📃Title: Python-Based NodeStealer Version Targets Facebook Ads Manager
📅Date: 2024-12-19
🔗References:
Description
The latest variant of NodeStealer has evolved from JavaScript to Python, expanding its data theft capabilities. Trend Micro’s MXDR team uncovered this advanced version in a campaign targeting a Malaysian educational institution, linked to a Vietnamese threat group. The malware now targets Facebook Ads Manager accounts, stealing critical financial and business information alongside credit card details and browser data. The infection begins with a spear-phishing email containing a malicious link, which downloads and installs the malware disguised as a legitimate application. Sophisticated techniques like DLL sideloading and encoded PowerShell commands are used to bypass security and execute the final payload, exfiltrating data via Telegram.
🔖Rectifyq Taxonomies:
- relevancy: 🔴 Highly Relevant
- category: ⚔Threat
- sub-category: intrusion-analysis
- target: targeted
- MY-relevancy: relevant
🔖MISP Galaxies:
- producer="Trend-Micro"
- target-information="Malaysia"
- sector="Education"
- malpedia="NodeStealer"
- malpedia="Raspberry Robin"
- country="vietnam"
- mitre-attack-pattern=['T1053.005', 'T1056.001', 'T1114.001', 'T1566.002', 'T1005', 'T1140', 'T1041', 'T1059.001', 'T1547.001', 'T1027', 'T1071.001', 'T1574.002', 'T1204.001', 'T1059.006']
MISP event uuid: b84131c5-e0d4-406c-96f6-fd36461f0780
Indicators of Compromise (IoCs)
type,value,comment
sha256, 786db3ddf2a471516c832e44b0d9a230674630c6f99d3e61ada6830726172458, 'No sample in VT. Last check: 02/05/2025'
url, https://t.ly/MRAbJ, 'Malicious download link'
url, http://88.216.99.5:15707/entry.txt, ''
Full IoCs available in Rectifyq's MISP