Summary
In September 2023, Netskope Threat Labs reported a Python-based NodeStealer targeting Facebook business accounts. NodeStealer collects Facebook and other credentials stored in the browser and its cookie data. For over a year, we have tracked and discovered multiple variants of this infostealer. It is now targeting new victims and extracting new information using new techniques. In this blog post, we will dissect the development of the Python NodeStealer from multiple samples in the wild. Each section highlights different variants, showcasing new targets and techniques.
Key Findings
- The new Python NodeStealer variants target new information from victims. They collect budget details of Facebook Ads Manager accounts of their victims, which might be a gateway for Facebook malvertisement.
- NodeStealer now pilfers credit card information in addition to stealing credentials stored in browsers.
- New techniques used by NodeStealer include using Windows Restart Manager to unlock browser database files, adding junk code, and using a batch script to dynamically generate and execute the Python script.
The remainder of this blog post is divided into six sections, each highlighting a specific behavior we observed in one or more of the NodeStealer samples we analyzed. In addition to providing details about the behavior itself, we’ll dig into common characteristics of the samples that exhibit that behavior.
Facebook Ads Manager
A subset of the new NodeStealer samples we analyzed targeted Facebook Ads Manager accounts. Facebook Ads Manager is a tool to manage advertisement campaigns in several social media platforms like Facebook and Instagram. For at least the past year, NodeStealer has been targeting Facebook Business accounts, collecting login credentials, cookies, and saved credentials. These new samples still target the same data, but now also target Facebook Ads Manager. We suspect the reason for targeting Ads Manager accounts is to leverage the stolen accounts to create malicious Facebook ads.
We recently found several Python NodeStealer samples that collect budget details of the account using Facebook Graph API. The samples initially generate an access token by logging into adsmanager.facebook.com using cookies collected on the victim’s machine.
Once the token is collected, the samples collect general information about businesses linked to the account by sending a GET request to the businesses endpoint of Graph API, saving the results to a file named “data.txt” in the TEMP folder.
Next, they collect more information about the account by sending a GET request to the Ad Accounts endpoint of Graph API, appending the information to the previously mentioned text file.
The table below shows the Facebook Ads Manager account details targeted by the attacker.
Variable Name | Description |
---|---|
idtkqc | Account ID |
name | Account Name |
tiente (currency) | Account currency |
qg | Country Code |
limit | Total daily amount that can be spent on ads |
adspaymentcycle | Amount that can be spent on ads |
duno | Cap for total amount spent on a campaign |
trangthai | Amount status |
dachitieu | Amount spent |
The attacker targeting Facebook Ads Manager accounts likely speak Vietnamese and are targeting victims outside their country. Some of the strings in the malware are in Vietnamese, and the malware actively avoids targeting victims in Vietnam by checking the victim’s country code using ipinfo. The Python script exits if the country code of the victim is “VN”. Cyber criminals avoid targeting victims in their own countries to sidestep legal repercussions and stay ahead of law enforcement.