NodeStealer Infostealer: New Python-Based Variant Targets Facebook Ads Manager
The NodeStealer malware, first identified as a JavaScript-based threat, has undergone a transformation into a Python-based infostealer, expanding its capabilities to harvest a broader range of sensitive data. According to Trend Micro’s Managed Extended Detection and Response (MXDR) team, this advanced variant not only collects credit card details and browser-stored information but also targets Facebook Ads Manager accounts, posing significant risks to businesses and individuals alike.
The Facebook Ads Manager platform, widely used for managing advertising campaigns across Facebook, Instagram, and other platforms, has become a prime target. “The newest NodeStealer variant demonstrates a more sophisticated approach to data theft: It specifically targets Facebook Ads Manager accounts, credit card information, and confidential data stored in web browsers,” Trend Micro’s report reveals.
The campaign begins with a spear-phishing email written in Bahasa Melayu, containing a malicious link disguised as a legitimate PDF file. Upon clicking the link, victims are tricked into downloading a zip file containing seemingly harmless applications. These include executable files and DLLs exploited to sideload malicious code, enabling the malware to bypass traditional security defenses.
Trend Micro uncovered that the malware used DLL sideloading, encoded PowerShell commands, and a decoy PDF to execute its final payload. A particularly alarming feature of this campaign is the use of Telegram for data exfiltration, allowing stolen information to be covertly transferred to threat actors.
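Two of the behaviours described above, encoded PowerShell launches and exfiltration over Telegram, leave traces in ordinary endpoint telemetry. The following detection logic is an added example written for this article, not code from Trend Micro or from the malware; the telemetry lines, the field names and the loader path are constructed for illustration.

```python
import base64
import re
from typing import Dict, List, Optional

def encode_ps_command(script: str) -> str:
    """Encode a script the way PowerShell -EncodedCommand expects: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed sample telemetry (not from the report). Each line is "type|key=value|...";
# "proc" = process creation, "net" = outbound connection.
SAMPLE_EVENTS = [
    "proc|image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|cmdline=powershell.exe -nop -w hidden -ExecutionPolicy Bypass -enc "
    + encode_ps_command("Start-Process C:\\Users\\Public\\decoy.pdf; & C:\\Users\\Public\\app\\loader.exe"),
    "proc|image=C:\\Windows\\System32\\notepad.exe|cmdline=notepad.exe notes.txt",
    "net|image=C:\\Users\\Public\\app\\pythonw.exe|dest=api.telegram.org|port=443",
    "net|image=C:\\Program Files\\Browser\\browser.exe|dest=www.example.com|port=443",
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand (e.g. -e, -enc).
ENC_FLAG = re.compile(r"-(?:e|ec|en|enc|enco|encod|encode|encoded|encodedc|encodedco|"
                      r"encodedcom|encodedcomm|encodedcomma|encodedcomman|encodedcommand)"
                      r"\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

def parse_event(line: str) -> Dict[str, str]:
    kind, *fields = line.split("|")
    event = dict(f.split("=", 1) for f in fields)
    event["type"] = kind
    return event

def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext of a -EncodedCommand argument, or None if absent or malformed."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyze_events(lines: List[str]) -> List[Dict[str, str]]:
    """Flag encoded PowerShell launches and connections to the Telegram Bot API host."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev["type"] == "proc" and "powershell" in ev["image"].lower():
            decoded = decode_encoded_command(ev.get("cmdline", ""))
            if decoded is not None:  # surface the decoded script for the analyst
                findings.append({"rule": "encoded_powershell", "image": ev["image"], "detail": decoded})
        elif ev["type"] == "net" and ev.get("dest", "").lower() == "api.telegram.org":
            findings.append({"rule": "telegram_bot_api", "image": ev["image"], "detail": ev["dest"]})
    return findings

if __name__ == "__main__":
    for f in analyze_events(SAMPLE_EVENTS):
        print(f"[{f['rule']}] {f['image']} -> {f['detail']}")
```

Decoding the argument rather than merely flagging its presence lets a triage rule see the decoy-PDF launch and the sideloaded component in one step; Telegram API traffic from a non-browser process is the second signal worth correlating with it.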
This campaign was traced back to a Vietnamese threat group, as evidenced by the password “@hacking.vn” used to compress the malicious files. The attack targeted an educational institution in Malaysia, with the spear-phishing emails showing signs of machine translation—a detail that raised initial suspicions during the investigation.
The final payload, delivered as a Python script, executes an infostealer designed to exfiltrate sensitive information, including credit card data, cookies, and browser-stored credentials. Additionally, it extracts financial and business-related information from Facebook Ads Manager accounts, potentially enabling malicious advertising campaigns.