Crypto Wallets and Facebook Business Account under Threat of NodeStealer

Cybersecurity researchers have discovered a Python version of the NodeStealer malware that can fully take over Facebook business accounts and steal cryptocurrency. Palo Alto Networks Unit 42 found this previously unknown variant as part of a campaign that began in December 2022.

Revealing NodeStealer

Unit 42 researcher Lior Rochberger warned that NodeStealer poses significant risks for both individuals and organizations. In addition to impacting Facebook business accounts financially, the malware steals credentials from web browsers, which could lead to further attacks.

NodeStealer was first disclosed by Meta in May 2023 as a stealer that collects cookies and passwords from web browsers to compromise Facebook, Gmail, and Outlook accounts. The samples Meta described were written in JavaScript; the newly found variant is written in Python.

Anatomy of the attack

  • The attack starts with deceptive messages on Facebook offering free “professional” budget-tracking templates for Microsoft Excel and Google Sheets.
  • Victims are lured into downloading a ZIP archive hosted on Google Drive that contains the stealer executable. Beyond capturing Facebook business account details, the malware downloads additional malicious software, such as BitRAT and XWorm, delivered as ZIP files.
  • It also disables Microsoft Defender Antivirus and steals cryptocurrency by harvesting MetaMask credentials from the Google Chrome, Cốc Cốc, and Brave browsers.

What else does it do?

To fetch these payloads, NodeStealer relies on a User Account Control (UAC) bypass that abuses fodhelper.exe, an auto-elevating Windows binary, to run PowerShell scripts that retrieve the ZIP files from a remote server.

The fodhelper UAC bypass has previously been used by financially motivated threat actors behind the Casbaneiro banking malware to gain elevated privileges on infected machines.
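Detection-side view of that bypass, as an added example that is not part of the article or of Unit 42's research: a small Python checker over constructed Sysmon-style events (Event ID 13 registry writes and Event ID 1 process creations) that flags the two observable halves of the technique, a write to the ms-settings protocol handler under the user's registry hive and a script interpreter spawned by fodhelper.exe. Field names follow Sysmon; the file paths, SID and command lines in the sample events are invented for illustration.

```python
"""Flag the fodhelper.exe UAC-bypass pattern in Sysmon-style telemetry.

Added example for this article; it is not code from Unit 42, Meta, or the
NodeStealer authors. Event dicts are modelled on Sysmon Event ID 13 (registry
value set) and Event ID 1 (process creation); the sample events below are
constructed for illustration and do not come from a real infection.
"""
import re

# fodhelper.exe is an auto-elevating Windows binary that opens the
# "ms-settings:" protocol handler. Because it resolves the handler through
# the user's hive (HKCU) before the machine-wide one, a medium-integrity
# process can plant its own command there and have it run at high integrity
# without a UAC prompt.
MS_SETTINGS_HANDLER = re.compile(
    r"^(HKU|HKCU)\\(.*\\)?Software\\Classes\\ms-settings\\Shell\\Open\\command",
    re.IGNORECASE,
)
FODHELPER = re.compile(r"\\fodhelper\.exe$", re.IGNORECASE)

# Script and shell interpreters that should never be children of
# fodhelper.exe; the campaign above used PowerShell to pull ZIP payloads.
INTERPRETERS = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
    "cscript.exe", "mshta.exe", "rundll32.exe",
}


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect_fodhelper_bypass(events):
    """Return a list of findings; each is a dict with a 'kind' and evidence."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 13 and MS_SETTINGS_HANDLER.search(ev.get("TargetObject", "")):
            findings.append({
                "kind": "registry_hijack",
                "image": ev.get("Image"),
                "target": ev.get("TargetObject"),
                "details": ev.get("Details"),
            })
        elif (eid == 1
              and FODHELPER.search(ev.get("ParentImage", ""))
              and _basename(ev.get("Image", "")) in INTERPRETERS):
            findings.append({
                "kind": "elevated_child",
                "image": ev.get("Image"),
                "parent": ev.get("ParentImage"),
                "command_line": ev.get("CommandLine"),
                "integrity": ev.get("IntegrityLevel"),
            })
    return findings


# Constructed sample telemetry (not real logs). The first three events show
# the bypass; the last two are benign look-alikes the rules must ignore.
SAMPLE_EVENTS = [
    {"EventID": 13,
     "Image": r"C:\Users\victim\AppData\Local\Temp\budget_template.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Classes\ms-settings\Shell\Open\command\DelegateExecute",
     "Details": ""},
    {"EventID": 13,
     "Image": r"C:\Users\victim\AppData\Local\Temp\budget_template.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Classes\ms-settings\Shell\Open\command\(Default)",
     "Details": r"powershell.exe -WindowStyle Hidden -File C:\Users\victim\AppData\Local\Temp\dl.ps1"},
    {"EventID": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\fodhelper.exe",
     "CommandLine": r"powershell.exe -WindowStyle Hidden -File C:\Users\victim\AppData\Local\Temp\dl.ps1",
     "IntegrityLevel": "High"},
    # A user opening "Optional features": fodhelper launched by Explorer.
    {"EventID": 1,
     "Image": r"C:\Windows\System32\fodhelper.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "fodhelper.exe",
     "IntegrityLevel": "High"},
    # A write to the machine-wide handler under HKLM (constructed value):
    # servicing touches it, users do not, and it is outside the HKCU rule.
    {"EventID": 13,
     "Image": r"C:\Windows\servicing\TrustedInstaller.exe",
     "TargetObject": r"HKLM\SOFTWARE\Classes\ms-settings\Shell\Open\command\DelegateExecute",
     "Details": ""},
]

if __name__ == "__main__":
    for finding in detect_fodhelper_bypass(SAMPLE_EVENTS):
        print(finding)
```

Run against the sample, the checker reports the two registry writes and the elevated PowerShell child and ignores the legitimate Explorer-launched fodhelper and the HKLM write. In production the same two rules map onto a SIEM query: alert on any HKCU/HKU write under ms-settings\Shell\Open\command, and on any interpreter whose parent is fodhelper.exe.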

In addition, Unit 42 identified an upgraded Python variant of NodeStealer with additional capabilities. This version includes anti-analysis features, extracts emails from Microsoft Outlook, and even attempts to take over the associated Facebook account.

Once the information has been gathered, the files are exfiltrated through the Telegram API and then deleted from the system to remove traces of the attack.

NodeStealer is part of a larger trend involving Vietnamese threat actors targeting Facebook business accounts for advertising fraud and spreading malware to others on the platform, similar to malware like Ducktail.


To stay protected, avoid suspicious links and do not download files from unverified sources. Keeping up with the latest threat trends is equally important in today’s evolving landscape, as is securing the accounts and wallets that hold digital assets.




August 2, 2023



