Facebook has discovered a new information-stealing malware distributed on Meta called “NodeStealer”, allowing threat actors to steal browser cookies to hijack accounts on the platform, as well as Gmail and Outlook accounts.

Capturing cookies containing valid user session tokens is a tactic that is gaining popularity among cybercriminals, as it allows them to hijack accounts without having to steal credentials or interact with the target while bypassing protections two-factor authentication.

As Facebook’s security team explains in a new blog post, it identified NodeStealer early in its distribution campaign, just two weeks after its initial rollout. The company has since halted the operation and helped affected users recover their accounts.

NodeStealer steals your accounts

Facebook engineers first spotted the NodeStealer malware in late January 2023, attributing the attacks to Vietnamese actors.

The malware is called NodeStealer, because it is written in JavaScript and executed via Node.js.

Node.js makes the malware able to run on Windows, macOS, and Linux, and it’s also the source of its stealthiness, with almost all AV engines on VirusTotal not marking it as malicious at the time.

NodeStealer VT scan results
NodeStealer VT scan results (Facebook)

NodeStealer is distributed as a 46-51MB Windows executable disguised to appear as an appropriately named PDF or Excel document to arouse the curiosity of the recipient.

On launch, it uses the Node.js auto-launch module and adds a new registry key to establish persistence on the victim’s machine between reboots.

Establish perseverance
Establish perseverance (Facebook)

The main goal of the malware is to steal cookies and account credentials for Facebook, Gmail and Outlook, stored in Chromium-based web browsers such as Google Chrome, Microsoft Edge, Brave, Opera, etc.

Scan on specific file paths for valuable data
Scan on specific file paths for valuable data (Facebook)

This data is normally encrypted on the browsers SQLite database; however, reversing this encryption is a trivial process performed by all modern information thieves, who simply retrieve the base64-encoded decryption key from Chromium’s “Local State” file.

Extraction and decryption of cookies
Extraction and decryption of cookies (Facebook)

If NodeStealer finds cookies or identifiers linked to Facebook accounts, it enters the next phase, “account reconnaissance”, during which it abuses the Facebook API to extract information about the hacked account.

To evade detection by Facebook’s anti-abuse systems, NodeStealer hides these requests behind the victim’s IP address and uses their cookie values ​​and system configuration to appear as a real user.

The key information sought by the malware is the Facebook account’s ability to run advertising campaigns, which threat actors exploit to spread misinformation or drive unsuspecting audiences to other malware distribution sites.

This is the same tactic followed by similar malware strains also covered in Facebook’s Latest Malware Threat Reportas duck tail.

After stealing all this information, NodeStealer exfiltrates the stolen data to the attacker’s server.

Data exfiltration
Data exfiltration (Facebook)

Upon discovery, Facebook reported the threat actor’s server to the domain registrar, and it was taken down on January 25, 2023.

In today’s report, Facebook also shared information about the lawsuit DuckTail Malware operations and malware and malicious extensions distributed as ChatGPT programs.

For those interested in IOCs related to NodeStealer, DuckTail, and ChatGPT-mimicking malware, Facebook has shared its data on Facebook’s public GitHub repository.

Source link