A new phishing campaign disseminating a Python version of NodeStealer was discovered by Palo Alto Networks' Unit 42. The malicious code sought to take over Facebook business accounts and siphon money from cryptocurrency wallets.
Experts have been keeping an eye on this threat since December 2022, according to a blog post from August 1, and they have noticed attackers luring victims with phishing emails that offer practical business tools like spreadsheet templates.
NodeStealer is a recently identified information-stealing malware, first disclosed by Meta, that gives attackers access to accounts on numerous platforms, including Facebook, Gmail, and Outlook, and steals browser cookies.
The first variant discovered by Palo Alto Networks is capable of downloading additional malware, disabling Windows Defender via a graphical user interface, and stealing money from the MetaMask cryptocurrency wallet using credentials taken from the Google Chrome, Edge, and Firefox web browsers, among other things.
NodeStealer collects a variety of data about the target, including follower counts, user verification statuses, account credit balances, prepaid account statuses, and information about advertisements.
The second variant, also discovered by Unit 42, adds the ability to parse emails from Microsoft Outlook, exfiltrate data via Telegram, and hijack Facebook accounts, along with anti-analysis capabilities.
The original variant, written in JavaScript and running on the Node.js runtime, was made public by Meta in May. Because Node.js is cross-platform, the malware can operate on Windows, Linux, and macOS. The malware is believed to originate from Vietnam and to have been distributed by threat actors based there.
The social network company acted in May to stop the malware campaign and help victims get their accounts back.
NodeStealer can steal browser credentials, which could be used for additional attacks, posing a serious threat to both individuals and organizations.
A download link included in the phishing emails points users to a .zip archive stored on a reputable cloud file storage service, such as Google Drive. An executable that steals information is hidden inside the .zip file.
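The delivery chain described above (a lure email linking to an archive on a legitimate file host, with an executable inside) is something a mail gateway or SOC triage script can check for before a user ever opens the file. The following is an added example for defenders, not code from Unit 42, Meta, or the NodeStealer campaign: the list of cloud file hosts, the sample email, and the in-memory archive are all constructed for the demonstration, and the placeholder file ID stands in for whatever a real link would carry.

```python
"""Triage a suspected 'attachment by link' phishing mail: flag links to
cloud file hosts, then inspect the fetched archive for executables that
masquerade as the promised business document.

Added example, not code from the original article or from Unit 42."""
import io
import re
import zipfile
from typing import Optional
from urllib.parse import urlparse

# Legitimate file-sharing hosts that campaigns abuse to host payloads.
# Assumed list for this example; extend it with what your gateway observes.
CLOUD_FILE_HOSTS = {
    "drive.google.com", "docs.google.com",
    "www.dropbox.com", "dropbox.com",
    "onedrive.live.com", "1drv.ms",
}
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".msi", ".bat", ".cmd", ".js", ".vbs")
DOCUMENT_EXTENSIONS = {"xlsx", "xls", "docx", "doc", "pdf", "csv"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def cloud_storage_links(email_body: str) -> list:
    """Return every link in the body that points at a cloud file host.
    Linking to the payload instead of attaching it sidesteps attachment
    scanning, so the linked object should be fetched and inspected."""
    links = []
    for url in URL_RE.findall(email_body):
        host = (urlparse(url).hostname or "").lower()
        if host in CLOUD_FILE_HOSTS:
            links.append(url)
    return links


def inspect_archive(archive_bytes: bytes) -> list:
    """Report archive members that look executable, judged by extension or
    by the 'MZ' PE header, and note document-style double extensions such
    as 'Template.xlsx.exe' that imitate the spreadsheet the lure promised."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            lower = info.filename.lower()
            with zf.open(info) as member:
                magic = member.read(2)
            by_ext = lower.endswith(EXECUTABLE_EXTENSIONS)
            by_magic = magic == b"MZ"
            if not (by_ext or by_magic):
                continue
            parts = lower.rsplit("/", 1)[-1].split(".")
            findings.append({
                "name": info.filename,
                "pe_header": by_magic,
                # PE bytes behind a non-executable name is its own red flag
                "extension_mismatch": by_magic and not by_ext,
                "double_extension": len(parts) >= 3 and parts[-2] in DOCUMENT_EXTENSIONS,
                "size": info.file_size,
            })
    return findings


def triage(email_body: str, fetched_archive: Optional[bytes]) -> dict:
    """Combine both checks into one verdict for the message."""
    links = cloud_storage_links(email_body)
    payloads = inspect_archive(fetched_archive) if fetched_archive else []
    if links and payloads:
        verdict = "block"    # cloud-hosted archive delivering an executable
    elif links:
        verdict = "review"   # cloud-storage link whose payload was not inspected
    else:
        verdict = "allow"
    return {"links": links, "executables": payloads, "verdict": verdict}


# --- constructed sample data; not taken from the real campaign -------------
SAMPLE_EMAIL = """Hi team,
The updated Q3 budget spreadsheet templates are shared here:
https://drive.google.com/file/d/EXAMPLE_FILE_ID/view?usp=sharing
Regards, Finance"""


def build_sample_archive() -> bytes:
    """Build an in-memory .zip mimicking the lure: a 'template' whose real
    extension is .exe and whose first bytes are a PE header. Inert bytes only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Q3_Budget_Template.xlsx.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("README.txt", b"Open the template to get started.")
    return buf.getvalue()


if __name__ == "__main__":
    result = triage(SAMPLE_EMAIL, build_sample_archive())
    print(result["verdict"])
    for item in result["executables"]:
        print(item)
```

The two checks are deliberately separate: a link to Google Drive is common in legitimate mail and only merits review, while a cloud-hosted archive whose member carries a PE header under a document-looking name is the combination the article describes and is what tips the verdict to block.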
To protect against NodeStealer and all of its variants, organizations must review their protection policies and pay attention to the indicators of compromise (IoCs) provided by Unit 42, according to Anil Valluri, MD and VP, India and SAARC, Palo Alto Networks. It is crucial to take proactive steps to educate employees about contemporary phishing techniques that take advantage of business requirements, current events, and other alluring topics.