHAs as a lure. Once executed, I2Parcae can disable Windows Defender, enumerate Windows user accounts, steal browser cookies, and give the operator remote access. The infection chain typically has the target click an enticing link, complete a fake CAPTCHA, and then run an encoded PowerShell command, an approach known as ClickFix.
ClickFix has become a favored technique among a range of otherwise unattributed threat actors for delivering remote access trojans and other malicious frameworks. Notably, Russian espionage groups have reportedly used it to breach Ukrainian government networks.
In closing, this evolving threat landscape poses a dual challenge: financial loss and potential disruption of business operations. The abuse of trusted platforms such as Facebook and the use of sophisticated phishing lures underscore the need for vigilant security practices.