“Python NodeStealer Unveils Advanced Techniques to Target Facebook Ads Manager”

Netskope Threat Labs described NodeStealer, a Python-based infostealer that targets Facebook business accounts and Facebook Ads Manager to harvest credentials, cookies, and other sensitive data. The malware also exfiltrates credit card and Ads Manager budget details, uses Windows Restart Manager and junk-code obfuscation to evade detection, and sends stolen data via Telegram. #NodeStealer #FacebookAdsManager

Key points

  • NodeStealer targets Facebook business accounts and collects browser credentials and cookie data.
  • New variants extract budget details from Facebook Ads Manager accounts.
  • Can steal credit card information in addition to browser-stored credentials.
  • Uses Windows Restart Manager to unlock locked browser database files for access.
  • Implements junk code to increase executable size and evade detection.
  • Employs batch scripts to dynamically generate and execute the Python payload.
  • Exfiltrates stolen data via Telegram, including victim IP address and hostname.
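The last point, exfiltration over Telegram, is the one a defender can most readily turn into a detection: the Telegram Bot API is reached over plain HTTPS at api.telegram.org, with URLs of the form /bot<id>:<token>/<method>, so outbound proxy logs show the bot token and the send* method used to push data out. The script below is an added example written for this summary, not code from the Netskope report or from NodeStealer itself. It assumes a simple whitespace-separated proxy log (timestamp, source host, source IP, HTTP verb, URL, user agent), constructed sample lines with made-up hostnames and a made-up bot token, and an allowlist of hosts that legitimately run Telegram bots; it flags every other host that calls a Bot API send* method and redacts the token before reporting, so the finding can be shared without leaking the credential.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

TELEGRAM_API_HOST = "api.telegram.org"
# Telegram Bot API calls look like /bot<id>:<token>/<method>; the send* methods
# (sendMessage, sendDocument, ...) are the ones that push data to a chat.
BOT_API_PATH = re.compile(
    r"^/bot(?P<bot_id>\d+):(?P<token>[A-Za-z0-9_-]+)/(?P<method>send[A-Za-z]+)$"
)

# Constructed sample proxy log lines (hostnames, IPs and the bot token are invented):
# timestamp  source_host  source_ip  verb  url  user_agent
SAMPLE_PROXY_LOG = """\
2024-11-20T10:01:12Z WS-0412 10.0.5.17 GET https://www.facebook.com/adsmanager/ Mozilla/5.0
2024-11-20T10:01:40Z WS-0412 10.0.5.17 POST https://api.telegram.org/bot123456789:AAExampleTokenValue/sendDocument python-requests/2.31.0
2024-11-20T10:02:03Z WS-0412 10.0.5.17 POST https://api.telegram.org/bot123456789:AAExampleTokenValue/sendMessage python-requests/2.31.0
2024-11-20T10:03:15Z CHATOPS-01 10.0.9.3 POST https://api.telegram.org/bot987654321:AAChatOpsBotToken/sendMessage Go-http-client/1.1
2024-11-20T10:04:00Z WS-0418 10.0.5.23 GET https://api.telegram.org/ Mozilla/5.0
"""


@dataclass(frozen=True)
class Finding:
    timestamp: str
    src_host: str
    src_ip: str
    redacted_url: str
    method: str
    python_client: bool  # user agent looks like a Python HTTP library (weak signal, matches the report's Python payload)


def parse_proxy_line(line):
    """Split one log line into its six fields; return None for malformed lines."""
    parts = line.split(maxsplit=5)
    if len(parts) != 6:
        return None
    ts, host, ip, verb, url, ua = parts
    return {"timestamp": ts, "src_host": host, "src_ip": ip,
            "verb": verb, "url": url, "user_agent": ua}


def classify_bot_api_url(url):
    """Return (bot_id, method, redacted_url) for a Telegram Bot API send* call, else None."""
    parts = urlsplit(url)
    if parts.hostname != TELEGRAM_API_HOST:
        return None
    m = BOT_API_PATH.match(parts.path)
    if not m:
        return None
    # Never copy the token into an alert: it is a live credential for the attacker's bot.
    redacted = f"{parts.scheme}://{parts.hostname}/bot{m['bot_id']}:<redacted>/{m['method']}"
    return m["bot_id"], m["method"], redacted


def detect_telegram_exfil(log_text, allowed_hosts=frozenset()):
    """Flag Bot API send* calls from hosts not on the allowlist of sanctioned bot runners."""
    findings = []
    for raw in log_text.splitlines():
        rec = parse_proxy_line(raw)
        if rec is None:
            continue
        hit = classify_bot_api_url(rec["url"])
        if hit is None or rec["src_host"] in allowed_hosts:
            continue
        _, method, redacted = hit
        findings.append(Finding(
            timestamp=rec["timestamp"],
            src_host=rec["src_host"],
            src_ip=rec["src_ip"],
            redacted_url=redacted,
            method=method,
            python_client=rec["user_agent"].lower().startswith("python-"),
        ))
    return findings


if __name__ == "__main__":
    # CHATOPS-01 is the only host sanctioned to talk to a Telegram bot in this constructed environment.
    for f in detect_telegram_exfil(SAMPLE_PROXY_LOG, allowed_hosts=frozenset({"CHATOPS-01"})):
        print(f"{f.timestamp} {f.src_host} ({f.src_ip}) -> {f.redacted_url}"
              f"{'  [python client]' if f.python_client else ''}")
```

On the sample data the two POSTs from WS-0412 are reported (sendDocument, then sendMessage), the sanctioned CHATOPS-01 bot is suppressed by the allowlist, and the plain GET to the API root is ignored because it carries no bot path. The user-agent flag is deliberately only annotation, not a filter: the report describes a Python payload, but a user agent is trivially changed, so the alert should fire on the Bot API call itself and treat the client string as supporting context.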

MITRE Techniques

  • [T1003] Credential Dumping – Collects credentials stored in browsers and cookies.
  • [T1213] Data from Information Repositories – Targets Facebook Ads Manager to collect budget details.
  • [T1203] Exploitation for Client Execution – Uses Windows Restart Manager to unlock database files.
  • [T1486] Data Encrypted for Impact – Exfiltrates data using Telegram.
  • [T1027] Obfuscated Files or Information – Adds junk code to evade detection.
  • [T1071] Command and Control – Utilizes Telegram for data exfiltration.

Indicators of Compromise

  • [None reported] The article did not list specific IoCs – no IP addresses, file hashes, domains, or filenames were provided.

Read more: https://www.netskope.com/blog/python-nodestealer-targets-facebook-ads-manager-with-new-techniques