New NodeStealer Focusing on Fb Enterprise Accounts and Crypto Wallets

Aug 01, 2023THNCryptocurrency / Malware


Cybersecurity researchers have unearthed a Python variant of a stealer malware NodeStealer that is geared up to completely take over Fb enterprise accounts in addition to siphon cryptocurrency.

Palo Alto Community Unit 42 stated it detected the beforehand undocumented pressure as a part of a marketing campaign that commenced in December 2022.

NodeStealer was first uncovered by Meta in Might 2023, describing it as a stealer able to harvesting cookies and passwords from internet browsers to compromise Fb, Gmail, and Outlook accounts. Whereas the prior samples have been written in JavaScript, the most recent variations are coded in Python.

“NodeStealer poses nice danger for each people and organizations,” Unit 42 researcher Lior Rochberger said. “In addition to the direct influence on Fb enterprise accounts, which is especially monetary, the malware additionally steals credentials from browsers, which can be utilized for additional assaults.”

The assaults begin with bogus messages on Fb that purportedly declare to supply free “skilled” price range monitoring Microsoft Excel and Google Sheets templates, tricking victims to obtain a ZIP archive file hosted on Google Drive.


The ZIP file embeds inside it the stealer executable that, apart from capturing Fb enterprise account info, is designed to obtain extra malware corresponding to BitRAT and XWorm within the type of ZIP information, disable Microsoft Defender Antivirus, and perform crypto theft by utilizing MetaMask credentials from Google Chrome, Cốc Cốc, and Courageous internet browsers.

The downloads are achieved via a Person Account Management (UAC) bypass method that employs the fodhelper.exe to execute PowerShell scripts that retrieve the ZIP information from a distant server.

It is price noting that the FodHelper UAC bypass technique has additionally been adopted by financially motivated risk actors behind the Casbaneiro banking malware to acquire elevated privileges over contaminated hosts.

Unit 42 stated it additional noticed an upgraded Python variant of NodeStealer that goes past credential and crypto theft by implementing anti-analysis options, parsing emails from Microsoft Outlook, and even making an attempt to take over the related Fb account.

As soon as the mandatory info is collected, the information are exfiltrated by the Telegram API, after which they’re deleted from the machine to erase the path.


NodeStealer additionally joins the likes of malware like Ducktail which are a part of a rising development of Vietnamese risk actors seeking to break into Fb enterprise accounts for promoting fraud and propagating malware to different customers on the social media platform.


The event comes as risk actors have been observed leveraging WebDAV servers to deploy BATLOADER, which is then used to distribute XWorm as a part of a multi-stage phishing assault.

“Fb enterprise account house owners are inspired to make use of robust passwords and allow multi-factor authentication,” Rochberger stated. “Take the time to offer schooling in your group on phishing ways, particularly fashionable, focused approaches that play off present occasions, enterprise wants and different interesting matters.”

Discovered this text attention-grabbing? Observe us on Twitter and LinkedIn to learn extra unique content material we publish.