Python-Based NodeStealer Version Targets Facebook Ads Manager
Essential information
- Published: 19/12/2024 12:56
- Modified: 19/12/2024 13:39
- Tags: 2024-12-19, data exfiltration, dll sideloading, facebook ads manager, infostealer, nodestealer, python, spear-phishing, telegram
- Related entities: 5 observables, 1 intrusion set (APT), 13 techniques (MITRE), 1 malware, 2 others
Description
The latest variant of NodeStealer has evolved from JavaScript to Python, expanding its data theft capabilities. Trend Micro's MXDR team uncovered this advanced version in a campaign targeting a Malaysian educational institution, linked to a Vietnamese threat group. The malware now targets Facebook Ads Manager accounts, stealing critical financial and business information alongside credit card details and browser data. The infection begins with a spear-phishing email containing a malicious link, which downloads and installs the malware disguised as a legitimate application. Sophisticated techniques like DLL sideloading and encoded PowerShell commands are used to bypass security and execute the final payload, exfiltrating data via Telegram.