Full Report
Threat hunters are warning about an updated version of the Python-based NodeStealer that's now equipped to extract more information from victims' Facebook Ads Manager accounts and harvest credit card data stored in web browsers. "They collect budget details of Facebook Ads Manager accounts of their victims, which might be a gateway for Facebook malvertisement," Netskope Threat Labs researcher
Analysis Summary
# Tool/Technique: NodeStealer (Updated Version)
## Overview
NodeStealer is an evolving malware, currently in a Python-based iteration, primarily designed to hijack victims' Facebook accounts, specifically targeting data from Facebook Ads Manager and web browser credential stores, including credit card information. The ultimate goal appears to be enabling sophisticated malvertising campaigns.
## Technical Details
- Type: Malware family (Stealer)
- Platform: Windows (implied by use of Windows Restart Manager)
- Capabilities: Information theft (Facebook Ads data, browser cookies, credit card data), evasion techniques, Telegram exfiltration.
- First Seen: First publicly documented in May 2023 (as JavaScript malware); the Python version is the subject of the updated analysis.
## MITRE ATT&CK Mapping
- TA0010 - Exfiltration
  - T1041 - Exfiltration Over C2 Channel (implied; uses Telegram)
- TA0005 - Defense Evasion
  - T1027 - Obfuscated Files or Information (junk code added to the script)
- TA0001 - Initial Access (context suggests propagation via malvertising)
  - T1588.002 - Obtain Capabilities: Tool
- TA0009 - Collection
  - T1555.003 - Credentials from Web Browsers
- TA0003 - Persistence
  - T1547.001 - Registry Run Keys / Startup Folder (implied by batch execution of the Python script)
## Functionality
### Core Capabilities
- **Facebook Data Harvesting:** Collects budget details from Facebook Ads Manager accounts, leveraging collected browser cookies to generate access tokens via `adsmanager.facebook[.]com` and interact with the Facebook Graph API.
- **Browser Stealing:** Aims to siphon credit card data stored in various web browsers.
- **Evasion:** Incorporates junk code into the Python script and uses a batch script for dynamic execution.
- **Geo-Fencing:** Explicitly checks for and avoids infecting machines located in Vietnam to evade local law enforcement.
### Advanced Features
- **Browser Database Unlocking:** Uses the legitimate **Windows Restart Manager** utility to unlock SQLite database files used by browsers, facilitating data access.
- **Exfiltration via Telegram:** Uses the Telegram messaging platform for data exfiltration, leveraging it as a key vector.
## Indicators of Compromise
- File Hashes: [Not provided in the source]
- File Names: [Not provided in the source]
- Registry Keys: [Not provided in the source]
- Network Indicators: Utilizes `adsmanager.facebook[.]com` for initial token generation; uses Telegram for exfiltration.
- Behavioral Indicators:
  - Execution of Python scripts dynamically generated via a batch file.
  - Use of `RstrtMgr.dll` or associated Restart Manager functions to unlock proprietary database files.
  - Communication flows potentially linking to Telegram services for data uploads.
## Associated Threat Actors
- Assessed to be developed by **Vietnamese threat actors** who focus on hijacking Facebook advertising and business accounts.
## Detection Methods
- Signature-based detection: Signatures can be built from the final Python artifacts once hashes or byte patterns are available (none are given in the source).
- Behavioral detection: Monitoring for the execution of batch scripts that launch Python scripts, specific API calls related to Windows Restart Manager targeting SQLite files, and outbound communication to Telegram endpoints.
- YARA rules: [Not available in the source]
## Mitigation Strategies
- **Principle of Least Privilege:** Restricting application permissions to prevent unauthorized access to browser data directories and SQLite files.
- **Endpoint Detection & Response (EDR):** Monitoring for suspicious process lineage (batch script spawning Python) and unusual use of system utilities like Windows Restart Manager by non-standard executables.
- **Security Training:** Educating users about the dangers of malvertising campaigns that mimic legitimate software (e.g., the noted Bitwarden campaign).
- **Geographical Restrictions:** The malware's own check that skips machines in Vietnam is an attacker-side choice, not a control; location-based assumptions should not be relied upon, as evasion tactics evolve.
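The behavioral detection bullet above and the EDR monitoring point (batch script spawning Python, Restart Manager used by a non-standard executable, Telegram egress) can be expressed as a small correlation over endpoint telemetry. The following is an added example written for this summary, not code from Netskope or from the NodeStealer analysis; the event schema, the allowlist of processes that routinely load `RstrtMgr.dll`, the `telegram.org` domain match, and every sample record are constructed assumptions to be tuned against real EDR data.

```python
"""Correlate endpoint telemetry for the NodeStealer behaviours named in the report:
a .bat that writes and launches a Python script, Python loading the Windows Restart
Manager DLL (RstrtMgr.dll), and outbound connections to Telegram.
Event schema and all sample records are constructed for this example."""
from collections import defaultdict

RESTART_MANAGER_DLL = "rstrtmgr.dll"
TELEGRAM_DOMAIN = "telegram.org"  # assumption: Bot API hosts sit under telegram.org
# Assumption: processes for which loading RstrtMgr.dll is routine; tune per environment.
RESTART_MANAGER_ALLOWLIST = {"msiexec.exe", "tiworker.exe", "trustedinstaller.exe", "explorer.exe"}

SIGNAL_BATCH_PYTHON = "batch_spawns_python"
SIGNAL_BATCH_WRITTEN_SCRIPT = "python_runs_script_written_by_batch"
SIGNAL_RSTRTMGR = "restart_manager_loaded_by_nonstandard_process"
SIGNAL_TELEGRAM = "telegram_egress"


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_python(image):
    return basename(image).startswith("python")


def score_events(events):
    """Walk events in order; return {pid: {"image": str, "signals": set}} for every
    process that trips at least one behavioural signal."""
    findings = defaultdict(lambda: {"image": "", "signals": set()})
    scripts_written_by_batch = set()  # .py paths created by a cmd.exe that is running a .bat

    def hit(pid, image, signal):
        findings[pid]["image"] = image
        findings[pid]["signals"].add(signal)

    for ev in events:
        pid, image, kind = ev["pid"], ev.get("image", ""), ev["type"]
        if kind == "file_create":
            if (basename(image) == "cmd.exe" and ".bat" in ev.get("cmdline", "").lower()
                    and ev["target"].lower().endswith(".py")):
                scripts_written_by_batch.add(ev["target"].lower())
        elif kind == "process_create":
            if not is_python(image):
                continue
            if basename(ev.get("parent_image", "")) == "cmd.exe" and ".bat" in ev.get("parent_cmdline", "").lower():
                hit(pid, image, SIGNAL_BATCH_PYTHON)
            cmdline = ev.get("cmdline", "").lower()
            if any(path in cmdline for path in scripts_written_by_batch):
                hit(pid, image, SIGNAL_BATCH_WRITTEN_SCRIPT)
        elif kind == "image_load":
            if basename(ev["loaded"]) == RESTART_MANAGER_DLL and basename(image) not in RESTART_MANAGER_ALLOWLIST:
                hit(pid, image, SIGNAL_RSTRTMGR)
        elif kind == "network_connect":
            host = ev.get("dest_host", "").lower()
            if host == TELEGRAM_DOMAIN or host.endswith("." + TELEGRAM_DOMAIN):
                hit(pid, image, SIGNAL_TELEGRAM)
    return {pid: {"image": f["image"], "signals": f["signals"]} for pid, f in findings.items()}


def severity(signals):
    """Stack the signals: the full chain is high, partial overlap medium, a lone signal low."""
    n = len(signals)
    return "high" if n >= 3 else "medium" if n == 2 else "low"


def alerts(events):
    """Return [(pid, severity, sorted signal names)], most severe first."""
    rank = {"high": 0, "medium": 1, "low": 2}
    out = [(pid, severity(f["signals"]), sorted(f["signals"])) for pid, f in score_events(events).items()]
    return sorted(out, key=lambda a: (rank[a[1]], a[0]))


# Constructed sample telemetry in a Sysmon-like shape (not real IoCs).
TEMP = r"C:\Users\victim\AppData\Local\Temp"
SAMPLE_EVENTS = [
    # Benign: an installer loads RstrtMgr.dll, which is its normal job.
    {"type": "image_load", "pid": 410, "image": r"C:\Windows\System32\msiexec.exe",
     "loaded": r"C:\Windows\System32\RstrtMgr.dll"},
    # Suspicious chain: cmd.exe running a .bat writes a .py, spawns Python on it,
    # Python loads RstrtMgr.dll and then talks to Telegram.
    {"type": "file_create", "pid": 4999, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": f'cmd.exe /c "{TEMP}\\run.bat"', "target": f"{TEMP}\\a1b2.py"},
    {"type": "process_create", "pid": 5012, "ppid": 4999, "image": f"{TEMP}\\python.exe",
     "cmdline": f'python.exe "{TEMP}\\a1b2.py"', "parent_image": r"C:\Windows\System32\cmd.exe",
     "parent_cmdline": f'cmd.exe /c "{TEMP}\\run.bat"'},
    {"type": "image_load", "pid": 5012, "image": f"{TEMP}\\python.exe",
     "loaded": r"C:\Windows\System32\RstrtMgr.dll"},
    {"type": "network_connect", "pid": 5012, "image": f"{TEMP}\\python.exe",
     "dest_host": "api.telegram.org", "dest_port": 443},
    # Benign: a developer runs Python from a terminal; no DLL load, no Telegram.
    {"type": "process_create", "pid": 6100, "ppid": 6000, "image": r"C:\Python312\python.exe",
     "cmdline": r"python.exe C:\dev\build.py", "parent_image": r"C:\Windows\System32\WindowsTerminal.exe",
     "parent_cmdline": "WindowsTerminal.exe"},
    # Single weak signal: a non-allowlisted editor loads RstrtMgr.dll (worth a look, not a page).
    {"type": "image_load", "pid": 7200, "image": r"C:\Program Files\SomeEditor\editor.exe",
     "loaded": r"C:\Windows\System32\RstrtMgr.dll"},
]

if __name__ == "__main__":
    for pid, sev, sigs in alerts(SAMPLE_EVENTS):
        print(f"pid {pid}: {sev} {sigs}")
```

Each signal on its own is noisy (installers legitimately use Restart Manager, developers legitimately run Python from batch files), so the value is in the stacking: the same process tripping the batch-launch, Restart Manager and Telegram signals together is what the report describes, and that combination is ranked high while a lone `RstrtMgr.dll` load from an unexpected binary only produces a low-severity lead.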
## Related Tools/Techniques
- Python-based stealers targeting web browsers and social media platforms.
- Malvertising used as an Initial Access vector (e.g., impersonating Bitwarden).
- Use of legitimate system tools (Living Off the Land Binaries) like Windows Restart Manager for malicious purposes.