Python-Based NodeStealer Version Targets Facebook Ads Manager

Dec. 19, 2024, 1:39 p.m.

Description

The latest variant of NodeStealer has evolved from JavaScript to Python, expanding its data theft capabilities. Trend Micro's MXDR team uncovered this advanced version in a campaign targeting a Malaysian educational institution, linked to a Vietnamese threat group. The malware now targets Facebook Ads Manager accounts, stealing critical financial and business information alongside credit card details and browser data. The infection begins with a spear-phishing email containing a malicious link, which downloads and installs the malware disguised as a legitimate application. Sophisticated techniques like DLL sideloading and encoded PowerShell commands are used to bypass security and execute the final payload, exfiltrating data via Telegram.

External References

https://www.trendmicro.com/en_us/research/24/l/python-based-nodestealer.html
https://otx.alienvault.com/pulse/676418026e68c8c9a7e3c605
Tags
python
infostealer
dll sideloading
data exfiltration
telegram
spear-phishing
2024-12-19
nodestealer
facebook ads manager

Date

  • Created: Dec. 19, 2024, 12:56 p.m.
  • Published: Dec. 19, 2024, 12:56 p.m.
  • Modified: Dec. 19, 2024, 1:39 p.m.

Indicators

  • f813da93eed9c536154a6da5f38462bfb4ed80c85dd117c3fd681cf4790fbf71
  • ed1c48542a3e58020bd624c592f6aa7f7868ee16fbb03308269d44c4108011b1
  • 786db3ddf2a471516c832e44b0d9a230674630c6f99d3e61ada6830726172458
  • 1c9c7bb07acb9d612af2007cb633a6b1f569b197b1f93abc9bd3af8593e1ec66
  • 0b1866b627d8078d296e7d39583c9f856117be79c1d226b8c9378fe075369118
Download all indicators here!

Attack Patterns

  • NodeStealer
  • Vietnamese threat group

Additional Informations

  • Education
  • Malaysia