An advanced version of the NodeStealer malware, previously identified by Meta in May 2023, has evolved to aggressively target Facebook Ads Manager accounts, escalating its threat by extracting credit card information directly from web browsers.
Research Findings
According to a Netskope Threat Labs report shared with The Hacker News, NodeStealer now deploys several sophisticated techniques:
- Uses the Windows Restart Manager to release locks on browser database files so they can be read.
- Introduces junk code and batch scripts to dynamically execute its Python-based payload.
- Originally JavaScript malware, NodeStealer has transitioned to Python, enhancing its capability to hijack Facebook accounts.
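As an added example (not from the Netskope report, and not the malware's code), the following correlation rule flags the pattern described above from a defender's side: a non-browser process that loads the Windows Restart Manager library (rstrtmgr.dll), then reads a browser credential or payment store, and then connects to the Telegram API. The telemetry format and the sample events are constructed for this example and only approximate Sysmon-style logs; the field layout is an assumption.

```python
"""Correlation rule for the NodeStealer-style pattern: Restart Manager load ->
browser database read -> Telegram egress, all from one non-browser process."""
from collections import defaultdict

BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe"}
# SQLite/JSON stores where Chromium and Firefox keep logins, autofill and cards.
BROWSER_DBS = ("login data", "web data", "cookies", "logins.json")
TELEGRAM_API = "api.telegram.org"

# Constructed telemetry: (pid, image, event_type, detail). Not real log data.
SAMPLE_EVENTS = [
    (4120, "chrome.exe", "file_read",
     r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    (7788, "python.exe", "image_load", r"C:\Windows\System32\rstrtmgr.dll"),
    (7788, "python.exe", "file_read",
     r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Web Data"),
    (7788, "python.exe", "net_connect", "api.telegram.org:443"),
    (9001, "explorer.exe", "image_load", r"C:\Windows\System32\rstrtmgr.dll"),
]


def correlate(events):
    """Return {pid: [reasons]} for processes that match the stealer pattern."""
    state = defaultdict(lambda: {"rm": False, "db": False, "tg": False, "image": ""})
    for pid, image, etype, detail in events:
        s = state[pid]
        s["image"] = image.lower()
        d = detail.lower()
        if etype == "image_load" and d.endswith("rstrtmgr.dll"):
            s["rm"] = True                      # Restart Manager loaded
        elif etype == "file_read" and d.endswith(BROWSER_DBS):
            s["db"] = True                      # credential/payment store read
        elif etype == "net_connect" and d.startswith(TELEGRAM_API):
            s["tg"] = True                      # Telegram used as exfil channel
    hits = {}
    for pid, s in state.items():
        if s["image"] in BROWSERS:
            continue                            # browsers legitimately open their own stores
        if s["rm"] and s["db"]:
            reasons = ["restart_manager_then_browser_db"]
            if s["tg"]:
                reasons.append("telegram_api_egress")
            hits[pid] = reasons
    return hits


if __name__ == "__main__":
    for pid, why in correlate(SAMPLE_EVENTS).items():
        print(pid, why)
```

The rule keys on the combination rather than on any single event, since rstrtmgr.dll is also loaded by legitimate installers and updaters.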
Threat Actor Profile
The malware is believed to be crafted by threat actors in Vietnam, known for targeting Facebook advertising and business accounts for various malicious endeavors.
Operational Tactics
- Targets Facebook Ads Manager to facilitate malvertising campaigns.
- Exfiltrates data using Telegram, highlighting its continued misuse by cybercriminals.
- Specifically avoids targeting systems located in Vietnam, likely to evade local law enforcement.
Current Campaigns
NodeStealer is suspected of aiding malvertising by impersonating reputable software like Bitwarden through Facebook ads, misleading users into installing harmful extensions.
Phishing Emails and RAT Deployment
Coinciding with the NodeStealer developments, Cofense reports emerging phishing strategies that deploy malicious payloads such as I2Parcae RAT and PythonRatLoader. These campaigns leverage web contact forms and invoice-themed emails to evade security defenses, with notable TTPs targeting Secure Email Gateways and abusing Windows functionality for persistence and data exfiltration.
Notable Techniques
- ClickFix, a method that tricks users into infecting themselves by carrying out fake CAPTCHA verification steps, is gaining traction among multiple threat actors.
- This method is used by actors to distribute Remote Access Trojans such as Brute Ratel C4 and has been suspected in Russian espionage against Ukrainian institutions.
Phishing Tactics
Advanced phishing attacks have been observed using fake Docusign requests to induce financial fraud among contractors and vendors, leading to potential business disruptions and unauthorized financial transactions. These developments highlight the ever-evolving landscape of cyber threats and underscore the critical need for vigilance against sophisticated social engineering and malware campaigns. For more detailed analysis and updates on malware trends, follow Vault33 on Twitter and LinkedIn.