@ducklah 5 May 2023

Threat Actor

Vietnam-based

Description

Newly discovered malware - NodeStealer gains access to user information by making requests from the targeted user's computer to the APIs used by Facebook web and mobile apps, which masquerades its activity behind the user's actual IP address, cookie values, and system configuration - appearing like a legitimate user and their session. The stole information enables threat actors to assess and use users' advertising accounts to run unauthorized ads.

According to Meta (Facebook), NodeStealer targeted internet browsers on Windows with the goal of stealing cookies and saved usernames and passwords to ultimately compromise Facebook, Gmail, and Outlook accounts. NodeStealer is custom-written in JavaScript and bundles the Node.js environment. The malware is of Vietnamese origin and distributed by threat actors from Vietnam.

Meta identified NodeStealer early – within two weeks of it being deployed – and took action to disrupt it and help people who may have been targeted recover their accounts. As part of this effort, we submitted takedown requests to third-party registrars, hosting providers, and application services such as Namecheap, which were targeted by these threat actors to facilitate distribution and malicious operations. These actions led to a successful disruption of the malware. Meta has not observed any new samples of malware in the NodeStealer family since February 27 of this year and continues monitoring for any potential future activity.

NodeStealer samples are typically disguised as PDF and XLSX files with an appropriate corresponding icon and a filename meant to trick people into opening malicious files. This tactic makes it difficult for people to see that they are opening a potentially malicious executable instead of an innocuous document.

A screenshot of VirusTotal scanning results at the time of detection.

An example of file metadata.

Threat Indicators: These indicators are available in machine-readable formats on our Malware Detection repository on GitHub → https://github.com/facebook/malware-detection

Based on publicly available information, the malware C2 domain was registered with Namecheap on December 27th, 2022. At the time of this analysis, the domain name resolved to the OVH VPS IP 15[.]235[.]187[.]170. We also observed a published DNS mail exchange (MX) record on that domain using Namecheap’s “Private Email” service. The C2 server appears to be a Node.js “Express”-based web application hosted by Nginx, judging by the server’s response header values.

Reference

https://engineering.fb.com/2023/05/03/security/malware-nodestealer-ducktail/ https://github.com/facebook/malware-detection https://www.bleepingcomputer.com/news/security/facebook-disrupts-new-nodestealer-information-stealing-malware/