NodeStealer, an evolving Python-based malware, has expanded its data theft capabilities by targeting sensitive financial information like credit card details and Facebook Ads Manager budget data, potentially enabling malicious ad campaigns.
The malware employs advanced techniques, including Windows Restart Manager exploitation, code obfuscation, and dynamic script generation, to evade detection and maximize its impact.
New NodeStealer variants target Facebook Ads Manager using stolen cookies to generate access tokens via Graph API, which allows attackers to collect budget details, likely for launching malicious advertising campaigns.
It targets Facebook Ads Manager accounts outside Vietnam by collecting sensitive account information, including ID, name, currency, country, spending limits, and payment details.
The data is extracted with Graph API requests and stored locally; the malware skips victims with Vietnamese IP addresses to evade detection and legal consequences.
By leveraging the Windows Restart Manager, a legitimate Microsoft component, it unlocks database files that other processes hold open, letting it bypass that protection and exfiltrate sensitive information undetected.
The Python infostealer bypasses file locking by integrating with the Windows Restart Manager: it identifies the locked database files, registers them with the manager, and then forcefully terminates the processes holding the locks so that it can read the files and extract sensitive information.
Python-based NodeStealer variants now steal credit card information by extracting and querying the “Web Data” SQLite database of targeted browsers; this database stores autofill information and saved payment methods, so querying it gives the attackers the victim’s credit card details.
It has also adopted a stealthier persistence method: an entry in the current user’s Run registry key executes a PowerShell script, which in turn launches the malicious Python script, so the malware survives reboots on the infected system.
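A defender-side check for the persistence chain just described, written as an added example (it is not code from the Netskope report or from the malware): it scans registry write events modelled on Sysmon Event ID 13 (RegistryEvent SetValue) and flags Run-key values whose command launches PowerShell and also references a Python interpreter or .py script. The sample events, the value names and the command lines are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Value paths under the per-user or machine Run/RunOnce autorun keys.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\", re.I)
# Launcher: Windows PowerShell or pwsh on the autorun command line.
POWERSHELL_RE = re.compile(r"\b(powershell|pwsh)(\.exe)?\b", re.I)
# Payload: a Python interpreter or a .py/.pyw script on the command line.
PYTHON_RE = re.compile(r"\b(python|pythonw)\d*(\.exe)?\b|\.pyw?\b", re.I)
# Flags typical of a launcher that wants no window and no execution-policy prompt.
HIDDEN_RE = re.compile(r"-(w(indowstyle)?\s+hidden|nop\b|e(p|xecutionpolicy)\s+bypass)", re.I)

@dataclass
class RegistryEvent:
    # Subset of a Sysmon Event ID 13 record (TargetObject / Details); sample values are constructed.
    target_object: str   # full path of the registry value that was written
    details: str         # data written to the value, i.e. the autorun command line

def run_entry_tags(event: RegistryEvent) -> set[str]:
    """Indicators that make one Run-key write look like the PowerShell -> Python chain."""
    tags = set()
    if not RUN_KEY_RE.search(event.target_object):
        return tags                         # not an autorun value at all
    if POWERSHELL_RE.search(event.details):
        tags.add("powershell-launcher")
        if HIDDEN_RE.search(event.details):
            tags.add("hidden-flags")
    if PYTHON_RE.search(event.details):
        tags.add("python-payload")
    return tags

def find_persistence(events: list[RegistryEvent]) -> list[tuple[str, list[str]]]:
    """Return (value path, sorted tags) for events showing both the launcher and the Python payload."""
    hits = []
    for ev in events:
        tags = run_entry_tags(ev)
        if {"powershell-launcher", "python-payload"} <= tags:   # launcher plus payload, not either alone
            hits.append((ev.target_object, sorted(tags)))
    return hits

# Constructed sample events (not real telemetry); only the first mimics the described chain.
SAMPLE_EVENTS = [
    RegistryEvent(r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
                  r'powershell.exe -w hidden -ep bypass -c "& C:\Users\Public\pythonw.exe C:\Users\Public\update.py"'),
    RegistryEvent(r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
                  r"%windir%\system32\SecurityHealthSystray.exe"),
    RegistryEvent(r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
                  r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]
```

Calling `find_persistence(SAMPLE_EVENTS)` returns only the Updater entry, tagged with the launcher, hidden-flag and Python-payload indicators; the two benign autoruns produce no tags.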
The variants contain large amounts of extraneous code ahead of the actual malicious script, ranging from 6 to 3.9 million characters, likely inserted to evade file-size-based detection or to hinder analysis.
The batch file, which embeds the Python infostealer code, echoes the script line by line into a separate file, generating and executing the malicious payload locally without fetching it from an external source.
According to Netskope, NodeStealer exfiltrates stolen credentials and system information, including IP address, country, and hostname, to Telegram: the data is written to text files, zipped, and sent to the attacker.
Python NodeStealer has evolved to target Facebook Ads Manager and credit card data using new techniques, which calls for updated security controls for detection, prevention, and threat hunting.