
NodeStealer: New Information-stealing Threat Terminated by Facebook

A new information-stealing malware, named NodeStealer, has been discovered by Facebook. It can steal browser cookies to hijack accounts on the platform, as well as Outlook and Gmail accounts. Furthermore, it allows its operator to bypass 2FA.

About the campaign

Facebook's engineers first spotted the NodeStealer malware in late January and attributed the attacks to Vietnamese threat actors.
  • The criminals aim to hijack a Facebook account's ability to run advertising campaigns, which they then use to push misinformation or lead audiences to sites spreading malware.
  • The malware steals cookies and the account credentials saved in popular web browsers, including Google Chrome, Brave, Edge, and Opera.
  • NodeStealer spreads as a Windows executable (46–51 MB in size) that impersonates a PDF or Excel document, with a file name chosen to pique users' curiosity.

Features of NodeStealer

The malware is written in JavaScript and runs under Node[.]js, which lets it execute on multiple operating systems.
  • This also makes the malware stealthier: nearly all AV engines on VirusTotal failed to flag the stealer as malicious.
  • After launch, it uses the Node[.]js auto-launch module to add a new registry key, giving it persistence across reboots.
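As an added example (not code from Meta's report or from this article), the following Python triage heuristic scores Windows Run-key autorun entries against the traits described above: a Node.js runtime launched at logon, an executable whose name mimics a PDF or Excel document, and a binary in the 46–51 MB band. The Run-key location, the helper names and the sample entries are assumptions and constructed data.

```python
import re
from typing import List, NamedTuple, Tuple

class RunEntry(NamedTuple):
    name: str       # registry value name under the Run key
    command: str    # command line stored in the value
    size_mb: float  # on-disk size of the launched binary (resolved by the collector)

# Constructed sample entries, not real telemetry. Assumption: the Node.js
# auto-launch persistence described in the article lands as a value under
# HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
RUN_ENTRIES = [
    RunEntry("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background', 3.1),
    RunEntry("Update", r'"C:\Users\alice\AppData\Roaming\Update\node.exe" "C:\Users\alice\AppData\Roaming\Update\index.js"', 47.8),
    RunEntry("Q1_Report", r'"C:\Users\alice\Downloads\Q1_Report.pdf.exe"', 49.2),
    RunEntry("Teams", r'"C:\Program Files\Teams\Teams.exe" --autostart', 48.0),
]

DOC_EXTS = {"pdf", "xls", "xlsx", "doc", "docx"}
SIZE_BAND_MB = (46.0, 51.0)  # dropper size band reported in the article

def _launched_binary(command: str) -> str:
    """Return the lower-cased basename of the first token of a command line."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', command)
    path = (m.group(1) or m.group(2)) if m else ""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def triage_run_entry(entry: RunEntry) -> List[str]:
    """Return the reasons an autorun entry looks like NodeStealer-style persistence."""
    reasons = []
    binary = _launched_binary(entry.command)
    if binary in ("node.exe", "node"):
        reasons.append("autorun launches the Node.js runtime")
    stem, _, ext = binary.rpartition(".")
    if ext == "exe" and stem.rsplit(".", 1)[-1] in DOC_EXTS:
        reasons.append("executable named to mimic a document (double extension)")
    # Size alone is too noisy (many legitimate apps are this big); it only
    # strengthens a finding that already has a stronger indicator.
    if reasons and SIZE_BAND_MB[0] <= entry.size_mb <= SIZE_BAND_MB[1]:
        reasons.append("binary size falls in the 46-51 MB band reported for NodeStealer")
    return reasons

def triage_autoruns(entries: List[RunEntry]) -> List[Tuple[str, List[str]]]:
    """Return (value name, reasons) for every entry that raised at least one reason."""
    return [(e.name, r) for e in entries if (r := triage_run_entry(e))]

if __name__ == "__main__":
    for name, reasons in triage_autoruns(RUN_ENTRIES):
        print(f"{name}: {'; '.join(reasons)}")
```

Feed it the real Run-key values from an endpoint collector and the size of each launched binary; a hit on the Node.js or double-extension rule is worth a closer look, while the size band on its own is deliberately ignored.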

Reconnaissance and escaping detection

Browsers store cookies and credentials encrypted in their SQLite databases. NodeStealer reverses that protection by obtaining the Base64-encoded decryption key from the Chromium Local State file.
  • If the stealer finds cookies or credentials for Facebook accounts, it begins an account reconnaissance phase in which it abuses the Facebook API to extract details about the breached accounts.
  • To bypass Facebook's anti-abuse systems, the stealer issues these requests from behind the victim's IP address and uses cookie values and system configuration to present itself as a genuine user.

Conclusion

Facebook has already taken action against the NodeStealer campaign and disrupted the attacks. However, social media users are advised to stay vigilant and aware of such threats. Further, the tech firm has provided IOCs for NodeStealer and other malware, which organizations can use to protect themselves.
Cyware Publisher