Cybersecurity researchers have unearthed a Python variant of a stealer malware NodeStealer that is geared up to completely take over Fb enterprise accounts in addition to siphon cryptocurrency.
Palo Alto Community Unit 42 stated it detected the beforehand undocumented pressure as a part of a marketing campaign that commenced in December 2022.
NodeStealer was first uncovered by Meta in Could 2023, describing it as a stealer able to harvesting cookies and passwords from net browsers to compromise Fb, Gmail, and Outlook accounts. Whereas the prior samples had been written in JavaScript, the most recent variations are coded in Python.
“NodeStealer poses nice threat for each people and organizations,” Unit 42 researcher Lior Rochberger stated. “Apart from the direct impression on Fb enterprise accounts, which is principally monetary, the malware additionally steals credentials from browsers, which can be utilized for additional assaults.”
The assaults begin with bogus messages on Fb that purportedly declare to supply free “skilled” finances monitoring Microsoft Excel and Google Sheets templates, tricking victims to obtain a ZIP archive file hosted on Google Drive.
The ZIP file embeds inside it the stealer executable that, apart from capturing Fb enterprise account info, is designed to obtain further malware similar to BitRAT and XWorm within the type of ZIP recordsdata, disable Microsoft Defender Antivirus, and perform crypto theft through the use of MetaMask credentials from Google Chrome, Cốc Cốc, and Courageous net browsers.
The downloads are achieved by way of a Consumer Account Management (UAC) bypass approach that employs the fodhelper.exe to execute PowerShell scripts that retrieve the ZIP recordsdata from a distant server.
It is value noting that the FodHelper UAC bypass methodology has additionally been adopted by financially motivated risk actors behind the Casbaneiro banking malware to acquire elevated privileges over contaminated hosts.
Unit 42 stated it additional noticed an upgraded Python variant of NodeStealer that goes past credential and crypto theft by implementing anti-analysis options, parsing emails from Microsoft Outlook, and even making an attempt to take over the related Fb account.
As soon as the required info is collected, the recordsdata are exfiltrated via the Telegram API, after which they’re deleted from the machine to erase the path.
NodeStealer additionally joins the likes of malware like Ducktail which might be a part of a rising development of Vietnamese risk actors trying to break into Fb enterprise accounts for promoting fraud and propagating malware to different customers on the social media platform.
The event comes as risk actors have been noticed leveraging WebDAV servers to deploy BATLOADER, which is then used to distribute XWorm as a part of a multi-stage phishing assault.
“Fb enterprise account homeowners are inspired to make use of sturdy passwords and allow multi-factor authentication,” Rochberger stated. “Take the time to supply training to your group on phishing ways, particularly fashionable, focused approaches that play off present occasions, enterprise wants and different interesting matters.”
