Python NodeStealer Hacks Facebook Business Logins

NodeStealer, an evolving Python-based malware, has expanded its data theft capabilities by targeting sensitive financial information like credit card details and Facebook Ads Manager budget data, potentially enabling malicious ad campaigns.

The malware employs advanced techniques, including abuse of the Windows Restart Manager API, code obfuscation, and dynamic script generation, to evade detection and maximize its impact.

New NodeStealer variants target Facebook Ads Manager using stolen cookies to generate access tokens via Graph API, which allows attackers to collect budget details, likely for launching malicious advertising campaigns. 

Routine to collect Facebook Ads Manager token

It targets Facebook Ads Manager accounts outside Vietnam by collecting sensitive account information, including ID, name, currency, country, spending limits, and payment details. 

The data is extracted with Graph API requests and stored locally. The malware deliberately skips victims with Vietnamese IP addresses to evade detection and legal consequences.

By leveraging Windows Restart Manager, a legitimate Microsoft component, it unlocks locked browser database files and steals their contents, letting the attackers bypass the file-locking protection and exfiltrate sensitive information undetected.

Routine to unlock browser database files

The Python infostealer bypasses file locking by calling the Windows Restart Manager API: it identifies the locked database files, registers them with the Restart Manager as resources, and then has the manager forcefully terminate the processes holding them, gaining access to the files and extracting the sensitive information inside.

Python-based NodeStealer variants now steal credit card information by extracting and querying the “Web Data” SQLite database of targeted browsers, which stores sensitive data like autofill information and saved payment methods, allowing attackers to access the victim’s credit card details. 

It has evolved to use a stealthier persistence method: a value under the current user's Run registry key executes a PowerShell script, which in turn launches the malicious Python script, ensuring the malware persists on the infected system.

Junk code

The malware variants contain large amounts of extraneous code preceding the actual malicious script, ranging from 6 to 3.9 million characters, likely inserted to evade file-size-based detection or to hinder analysis.

The batch file, embedded with Python infostealer code, echoes the script line-by-line into a separate file, effectively generating and executing the malicious payload locally without relying on external sources.
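As an added defender-side example (not code from the article or from Netskope), the following Python heuristics flag the two behaviours described above: a Run-key value that launches PowerShell with hidden, bypass or encoded-command flags, and a batch file that assembles a .py file from repeated echo redirects and then executes it. The Run-key values, the batch snippet and the specific flag patterns are constructed assumptions for illustration.

```python
import re

# Constructed sample Run-key values (name -> command line), as exported from
# HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Sample data only, not from the report.
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "Updater": r'powershell.exe -w hidden -ep bypass -File C:\Users\alice\AppData\Roaming\upd.ps1',
}

# Constructed batch file that echoes a Python script line by line into a file, then runs it.
SAMPLE_BATCH = r"""@echo off
echo import sqlite3 >> %TEMP%\s.py
echo import shutil >> %TEMP%\s.py
echo print("ok") >> %TEMP%\s.py
python %TEMP%\s.py
"""

POWERSHELL = re.compile(r"\bpowershell(\.exe)?\b", re.I)
# Flags commonly seen on PowerShell launched from malware persistence entries (assumed set).
PS_EVASION_FLAGS = [
    re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    re.compile(r"-e(xecutionpolicy|p)\s+bypass", re.I),
    re.compile(r"-e(ncodedcommand|c)?\s+[A-Za-z0-9+/=]{20,}", re.I),
]
# A batch line that appends text to a .py file, and a line that runs a .py file.
ECHO_TO_PY = re.compile(r"^\s*echo\b.*>>?\s*\S+\.py\s*$", re.I | re.M)
RUNS_PY = re.compile(r"\bpython(w|3)?(\.exe)?\s+\S+\.py\b", re.I)


def flag_run_values(values):
    """Return names of Run values that start PowerShell with hidden/bypass/encoded flags."""
    hits = []
    for name, cmd in values.items():
        if POWERSHELL.search(cmd) and any(f.search(cmd) for f in PS_EVASION_FLAGS):
            hits.append(name)
    return hits


def flag_batch(text, min_echo_lines=3):
    """True when a batch file builds a .py file from echo redirects and then executes it."""
    echo_lines = ECHO_TO_PY.findall(text)
    return len(echo_lines) >= min_echo_lines and RUNS_PY.search(text) is not None


if __name__ == "__main__":
    print("suspicious Run values:", flag_run_values(SAMPLE_RUN_VALUES))
    print("batch builds and runs a script:", flag_batch(SAMPLE_BATCH))
```

Both checks are heuristics: tune the flag list and the echo-line threshold to your environment before using them for hunting.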

According to Netskope, NodeStealer exfiltrates stolen credentials and system information, including IP address, country, and hostname, to Telegram: the data is written to text files, zipped, and sent to the attacker.

Python NodeStealer has evolved, targeting Facebook Ads Manager and credit card data by employing new techniques, necessitating updated security controls for detection, prevention, and threat hunting. 

Kaaviya (https://cyberpress.org/)
Kaaviya is a Security Editor and fellow reporter with Cyber Press. She covers various cyber security incidents happening in cyberspace.