NodeStealer Evolves with Python to Exploit Facebook Ads Manager
Threat Group: Unattributed; suspected Vietnamese origin
Threat Type: Information-Stealing Malware
Exploited Vulnerabilities: None (no software flaw); abuses stolen browser session cookies to take over Facebook Business accounts
Malware Used: NodeStealer
Threat Score: High (8.8/10) — Due to its focus on Facebook Ads Manager and credit card data theft.
Last Threat Observation: November 23, 2024
Overview
NodeStealer, first identified in early 2023, is an information-stealing malware targeting Facebook Business accounts and browser-stored credentials. The malware has evolved significantly, employing Python-based variants to exploit new targets such as Facebook Ads Manager and credit card data stored in browser databases. Recent campaigns indicate a deliberate focus on malvertising, leveraging Facebook Ads Manager for malicious ad campaigns. These techniques highlight the advanced evolution of NodeStealer, enabling attackers to exfiltrate critical business and personal data.
Key Findings
- Target Expansion:
  - New variants target Facebook Ads Manager accounts, collecting budget details and account information.
  - Theft capabilities now include credit card details stored in browser databases.
- Techniques:
  - Employs Windows Restart Manager to unlock browser database files for data extraction.
  - Pads scripts with junk code to obfuscate them and evade detection.
  - Dynamically generates and executes Python scripts via batch files.
  - Continues to use Telegram for exfiltrating stolen data.
- Victim Filtering:
  - Avoids victims in Vietnam by checking the host's country code through ipinfo.
  - The exclusion most likely exists to avoid local prosecution; it is a legal blind spot for the operators, not a technical control a defender can rely on.
Key Details: NodeStealer’s Enhanced Capabilities
Facebook Ads Manager Targeting
NodeStealer uses stolen Facebook session cookies to obtain an access token, then queries Facebook's Graph API for the victim's ad accounts. The fields it extracts, keyed by the variable names used in the script, are:

Variable Name | Description
---|---
idtkqc | Account ID
name | Account name
tiente | Account currency
qg | Country code
limit | Total daily amount spent on ads
adspaymentcycle | Budget for ad campaigns
duno | Cap for total campaign spend
trangthai | Account status
dachitieu | Amount spent

The variable names are Vietnamese abbreviations (tiente from tiền tệ, "currency"; qg from quốc gia, "country"; trangthai from trạng thái, "status"; dachitieu from đã chi tiêu, "spent"), consistent with the suspected origin of the operators.
Credit Card Theft
By querying the credit_cards table in the "Web Data" SQLite database of Chromium-based browsers, NodeStealer exfiltrates stored payment details, including:
- Cardholder name
- Card expiration date
- Card number
Windows Restart Manager Abuse
Browser SQLite databases such as "Web Data" are locked while the browser is running. NodeStealer abuses the Windows Restart Manager (rstrtmgr.dll: RmStartSession, RmRegisterResources, RmGetList, RmShutdown), the legitimate component installers use to free files held open by running programs: it registers the browser's database files with a Restart Manager session and has the processes holding them shut down, which unlocks the files for copying and reading without a reboot.
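The locking behaviour is the reason the Restart Manager step exists, so here is an added example (not code from the report or from the malware) that builds a constructed "Web Data" file using Chromium's credit_cards column names, holds it open the way a Chromium browser does (PRAGMA locking_mode=EXCLUSIVE), and shows a second reader failing until the holder goes away, which is the effect the malware obtains by shutting the browser down. The sample row and the ciphertext blob are constructed; the "v10" prefix on the blob mirrors Chromium's encrypted-value format but the bytes are arbitrary.

```python
import os
import sqlite3
import tempfile

# Columns of Chromium's "Web Data" credit_cards table that matter here (the real
# table has more columns; these names are Chromium's). card_number_encrypted is
# protected with the browser's OS-bound key (DPAPI on Windows), so name and expiry
# are the only fields readable straight out of the file.
SCHEMA = """
CREATE TABLE credit_cards (
    guid VARCHAR PRIMARY KEY,
    name_on_card VARCHAR,
    expiration_month INTEGER,
    expiration_year INTEGER,
    card_number_encrypted BLOB,
    date_modified INTEGER NOT NULL DEFAULT 0
);
"""

# Constructed sample row; the blob is arbitrary bytes standing in for ciphertext.
SAMPLE_ROW = ("7b1e0c2a-0000-4000-8000-000000000001", "Jane Q Public",
              12, 2027, bytes.fromhex("76313000a1b2c3d4"), 0)


def create_web_data(path):
    con = sqlite3.connect(path)
    con.executescript(SCHEMA)
    con.execute("INSERT INTO credit_cards VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_ROW)
    con.commit()
    con.close()


def open_like_a_browser(path):
    """Chromium opens its SQLite files in exclusive locking mode; once the file has
    been written the lock is held until the connection (the browser) closes."""
    con = sqlite3.connect(path, isolation_level=None)  # autocommit: one statement per transaction
    con.execute("PRAGMA locking_mode=EXCLUSIVE")
    con.execute("UPDATE credit_cards SET date_modified = 1")  # takes, and now keeps, the exclusive lock
    return con


def read_cards(path):
    """What a second process sees. Returns (rows, error); error is None on success."""
    try:
        con = sqlite3.connect(path, timeout=0)  # fail at once instead of waiting on the lock
        rows = con.execute(
            "SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted "
            "FROM credit_cards").fetchall()
        con.close()
        return rows, None
    except sqlite3.OperationalError as exc:
        return [], str(exc)


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "Web Data")
        create_web_data(path)
        browser = open_like_a_browser(path)
        while_locked = read_cards(path)   # browser running: ([], "database is locked")
        browser.close()                   # what a Restart Manager shutdown of the browser achieves
        after_unlock = read_cards(path)   # name and expiry in the clear, card number still ciphertext
        return while_locked, after_unlock


if __name__ == "__main__":
    locked, unlocked = demo()
    print("while the browser holds the file:", locked)
    print("after the holder exits:", unlocked)
```

The card number stays an opaque blob in this example; on a real host the stealer must also recover the browser's key to decrypt it. For detection, the observable sequence is a browser exiting unexpectedly followed by a script interpreter (python.exe, cmd.exe) reading or copying files named "Web Data", "Login Data" or "Cookies" from the browser profile directory.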
Obfuscation with Junk Code
Some variants pad the script with millions of characters of junk code, inflating the file to hinder static analysis and signature-based detection while leaving the small malicious core unchanged.
Persistence via Run Registry Keys
Recent samples use a PowerShell command to add a Run registry key pointing at the malware, so it executes again at each user logon.
Dynamic Script Generation
Certain samples ship as a batch file that writes the Python script to disk at run time and then launches it with the Python interpreter, so the operator can change the payload without changing the launcher.
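A triage helper for the two behaviours above, as an added example that is not part of the report: it parses a "reg export" of the Run key and flags entries that launch batch files, the Python interpreter, or hidden/encoded PowerShell, decoding any -EncodedCommand payload. The registry export, value names, paths and encoded command are constructed for the example and are not indicators from the report; only REG_SZ string values are handled.

```python
import base64
import re

# Constructed sample of a "reg export" of the per-user Run key: one benign entry
# and two entries shaped like the batch -> Python / PowerShell persistence described
# above. Names, paths and the encoded command are hypothetical.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\jane\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"WinUpdater"="cmd.exe /c \"C:\\Users\\jane\\AppData\\Local\\Temp\\update.bat\""
"SysHelper"="powershell.exe -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA"
'''

KEY_LINE = re.compile(r'^\[(.+)\]\s*$')
# "name"="value" lines of REG_SZ type; backslashes and quotes inside are backslash-escaped.
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')
ENCODED_CMD = re.compile(r'-enc(?:odedcommand)?\s+([A-Za-z0-9+/=]+)', re.IGNORECASE)


def unescape(s):
    """Undo .reg escaping (doubled backslashes, backslash-escaped quotes)."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text):
    """Yield (key_path, value_name, command) for every string value in the export."""
    key = None
    for line in text.splitlines():
        m = KEY_LINE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_LINE.match(line)
        if m and key:
            yield key, unescape(m.group(1)), unescape(m.group(2))


def suspicious_reasons(command):
    """Heuristics matching the launcher behaviour described in the report."""
    c = command.lower()
    reasons = []
    if re.search(r'\bcmd(?:\.exe)?\b.*\.(?:bat|cmd)\b', c):
        reasons.append("cmd.exe launching a batch file")
    if re.search(r'\bpythonw?(?:\.exe)?\b|\.py\b', c):
        reasons.append("python interpreter or script")
    if re.search(r'powershell|pwsh', c) and re.search(
            r'-enc(?:odedcommand)?\b|-w(?:indowstyle)?\s+hidden|-e(?:xecution)?p(?:olicy)?\s+bypass', c):
        reasons.append("encoded or hidden PowerShell")
    if re.search(r'\\(?:temp|public|downloads)\\', c):
        reasons.append("launches from a user-writable directory")
    return reasons


def decode_encoded_command(command):
    """PowerShell -EncodedCommand carries base64 of UTF-16LE text; return it, or None."""
    m = ENCODED_CMD.search(command)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_run_keys(text):
    """Return only the Run-key entries that trip at least one heuristic."""
    findings = []
    for key, name, command in parse_reg_export(text):
        reasons = suspicious_reasons(command)
        if reasons:
            findings.append({"key": key, "name": name, "command": command,
                             "reasons": reasons, "decoded": decode_encoded_command(command)})
    return findings


if __name__ == "__main__":
    for f in triage_run_keys(SAMPLE_REG_EXPORT):
        print(f["name"], "->", "; ".join(f["reasons"]))
        if f["decoded"]:
            print("   decoded:", f["decoded"])
```

Run it against "reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg" (and the HKLM equivalent) collected from a suspect host. The heuristics are intentionally narrow; a legitimate launcher in the OneDrive style produces no finding.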
Indicators of Compromise (IoCs)
File Hashes (MD5)
- cdc07796ddeea6d839358bc5dc171838
- d58b6bf659089148234cf880012682ab
- b3a000158c53633aae897d5902550dc1
- dcfea657edabe54fc43261d5dd486d55
- f21cfe732873f90927d69552c3fa1ada
File Hashes (SHA-256)
- 4613225317e768d6d69b412843a314e2af64960856a0cfd798ed52285867bc36
- c5d4e4d9fa2c201d74a14fd1972b670fde243f087451a3a7dc52a9a6db61a1cb
- 641f2db9e9fb8255337672fb8da9226225fa8e393b651c7c7ebbb5b555d4b755
- ea25dd47b43ddaa3df11e6d16544702a8fabbcd0031ba11d1df51461704a8973
- 8dcced38514c8167c849c1bba9c3c6ef20f219a7439d2fc1f889410e34d8f6c9
File Hashes (SHA-1)
- 50406e911960d5b6a552c378ce0bd236518194bf
- 8c54843a3d643c08c805d5205f9220e40c07377a
- f3152afb08e7e45735285064079aa75b99b3ab05
- 354bf3e5b82a705d311759338d5e3db28f5e6ad4
- e3112cc5082c05da587c81589e47a37065364d5b
Malicious IP-Hosted Endpoint
- hxxp://34[.]82[.]20[.]84:3000/v1/botlog/key
URLs
- hxxps://bitbucket[.]org/lxsoft/store/src/master/
- hxxps://gitlab[.]com/rftsoft/ase
- hxxps://dl.dropbox[.]com/scl/fi/mioy6rz517smvxsyi32wn/
Mitigation and Prevention
- User Awareness: Educate employees on recognizing malicious advertisements and phishing lures, which are the delivery paths used in these campaigns.
- Endpoint Protection: Deploy endpoint protection that detects Python- and script-based threats, including Python interpreters launched from batch files and unusual access to browser SQLite databases such as "Web Data".
- Two-Factor Authentication (2FA): Enable 2FA on Facebook Business accounts. Note that NodeStealer works from stolen session cookies, so 2FA does not protect a session that is already authenticated; after a suspected compromise, log out of all sessions and rotate the password so the stolen cookies stop working.
- Monitor Network Traffic: Alert on HTTPS requests to api.telegram.org (the Bot API host, not used by the regular Telegram client) from endpoints with no business reason to run Telegram bots, and on traffic to the network indicators listed above.
- Regular Updates: Keep all software, especially web browsers, up to date to patch known vulnerabilities.
- Restrict PowerShell Execution: Limit PowerShell for non-administrative users, enable script block logging, and alert on Run-key additions made from PowerShell.
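The network-monitoring item above in code, as an added example that is not part of the report: it runs over proxy log lines, matches the report's network indicators, recognizes Telegram Bot API calls of the form /bot<id>:<secret>/<method>, and ranks hosts that show both behaviours. The log format (timestamp, source, HTTP method, URL, status, bytes) and every address, token and timestamp in the sample are constructed; only the indicator URLs come from the report.

```python
import re
from urllib.parse import urlsplit

# Network indicators from this report, in live (not defanged) form for matching.
IOC_URL_PREFIXES = (
    "http://34.82.20.84:3000/v1/botlog/",
    "https://bitbucket.org/lxsoft/store/",
    "https://gitlab.com/rftsoft/ase",
    "https://dl.dropbox.com/scl/fi/mioy6rz517smvxsyi32wn/",
)

# Telegram Bot API paths look like /bot<bot_id>:<secret>/<method>; the token is the
# operator's credential embedded in the stealer. The length bound is a heuristic.
TELEGRAM_BOT_PATH = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]{30,})/(\w+)")
UPLOAD_METHODS = {"sendDocument", "sendPhoto", "sendMessage", "sendMediaGroup"}

# Constructed proxy log: "<ts> <src_ip> <method> <url> <status> <bytes>" per line.
SAMPLE_LOG = """\
2024-11-20T09:12:01Z 10.0.5.23 GET https://www.example.com/ 200 5120
2024-11-20T09:12:07Z 10.0.5.23 GET http://34.82.20.84:3000/v1/botlog/key 200 88
2024-11-20T09:12:09Z 10.0.5.23 POST https://api.telegram.org/bot7340012345:AAH0constructedTokenForThisExample_abc/sendDocument 200 184322
2024-11-20T09:13:44Z 10.0.5.24 GET https://web.telegram.org/a/ 200 9123
2024-11-20T09:14:02Z 10.0.5.25 GET https://gitlab.com/rftsoft/ase/-/raw/main/x 200 40960
"""


def parse_line(line):
    ts, src, method, url, status, nbytes = line.split()
    return {"ts": ts, "src": src, "method": method, "url": url,
            "status": int(status), "bytes": int(nbytes)}


def classify(req):
    """Return a finding dict for a request that matches, else None."""
    url = req["url"]
    parts = urlsplit(url)
    if parts.hostname == "api.telegram.org":
        m = TELEGRAM_BOT_PATH.match(parts.path)
        if m:
            bot_id, _secret, method = m.groups()  # the secret half of the token is never recorded
            return {"src": req["src"], "kind": "telegram_bot_api", "bot_id": bot_id,
                    "api_method": method,
                    "upload": method in UPLOAD_METHODS and req["method"] == "POST",
                    "bytes": req["bytes"]}
    for prefix in IOC_URL_PREFIXES:
        if url.startswith(prefix):
            return {"src": req["src"], "kind": "ioc_url", "matched": prefix, "bytes": req["bytes"]}
    return None


def analyze(log_text):
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        finding = classify(parse_line(line))
        if finding:
            findings.append(finding)
    return findings


def hosts_to_triage(findings):
    """Sources with both an indicator hit and Telegram Bot API traffic are the strongest leads."""
    by_src = {}
    for f in findings:
        by_src.setdefault(f["src"], set()).add(f["kind"])
    return sorted(src for src, kinds in by_src.items() if {"ioc_url", "telegram_bot_api"} <= kinds)


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG)
    for f in results:
        print(f)
    print("triage first:", hosts_to_triage(results))
```

The web.telegram.org request in the sample is deliberately left unflagged: ordinary Telegram use goes to the web client or, for the desktop client, to Telegram's MTProto data centres, not to api.telegram.org. A POST to a sendDocument endpoint with a large request body from a workstation is the exfiltration shape to look for.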
Conclusion
NodeStealer represents a significant threat to organizations managing sensitive online assets like Facebook Ads Manager accounts. With its evolution to target credit card details and use sophisticated techniques like Restart Manager and dynamic script generation, the malware demonstrates a high level of adaptability. Vigilant monitoring, robust security configurations, and consistent user education are essential in defending against these advanced threats.
Sources:
- Netskope Threat Labs, "Python NodeStealer Targets Facebook Ads Manager with New Techniques."
- Bitdefender Labs, "NodeStealer and Malvertising Campaigns."
- The Hacker News, "NodeStealer Malware Targets Facebook Ad Accounts, Harvesting Credit Card Data."