NodeStealer, malware that was initially JavaScript-based, has evolved into a Python-based threat with expanded data-stealing capabilities.
A campaign targeting a Malaysian educational institution linked to a Vietnamese group highlights its ability to steal credit card details, browser data, and sensitive information from Facebook Ads Manager accounts.
A spear-phishing email triggers the infection chain, delivering a malicious payload disguised as a legitimate application. The chain uses techniques such as DLL sideloading and encoded PowerShell to evade security controls and execute the final payload, which ultimately exfiltrates data via Telegram.
The malware has evolved to target Facebook Ads Manager accounts and exfiltrates sensitive data, including credit card details, browser history, and critical financial information, from compromised systems, posing a significant threat to both individuals and businesses.
It was likely orchestrated by a Vietnamese group and employed spear-phishing emails written in Bahasa Melayu but with suspicious subject lines, indicating potential machine translation.
The attack began with a spear-phishing email containing a malicious PDF link. Once clicked, the PDF exploited device vulnerabilities, enabling malware installation and data theft.
An attacker employs a social engineering technique by sending a deceptive copyright infringement notice to trick users into clicking malicious links or downloading harmful files. The fraudulent notice mimics a legitimate authority, pressuring users to take hasty action without scrutiny.
Clicking the malicious email link downloads “Nombor Rekod 052881.zip,” which extracts suspicious files, including likely DLLs, executables, and a batch script, potentially compromising the system.
The Nombor Rekod 052881.exe PDF reader was abused to sideload the malicious oledlg.dll, which, once loaded, executed a batch file (images\active-license.bat) using the command prompt, enabling the malware to operate undetected and carry out its malicious activities.
The decoded PowerShell hides the console window, creates a folder, and extracts the password-protected license.rar (which contains a portable Python runtime) into the user’s Chrome application data directory.
The malware downloads a decoy PDF, executes it using Adobe Acrobat, establishes persistence via a startup link, and finally downloads and executes a malicious payload from a remote server, leveraging Python’s `requests` library for in-memory execution.
The obfuscated Python script in entry.txt uses `exec()` and `marshal.loads()` to execute Python bytecode: the loader disassembles the bytecode, decrypts a binary string using `hybrid_decrypt`, and passes the decrypted bytecode to the `runner` function for execution.
According to Trend Micro, the bytecode reveals the code’s malicious intent: deploying an infostealer designed to steal sensitive information such as credit card details and browser data.
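The `exec()` plus `marshal.loads()` shape described above is a useful static triage signal. The following added example (not code from the original article or from Trend Micro) walks a script's AST and reports every `exec()`/`eval()` call together with the chain of calls that feeds it; `SAMPLE_LOADER` is a constructed stand-in for the loader shape, not the real entry.txt, and the function and constant names are assumptions.

```python
import ast

# Call shapes this page's loader relies on: exec() fed by marshal.loads(), plus the decode/decompress helpers usually chained in front of it.
EXEC_LIKE = {"exec", "eval"}
LOADER_HELPERS = {("marshal", "loads"), ("base64", "b64decode"), ("zlib", "decompress")}

def _call_name(node: ast.Call):
    """('exec',) for exec(...), ('marshal', 'loads') for marshal.loads(...), else None."""
    f = node.func
    if isinstance(f, ast.Name):
        return (f.id,)
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
        return (f.value.id, f.attr)
    return None

def _inner_chain(node: ast.Call) -> list[str]:
    """Follow nested calls in the first argument: exec(marshal.loads(zlib.decompress(x)))."""
    chain, cur = [], (node.args[0] if node.args else None)
    while isinstance(cur, ast.Call) and (name := _call_name(cur)):
        chain.append(".".join(name))
        cur = cur.args[0] if cur.args else None
    return chain

def find_loader_indicators(source: str) -> list[str]:
    """Static scan: every exec()/eval() (with what feeds it) and loader-helper call, by line."""
    try:
        tree = ast.parse(source)
    except SyntaxError as exc:  # obfuscated scripts are often not even valid Python
        return [f"unparseable source: {exc.msg} (line {exc.lineno})"]
    findings = []
    for node in ast.walk(tree):
        name = _call_name(node) if isinstance(node, ast.Call) else None
        if name is None:
            continue
        if len(name) == 1 and name[0] in EXEC_LIKE:
            fed_by = " <- ".join(_inner_chain(node)) or "non-call argument"
            findings.append(f"line {node.lineno}: {name[0]}() fed by {fed_by}")
        elif name in LOADER_HELPERS:
            findings.append(f"line {node.lineno}: {'.'.join(name)}()")
    return findings

def is_marshal_exec_loader(source: str) -> bool:
    """True when exec()/eval() is fed, directly or through decode helpers, by marshal.loads()."""
    return any("fed by" in f and "marshal.loads" in f for f in find_loader_indicators(source))

# Constructed sample with the loader shape described in the report; the blob is a placeholder.
SAMPLE_LOADER = """import base64, marshal, zlib
blob = base64.b64decode("PLACEHOLDER")
exec(marshal.loads(zlib.decompress(blob)))
"""
```

Running `find_loader_indicators(SAMPLE_LOADER)` reports the `base64.b64decode()` call on line 2 and, on line 3, an `exec()` fed by `marshal.loads <- zlib.decompress`; a script that only calls `exec()` on a literal or a plain variable is reported but not flagged by `is_marshal_exec_loader`.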
The campaign also targets Facebook Ads Manager accounts to extract financial and business information, potentially enabling the attackers to launch fraudulent advertising campaigns.
NodeStealer’s latest variant targets Facebook Ads Manager accounts, credit card data, and browser information, using sophisticated techniques to evade detection.
To mitigate risks, users should be cautious of suspicious emails, receive cybersecurity training, and maintain up-to-date antivirus software.