A new malware called NodeStealer was observed in late January targeting saved usernames and passwords in browsers, with the aim of compromising businesses' Gmail, Outlook and Facebook accounts.
Researchers with Meta on Wednesday said that the malware was likely being distributed by threat actors in Vietnam and was being deployed via Windows executables disguised as PDF files with filenames relating to marketing, social media planning and monthly budgets.
“We identified NodeStealer early – within two weeks of it being deployed – and took action to disrupt it and help people who may have been targeted to recover their accounts,” said Duc H. Nguyen, malware analysis engineer with Meta and Ryan Victory, malware discovery and detection engineer with Meta on Wednesday. “As part of this effort, we submitted takedown requests to third-party registrars, hosting providers, and application services such as Namecheap, which were targeted by these threat actors to facilitate distribution and malicious operations.”
The malware was executed using the Node.js open source Javascript runtime environment, typically used to develop web applications. The platform has been abused by cybercriminals in past, including by attackers in 2018 to steal from cryptocurrency wallets and in 2021 to install a credential stealing backdoor.
After execution, the malware used the auto-launch module on Node.js to establish persistence. It then stole stored credentials and cookie session data from various browsers (Chrome, Opera, Edge and Brave) on victim computers, by referencing the file paths to access files storing cookies and credentials for various sites and decrypting this data.
“If a Facebook session cookie is found, the malware starts reading data from the ‘Login Data’ file, which is an SQLite database containing saved usernames and Passwords,” said researchers. “The malware specifically targets user credentials for Facebook, Gmail, and Outlook. We hypothesize that the malware steals email credentials to compromise the user’s contact point and potentially to access other online accounts connected to that email account.”
For some Facebook accounts, the threat actors would use the accounts’ business advertising function to run unauthorized ads. The malware also exfiltrated all data to the command-and-control (C2) server. Meta has identified and reported the malware C2 domain registered to Namecheap, and it no longer resolves.
Since its attempts to disrupt the campaign, Meta has not seen any new samples of the NodeStealer malware since Feb. 27. Previously, Meta has cracked down on a number of threat actors leveraging its platforms in their attacks, including an espionage operation where attackers used various social engineering tactics on social media platforms like Facebook with the end goal of deploying malware on victim devices, as well as two cyberespionage groups from Iran that were using a variety of methods to target academics, activists, journalists and other victims.
On Wednesday, Meta said that many threat actors behind new malware families are getting more savvy at avoiding detection and developing effective social engineering strategies. Many of the threat actors are using popular tools, for instance, posing as ChatGPT browser extensions or productivity tools in order to target file-sharing services like Dropbox, Google Drive, Microsoft OneDrive and iCloud, with the aim of compromising businesses with access to ad accounts. Meta on Wednesday said that since March it has detected nearly 10 new malware families using ChatGPT-related lures to compromise accounts across the Internet, and the company has blocked over 1,000 unique ChatGPT-themed malicious URLs from being shared on Facebook.
“We’ve identified these malware operations at different stages of their lifecycle and have already seen rapid adversarial adaptation in response to our detection, including some of them choosing to shift their initial targeting elsewhere on the Internet,” said researchers.