Cybersecurity researchers have unearthed a Python variant of a stealer malware NodeStealer that is geared up to totally take over Fb enterprise accounts in addition to siphon cryptocurrency.
Palo Alto Community Unit 42 mentioned it detected the beforehand undocumented pressure as a part of a marketing campaign that commenced in December 2022.
NodeStealer was first uncovered by Meta in Might 2023, describing it as a stealer able to harvesting cookies and passwords from internet browsers to compromise Fb, Gmail, and Outlook accounts. Whereas the prior samples had been written in JavaScript, the most recent variations are coded in Python.
“NodeStealer poses nice danger for each people and organizations,” Unit 42 researcher Lior Rochberger mentioned. “In addition to the direct affect on Fb enterprise accounts, which is principally monetary, the malware additionally steals credentials from browsers, which can be utilized for additional assaults.”
The assaults begin with bogus messages on Fb that purportedly declare to supply free “skilled” finances monitoring Microsoft Excel and Google Sheets templates, tricking victims to obtain a ZIP archive file hosted on Google Drive.
The ZIP file embeds inside it the stealer executable that, in addition to capturing Fb enterprise account data, is designed to obtain further malware similar to BitRAT and XWorm within the type of ZIP recordsdata, disable Microsoft Defender Antivirus, and perform crypto theft by utilizing MetaMask credentials from Google Chrome, Cốc Cốc, and Courageous internet browsers.
The downloads are completed by way of a Consumer Account Management (UAC) bypass approach that employs the fodhelper.exe to execute PowerShell scripts that retrieve the ZIP recordsdata from a distant server.
It is value noting that the FodHelper UAC bypass technique has additionally been adopted by financially motivated menace actors behind the Casbaneiro banking malware to acquire elevated privileges over contaminated hosts.
Unit 42 mentioned it additional noticed an upgraded Python variant of NodeStealer that goes past credential and crypto theft by implementing anti-analysis options, parsing emails from Microsoft Outlook, and even trying to take over the related Fb account.
As soon as the mandatory data is collected, the recordsdata are exfiltrated by means of the Telegram API, after which they’re deleted from the machine to erase the path.
NodeStealer additionally joins the likes of malware like Ducktail which might be a part of a rising development of Vietnamese menace actors trying to break into Fb enterprise accounts for promoting fraud and propagating malware to different customers on the social media platform.
The event comes as menace actors have been noticed leveraging WebDAV servers to deploy BATLOADER, which is then used to distribute XWorm as a part of a multi-stage phishing assault.
“Fb enterprise account homeowners are inspired to make use of sturdy passwords and allow multi-factor authentication,” Rochberger mentioned. “Take the time to offer training on your group on phishing ways, particularly fashionable, focused approaches that play off present occasions, enterprise wants and different interesting subjects.”