
New Variants of NodeStealer Found Infecting Facebook Business Accounts

Facebook accounts are once again at risk as researchers have encountered two new variants of the NodeStealer malware. These variants were part of phishing attacks launched in December 2022. While the campaign is no longer active, Palo Alto's Unit 42 researchers believe there may be ongoing effects for previously compromised organizations.

Attack process

  • Threat actors used multiple Facebook business pages and user profiles to post material related to the respective businesses.
  • These posts lured victims into following a download link hosted on known cloud file storage providers.
  • Clicking the link downloaded a .zip file which, when opened, resulted in the execution of NodeStealer.

About the variants

  • Written in Python, the NodeStealer variants steal users' information by taking complete control over Facebook Business accounts.
  • These variants can download additional malware, pilfer browser data, and maximize financial gain by stealing MetaMask credentials from the Chrome, Cốc Cốc, and Brave browsers.
  • They include several anti-analysis capabilities, such as disabling Windows Defender, to stay under the radar during the infection process.

Attribution

  • Researchers suspect Vietnam-based threat actors are behind the new NodeStealer variants. The first indication is that the Python scripts contain text written in Vietnamese.
  • The second indication is that the attackers are known for targeting the Cốc Cốc browser, which is widely used in Vietnam.
  • In addition, the attackers attempt to purchase an online mailbox service from two different Vietnamese websites, a feature associated with the second variant of NodeStealer.

Conclusion

The latest campaign adds to the growing trend of threat actors targeting Facebook accounts. This type of attack can cause both financial and reputational damage to individuals and organizations. Facebook business account owners are encouraged to use strong passwords and to enable MFA.
Cyware Publisher