NodeStealer Malware Targets Facebook Ad Accounts and Harvests Credit Card Data.

Threat hunters are warning about an updated version of the Python-based NodeStealer that is now equipped to extract more information from victims' Facebook Ads Manager accounts and to harvest credit card data stored in web browsers.

https://www.netskope.com/blog/python-nodestealer-targets-facebook-ads-manager-with-new-techniques

#facebook #socialmedia #ads #malware #it #security #privacy #engineer #media #tech #news
"They collect budget details of Facebook Ads Manager accounts of their victims, which might be a gateway for Facebook malvertisement," Netskope Threat Labs researcher Jan Michael Alcantara said in a report. "New techniques used by NodeStealer include using Windows Restart Manager to unlock browser database files, adding junk code and using a batch script to dynamically generate and execute the Python script."

NodeStealer, first publicly documented by Meta in May 2023, started off as JavaScript malware before evolving into a Python stealer capable of gathering data related to Facebook accounts in order to facilitate their takeover.

The latest analysis from Netskope shows that NodeStealer artifacts have begun to target Facebook Ads Manager accounts, which are used to manage ad campaigns across Facebook and Instagram, in addition to striking Facebook Business accounts.
[ImageSource: Netskope Threat Labs]

"We recently found several Python NodeStealer samples that collect budget details of the account using Facebook Graph API," Michael Alcantara explained. "The samples initially generate an access token by logging into adsmanager.facebook[.]com using cookies collected on the victim's machine."

Aside from collecting the tokens and business-related information tied to those accounts, the malware includes a check explicitly designed to avoid infecting machines located in Vietnam, a way to evade law enforcement action that further points to its origins.
[ImageSource: Netskope Threat Labs]

On top of that, certain NodeStealer samples have been found to use the legitimate Windows Restart Manager to unlock SQLite database files that may be held open by other processes. This is done in an attempt to siphon credit card data from various web browsers.

Data exfiltration is achieved using Telegram, underscoring that the messaging platform continues to be a crucial vector for threat actors despite recent changes to its policy.
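The Telegram exfiltration channel is the part of this chain a defender can most readily look for on the wire. The script below is an added example written for this post; it is not code from Netskope, from the article, or from the NodeStealer samples. It assumes a constructed proxy/EDR log format (`host=... proc=... method=... url=...`) and flags Telegram Bot API upload calls (`sendDocument`, `sendMessage`, `sendPhoto`) that originate from processes other than an allow-listed Telegram client, with extra weight when the caller is a Python interpreter, which matches the Python-based stealer described above. The bot token in any hit is redacted before the finding is recorded so that the detection output does not itself leak the actor's credential into a ticketing system.

```python
"""Detection heuristic: Telegram Bot API exfiltration from endpoint processes.

Added example for this post, not from Netskope or the article. The log format,
hostnames, process names and bot token are all constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Telegram Bot API methods commonly used to push stolen files or text.
TELEGRAM_BOT_API = re.compile(
    r"^https?://api\.telegram\.org/bot[0-9]+:[A-Za-z0-9_-]+/"
    r"(sendDocument|sendMessage|sendPhoto)\b"
)

# Processes allowed to talk to Telegram on a managed desktop.
# Assumption: tune this allow-list per environment.
ALLOWED_PROCESSES = {"telegram.exe"}


@dataclass(frozen=True)
class Finding:
    host: str
    process: str
    url: str      # bot token already redacted
    reason: str


def redact_token(url: str) -> str:
    """Strip the bot token so findings can be shared without leaking it."""
    return re.sub(r"/bot[0-9]+:[A-Za-z0-9_-]+/", "/bot<redacted>/", url)


def parse_line(line: str) -> Optional[dict]:
    """Parse one constructed log line: '<ts> host=<h> proc=<p> method=<m> url=<u>'."""
    m = re.match(r"^\S+ host=(\S+) proc=(\S+) method=(\S+) url=(\S+)$", line)
    if not m:
        return None          # malformed or unrelated line, skip it
    host, proc, method, url = m.groups()
    return {"host": host, "proc": proc.lower(), "method": method, "url": url}


def detect(lines: List[str]) -> List[Finding]:
    """Return a Finding for every Bot API call from a non-allow-listed process."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not TELEGRAM_BOT_API.match(rec["url"]):
            continue
        if rec["proc"] in ALLOWED_PROCESSES:
            continue
        reason = "bot-api call from non-Telegram process"
        if rec["proc"].startswith("python"):
            reason = "bot-api call from python interpreter"
        findings.append(Finding(rec["host"], rec["proc"], redact_token(rec["url"]), reason))
    return findings


# Constructed sample log lines (not real telemetry).
SAMPLE_LOGS = [
    "2024-11-20T10:01:02Z host=ws-17 proc=python.exe method=POST "
    "url=https://api.telegram.org/bot123456789:AAEabcDEF_ghi-jkl/sendDocument",
    "2024-11-20T10:01:05Z host=ws-17 proc=Telegram.exe method=POST "
    "url=https://api.telegram.org/bot123456789:AAEabcDEF_ghi-jkl/sendMessage",
    "2024-11-20T10:01:09Z host=ws-22 proc=chrome.exe method=GET "
    "url=https://graph.facebook.com/v18.0/me/adaccounts",
    "2024-11-20T10:01:12Z host=ws-22 proc=powershell.exe method=POST "
    "url=https://api.telegram.org/bot987654321:BBFzyxWVU_tsr-qpo/sendMessage",
    "this line is malformed and should be ignored",
]


def run_sample() -> List[Finding]:
    return detect(SAMPLE_LOGS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.host} {f.process} {f.reason} {f.url}")
```

In practice the interesting signal is the process name, not the destination alone: a desktop Telegram client calling `sendMessage` is normal, while `python.exe` or a shell uploading a document to a bot endpoint from a workstation that never ran a Telegram bot deserves a look, especially alongside the browser database access described above.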

Malvertising via Facebook is a lucrative infection pathway, often impersonating trusted brands to disseminate all kinds of malware. This is evidenced by the emergence of a new campaign starting November 3, 2024, that has mimicked the Bitwarden password manager software through Facebook sponsored ads to install a rogue Google Chrome extension.

<https://www.bitdefender.com/en-us/blog/labs/inside-bitdefender-labs-investigation-of-a-malicious-facebook-ad-campaign-targeting-bitwarden-users>