This cunning malware targets Facebook accounts to steal credit card information


  • Security researchers at Netskope have found an improved version of Python NodeStealer
  • This dangerous info stealer can now also target Facebook Ads Manager accounts
  • It can steal credit card information, data stored in browsers and more

Python NodeStealer, a notorious infostealer that targeted Facebook Business accounts, has been upgraded with new and dangerous features that also let it target Facebook Ads Manager accounts, steal more data, and thereby open the door to more destructive malware campaigns.

Cybersecurity researchers at Netskope Threat Labs have published a new in-depth analysis of NodeStealer, noting that it can now steal credit card information in addition to the login credentials stored in the browser.

The process is performed by copying the “Web Data” file of every targeted browser, they explained. Web Data is a SQLite database in which the browser stores sensitive data such as autofill information and saved payment methods.

Abuse of Windows Restart Manager

“This now allows the infostealer to collect the victim’s credit card information, including the cardholder’s name, card expiration date, and card number,” the researchers said.

It uses Python’s sqlite3 library to query the stolen database, looking for the specific strings that identify credit card details.

Additionally, Python NodeStealer now uses Windows Restart Manager to unlock database files. This Windows component reduces the number of reboots required after software updates by restarting only the processes that hold locks on the updated files; here, it is abused to release locks in the service of data theft.

The infostealer first extracts the information by copying the browser database files to a temporary folder. Because those files are usually locked by another process, they cannot be read directly, and that is where Windows Restart Manager comes in. Finally, the files are exfiltrated via a Telegram bot.
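The three behaviours just described (a non-browser process reading the browser’s “Web Data” store, a copy of that store appearing in a temporary folder, and a script interpreter loading the Windows Restart Manager library) are each observable in endpoint telemetry. The following detection sketch is an added example, not code from Netskope or from the malware; it assumes a simple JSON-lines event format with `type`, `pid`, `image`, `target` and `loaded` fields, and the allow-list of browser executables and the `\User Data\` profile marker are assumptions for illustration.

```python
"""Added detection example (not Netskope's or the malware's code): flag the NodeStealer
behaviours the article describes in constructed endpoint telemetry."""
import json
import ntpath
from dataclasses import dataclass
from typing import Optional

# Chromium profile databases named in the article (autofill / saved payment methods)
# plus the sibling store that holds saved logins. Compared case-insensitively.
SENSITIVE_BROWSER_DBS = {"web data", "login data"}
# Processes expected to open those stores legitimately (assumed allow-list).
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe"}
# Restart Manager is implemented in rstrtmgr.dll; a script host loading it is unusual.
RESTART_MANAGER_DLL = "rstrtmgr.dll"
SCRIPT_HOSTS = {"python.exe", "pythonw.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
# Directory fragment that marks a real Chromium profile location (assumption), so that
# a database copied anywhere else, e.g. a Temp folder, stands out.
PROFILE_MARKER = "\\user data\\"


@dataclass(frozen=True)
class Alert:
    rule: str
    pid: int
    image: str
    detail: str


def _name(path: str) -> str:
    """Lower-cased final component of a Windows path."""
    return ntpath.basename(path).lower()


def analyze_event(ev: dict) -> Optional[Alert]:
    """Apply the three rules to one telemetry record; return an Alert or None."""
    image = _name(ev["image"])
    pid = ev["pid"]
    kind = ev["type"]
    if kind in ("file_read", "file_create"):
        target = ev["target"]
        if _name(target) not in SENSITIVE_BROWSER_DBS:
            return None
        in_profile = PROFILE_MARKER in target.lower()
        # Rule 1: something other than the browser reads the profile database.
        if kind == "file_read" and in_profile and image not in BROWSER_IMAGES:
            return Alert("browser_db_read_by_foreign_process", pid, image, target)
        # Rule 2: a file with the database's name is created outside any profile folder.
        if kind == "file_create" and not in_profile:
            return Alert("browser_db_copied_outside_profile", pid, image, target)
    elif kind == "image_load":
        # Rule 3: a script interpreter pulls in the Restart Manager library.
        if _name(ev["loaded"]) == RESTART_MANAGER_DLL and image in SCRIPT_HOSTS:
            return Alert("restart_manager_loaded_by_script_host", pid, image, ev["loaded"])
    return None


def analyze_log(lines):
    """Run each JSON line through analyze_event and return (alerts, escalated_pids),
    where a PID is escalated when it trips more than one distinct rule."""
    alerts = [a for a in (analyze_event(json.loads(l)) for l in lines if l.strip()) if a]
    rules_by_pid = {}
    for a in alerts:
        rules_by_pid.setdefault(a.pid, set()).add(a.rule)
    escalated = sorted(pid for pid, rules in rules_by_pid.items() if len(rules) >= 2)
    return alerts, escalated


# Constructed sample telemetry (not real logs): one benign Chrome read, then a Python
# process that loads Restart Manager, reads the profile database and writes a copy to Temp.
SAMPLE_LOG = [
    json.dumps({"type": "file_read", "pid": 4120,
                "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
                "target": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data"}),
    json.dumps({"type": "image_load", "pid": 7788,
                "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\python.exe",
                "loaded": "C:\\Windows\\System32\\rstrtmgr.dll"}),
    json.dumps({"type": "file_read", "pid": 7788,
                "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\python.exe",
                "target": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data"}),
    json.dumps({"type": "file_create", "pid": 7788,
                "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\python.exe",
                "target": "C:\\Users\\alice\\AppData\\Local\\Temp\\Web Data"}),
]

if __name__ == "__main__":
    found, hot = analyze_log(SAMPLE_LOG)
    for a in found:
        print(f"[{a.rule}] pid={a.pid} {a.image}: {a.detail}")
    print("escalate:", hot)
```

On the constructed sample the benign Chrome read produces nothing, the Python process trips all three rules, and PID 7788 is escalated because it matches more than one rule; in a real deployment the allow-list and profile marker would be tuned to the browsers and paths actually present in the fleet.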

Python NodeStealer is most likely being developed by a threat actor in Vietnam. Their main goal is to compromise Facebook Business and now Facebook Ads Manager accounts, which they can later exploit in malvertising campaigns.

Facebook is typically strict about who may buy ads on its platform: only vetted, verified accounts are allowed to do so. Scammers rarely make it past the platform’s checks and instead resort to stealing verified accounts to run their campaigns.

Via The Hacker News
