The malware threat landscape: NodeStealer, DuckTail, and more

Security researchers detail persistent malware campaigns like NodeStealer and Ducktail that abuse browser extensions, ads, and social media to compromise business accounts and run unauthorized ads. They describe how these custom families persist, steal browser data, and exfiltrate data to a hard-coded C2 while adapting to takedowns. #NodeStealer #Ducktail

Keypoints

  • Ducktail and other campaigns target business users across multiple internet services (social platforms, ad networks, file-sharing, and hosting) to weather takedowns on any single service.
  • Ducktail’s evolution includes expanding platform targets (LinkedIn, major browsers, file-hosting), and, in its latest iteration, automatically granting ad-related permissions to accelerate operations before blocks.
  • Malware lures leverage trending topics (notably OpenAI’s ChatGPT, Bard, TikTok marketing) to entice users into downloading malicious extensions or software hosted on various services.
  • NodeStealer is a custom, JavaScript/Node.js-based malware designed to steal cookies and saved credentials from Chromium-based browsers to compromise Facebook, Gmail, and Outlook accounts.
  • NodeStealer’s persistence relies on a Run-key in the registry, and its data theft workflow decrypts browser data using a Local State key and win32crypt, then exfiltrates data to a hard-coded C2 server.
  • Exfiltration is performed via HTTP requests to a C2 domain (and related avatar URL) with Base64-encoded payloads, highlighting how attackers blend in with a victim’s session and IP
  • Defensive actions include public indicators, takedowns via registrars/hosts, cease-and-desist actions, and ongoing product/security improvements to raise the cost and lifecycle of malware campaigns.

MITRE Techniques

  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – The malware adds a Run key to execute on startup. ‘In this example, there is a new registry key added under “HKCU\Software\Microsoft\Windows\CurrentVersion\Run\<current file name>” to execute the malware upon startup.’
  • [T1555.003] Credentials from Web Browsers – The malware steals cookies and saved usernames/passwords from Chromium-based browsers and decrypts them to access Facebook, Gmail, and Outlook. ‘The malware then decrypts the sensitive data from the browser data stores… It will read the encrypted_key from the “Local State” file, Base64 decode it, and retrieve the decryption key by using the win32crypt Node.js library.’
  • [T1041] Exfiltration Over C2 Channel – The malware aggregates all stolen data into a JSON object, Base64-encodes it, and transmits it to the C2 server via an HTTP GET with the data in the Authorization header. ‘The malware aggregates the stolen data in a JSON object which is then Base64 encoded… makes a GET request to: hxxps://bot2q.advertiser-noreplysupport[.]dev/avatar.png, with the Base64 data placed in the “Authorization” HTTP header.’
  • [T1087] Account Discovery – The malware enumerates Facebook advertising account information by making API requests from the victim’s environment, masquerading as the legitimate user session. ‘The malware gains access to this information by making requests from the targeted user’s computer to the APIs used by our Facebook web and mobile apps…’
  • [T1036] Masquerading – The campaign uses cloaking to evade automated ad review systems and other defenses, attempting to appear legitimate and to dodge detection. ‘Similar to Ducktail, we’ve seen blocking and public reporting… they use cloaking in an attempt to circumvent automated ad review systems.’
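The T1041 entry above describes a distinctive exfiltration shape: a GET for an innocuous image URL whose Authorization header carries Base64-encoded JSON instead of an auth scheme. The following detection heuristic is an added example, not code from the original report; the function names, the sample requests and the JSON field names are constructed, and only the C2 host comes from the indicators on this page.

```python
import base64
import json
from urllib.parse import urlparse

KNOWN_SCHEMES = ("basic ", "bearer ", "digest ", "negotiate ", "ntlm ")
IMAGE_EXTS = (".png", ".jpg", ".jpeg", ".gif", ".ico")


def decode_base64_json(value):
    """Return the JSON object if value is Base64(JSON object), else None."""
    raw = value.strip()
    if not raw or raw.lower().startswith(KNOWN_SCHEMES):
        return None  # a recognised auth scheme, not a smuggled blob
    try:
        decoded = base64.b64decode(raw + "=" * (-len(raw) % 4), validate=True)
        obj = json.loads(decoded.decode("utf-8"))
    except ValueError:  # covers binascii.Error, UnicodeDecodeError, JSONDecodeError
        return None
    return obj if isinstance(obj, dict) else None


def score_request(method, url, authorization, known_c2=()):
    """Return the reasons (possibly none) a request resembles NodeStealer exfiltration."""
    parsed = urlparse(url)
    host, path = (parsed.hostname or "").lower(), parsed.path.lower()
    reasons = []
    if any(host == d or host.endswith("." + d) for d in known_c2):
        reasons.append("host matches a published C2 indicator")
    if decode_base64_json(authorization) is not None:
        reasons.append("Authorization header is Base64-encoded JSON, not an auth scheme")
        if method.upper() == "GET" and path.endswith(IMAGE_EXTS):
            reasons.append("JSON blob smuggled on a GET for an image resource")
    return reasons


def scan_requests(requests, known_c2=()):
    """Run score_request over (method, url, authorization) tuples; return alerts."""
    return [(url, r) for method, url, auth in requests
            if (r := score_request(method, url, auth, known_c2))]


def _b64_json(obj):  # helper to build the constructed sample headers below
    return base64.b64encode(json.dumps(obj).encode()).decode()


# Constructed sample traffic (not captured data); only the C2 host is from the report.
SAMPLE_REQUESTS = [
    ("GET", "https://cdn.example.com/avatar.png", "Bearer eyJhbGciOiJIUzI1NiJ9.e30.sig"),
    ("GET", "https://bot2q.advertiser-noreplysupport.dev/avatar.png",
     _b64_json({"browser": "chrome", "cookies": ["c_user=1; xs=2"]})),
    ("POST", "https://api.example.com/login", "Basic dXNlcjpwYXNz"),
    ("GET", "https://img.example.net/logo.gif", _b64_json({"host": "PC-1", "data": "x"})),
]
```

Feeding `scan_requests(SAMPLE_REQUESTS, ("advertiser-noreplysupport.dev",))` flags the second and fourth requests; the fourth shows that the header heuristic still fires once the attacker rotates to a domain not yet on any indicator list.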

Indicators of Compromise

  • [Domain] bot2q.advertiser-noreplysupport.dev – C2 domain used by malware to exfiltrate data.
  • [Domain] advertiser-noreplysupport.dev – related domain involved in C2 infrastructure.
  • [IP Address] 15.235.187.170 – OVH VPS IP to which the C2 domain resolved.
  • [URL] https://bot2q.advertiser-noreplysupport.dev/avatar.png – URL used to transmit exfiltrated data in a Base64 payload.
  • [File] NodeStealer.exe disguised as PDF – Windows executable used for the malware’s delivery/execution vector.

Read more: https://engineering.fb.com/2023/05/03/security/malware-nodestealer-ducktail/