{
  "name": "Python-Based NodeStealer Version Targets Facebook Ads Manager",
  "slug": "python-based-nodestealer-version-targets-facebook-ads-manager",
  "description": "The latest variant of NodeStealer has evolved from JavaScript to Python, expanding its data theft capabilities. Trend Micro's MXDR team uncovered this advanced version in a campaign, attributed to a Vietnamese threat group, that targeted a Malaysian educational institution. The malware now targets Facebook Ads Manager accounts, stealing critical financial and business information alongside credit card details and browser data. The infection begins with a spear-phishing email containing a malicious link; following it downloads and installs the malware disguised as a legitimate application. Techniques such as DLL sideloading and encoded PowerShell commands are used to evade security controls and execute the final payload, which exfiltrates data via Telegram.",
  "published": "2024-12-19T11:56:34+00:00",
  "created_at": "2024-12-19T11:56:34+00:00",
  "modified_at": "2024-12-19T12:39:36+00:00",
  "created_at_opencti": "2024-12-19T11:56:34+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2024-12-19",
    "data exfiltration",
    "dll sideloading",
    "facebook ads manager",
    "infostealer",
    "nodestealer",
    "python",
    "spear-phishing",
    "telegram"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "f813da93eed9c536154a6da5f38462bfb4ed80c85dd117c3fd681cf4790fbf71"
      },
      {
        "id": "",
        "name": "ed1c48542a3e58020bd624c592f6aa7f7868ee16fbb03308269d44c4108011b1"
      },
      {
        "id": "",
        "name": "786db3ddf2a471516c832e44b0d9a230674630c6f99d3e61ada6830726172458"
      },
      {
        "id": "",
        "name": "1c9c7bb07acb9d612af2007cb633a6b1f569b197b1f93abc9bd3af8593e1ec66"
      },
      {
        "id": "",
        "name": "0b1866b627d8078d296e7d39583c9f856117be79c1d226b8c9378fe075369118"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:7cd451c52c8af256",
        "name": "NodeStealer",
        "slug": "nodestealer"
      }
    ],
    "intrusion_sets": [
      {
        "id": "c7a66e55-9c07-4dbb-a96a-cd536bbc6b0e",
        "name": "Vietnamese threat group",
        "slug": "vietnamese-threat-group"
      }
    ],
    "attack_patterns": [
      {
        "id": "25792a4b-d837-4423-bb77-e15f98c9b0f9",
        "name": "T1114.001"
      },
      {
        "id": "40f0d8e3-bcd7-4b97-a958-f55815698fc5",
        "name": "T1053.005"
      },
      {
        "id": "e8422fc8-8365-4a6a-a556-d6ec16cb4e5d",
        "name": "T1574.002"
      },
      {
        "id": "16e4fc82-7c0b-4d1a-b784-b804b4df26dc",
        "name": "T1204.001"
      },
      {
        "id": "32b33067-6566-4b8d-be80-e96f765d84de",
        "name": "T1059.001"
      },
      {
        "id": "52b92395-d3d3-4e05-976a-0fccccfce8d2",
        "name": "T1566.002"
      },
      {
        "id": "5999052b-e9ae-49e8-9235-d9bf975c22af",
        "name": "T1547.001"
      },
      {
        "id": "667462db-9031-48eb-893a-05d35f9330a7",
        "name": "T1056.001"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "97d377d8-89c7-48f8-a79f-0f48bd60df74",
        "name": "T1005"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "fa3b8b48-d97c-4242-83a6-07d435a5a79e",
        "name": "T1041"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Malaysia"
      },
      {
        "id": "",
        "name": "Education"
      }
    ]
  },
  "external_refs": [
    "https://www.trendmicro.com/en_us/research/24/l/python-based-nodestealer.html",
    "https://otx.alienvault.com/pulse/676418026e68c8c9a7e3c605"
  ]
}