Executive Summary:
Facebook has identified a new malware family, NodeStealer, that targets web browsers on Windows in order to compromise Facebook, Gmail, and Outlook accounts by stealing usernames, passwords, and session cookies. The malware is written in JavaScript and is bundled with the Node.js runtime. It goes after the ability of Facebook accounts to run advertising campaigns, which threat actors then use to spread false content or send viewers on to further malicious websites. NodeStealer uses the victim’s cookies and system configuration to appear as a legitimate user, routing its requests through the victim’s IP address to avoid detection. Facebook discovered NodeStealer early in its distribution campaign and helped affected users recover their accounts.
On January 25, 2023, the threat actor’s server was taken down after it was reported to the domain registrar. Facebook has continued to monitor for further activity but has not seen any new samples of the NodeStealer family since February 27 of this year. The malware is part of Vietnam’s growing cybercrime ecosystem, in which several threat actors use overlapping techniques to distribute their malicious software, with Facebook advertising as the primary vector.
Introduction of the malware and mode of operation:
NodeStealer is an information-stealing malware whose main targets are bitcoin wallets and Facebook business accounts. It was first publicly disclosed by Meta in May 2023 and has been active since at least July 2022. The malware spreads through several techniques, including downloading and extracting archives, and it adds registry Run keys to establish persistence. It is a JavaScript threat running on Node.js, built to steal browser cookies and saved login credentials from Chromium-based browsers including Microsoft Edge, Brave, Opera, and Chrome.
Distribution: NodeStealer is distributed disguised as PDF and XLSX files, delivered by bundling it with genuine software, through phishing emails, social engineering, and malvertising. The malware uses convincing icons and filenames to trick users into opening these files.
Execution and Persistence: Once executed, the malware establishes persistence so that it keeps running after the victim restarts the computer. It does this by creating a registry Run key that launches it at startup and by using the Node.js auto-launch module.
Data Harvesting: Once running, NodeStealer collects the browser’s encrypted data stores, decrypts them to recover the cookie database and saved credentials, and then issues unauthorized requests to Facebook URLs to pull advertising-related account information. The stolen data is sent to its command-and-control (C&C) server as a Base64-encoded JSON object.
Exploitation of Stolen Information: The threat actor behind the infection uses the stolen data to run illicit advertisements from the victim’s accounts. The ultimate objective is to use the stolen cookies to change passwords and bypass protections such as two-factor authentication, locking users out of their own accounts.
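As an added example that is not code from the advisory or from Meta, the persistence and exfiltration behaviours described above can be turned into two simple detection checks: one flags autostart registry values that launch a binary from a user-writable folder or reuse a masquerade file name outside System32, the other decodes a Base64 request body and reports it if the JSON inside carries cookie or password fields. The registry value, the request body and the masquerade-name list (Word.exe, RuntimeBroker.exe) are constructed samples and assumptions to extend from your own telemetry.

```python
import base64
import json
import re

# Persistence location named in the advisory: Run/RunOnce keys under CurrentVersion.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Autostart binaries living in user-writable folders are a common stealer trait.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|ProgramData)\\", re.IGNORECASE)
# Assumed masquerade names; extend from your own sample data. Real copies live in System32.
LURE_NAMES = {"word.exe", "runtimebroker.exe"}
# JSON keys that suggest harvested browser data (c_user/xs are Facebook session cookies).
CREDENTIAL_KEYS = {"cookies", "cookie", "c_user", "xs", "password", "passwords"}


def suspicious_run_entry(key, value):
    """Return the reasons an autostart registry value looks like stealer persistence."""
    reasons = []
    if not RUN_KEY.search(key):
        return reasons                      # not an autostart key, nothing to judge
    match = re.match(r'\s*"?(.*?\.exe)', value, re.IGNORECASE)
    exe = match.group(1) if match else value  # strip quotes and trailing arguments
    name = exe.rsplit("\\", 1)[-1].lower()
    if USER_WRITABLE.search(exe):
        reasons.append("autostart from user-writable path")
    if name in LURE_NAMES and "\\system32\\" not in exe.lower():
        reasons.append(f"{name} outside System32")
    return reasons


def decode_exfil_body(body):
    """Decode a Base64 request body; return the JSON object if it carries credential fields."""
    try:
        obj = json.loads(base64.b64decode(body, validate=True))
    except ValueError:                      # bad Base64, bad UTF-8 or not JSON
        return None
    if isinstance(obj, dict) and CREDENTIAL_KEYS & {k.lower() for k in obj}:
        return obj
    return None


# Constructed samples (not real telemetry): one masquerading autostart entry and
# one Base64-encoded JSON body of the kind the advisory says goes to the C&C server.
SAMPLE_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Word"
SAMPLE_VALUE = r"C:\Users\alice\AppData\Local\Temp\Word.exe"
SAMPLE_BODY = base64.b64encode(json.dumps(
    {"cookies": [{"name": "c_user", "value": "100000000000001"}], "ua": "Mozilla/5.0"}
).encode()).decode()
```

Feed `suspicious_run_entry` with Sysmon registry value-set events (Event ID 13) and `decode_exfil_body` with proxy-logged POST bodies to turn the two checks into alerts.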
IoCs related to malware:
Mitigation:
● Keep your software up to date.
● Use a strong security solution.
● Take caution while opening attachments and clicking on links.
● Make sure multi-factor authentication (MFA) is enabled and use strong passwords.
● A comprehensive security solution can help protect you from a wide range of malware threats, including NodeStealer.
● Phishing emails are a common way to distribute malware. Phishing emails often try to trick you into opening malicious attachments or clicking on malicious links.
● Strong passwords and MFA can help to protect your accounts from being compromised.
Recommendation:
● Be careful about what apps you authorize.
● When you authorize an app to access your Facebook account, be sure to only authorize apps from trusted developers.
● Review your app permissions regularly.
● Go to your Facebook account settings and review the permissions you have granted to apps.
● If you see any apps that you no longer use or do not trust, remove their permissions.
● Use Facebook Login Protect.
● Facebook Login Protect is a security feature that makes your account harder to take over by requiring a code from your phone when you log in from an unfamiliar device or browser.
Conclusion:
NodeStealer, with its cryptocurrency theft, downloader, and Facebook business account takeover capabilities, poses a serious threat. Its variants, believed to be operated by a suspected Vietnamese threat actor, have moved beyond their initial objectives and can cause significant financial loss and reputational harm. Organizations should reassess their security controls and make use of the indicators of compromise (IoCs) provided here. Facebook business account owners should strengthen their defenses with strong passwords and multi-factor authentication. Educating staff about current phishing tactics, which exploit current events and enticing topics, is equally important in countering this evolving threat.
Additional IOC:
● hxxps://tinyurl[.]com/batkyc
● hxxp://adgowin66[.]site/ratkyc/4/bat.zip
● hxxps://tinyurl[.]com/ratkyc2
● hxxp://adgowin66[.]site/ratkyc/4/ratkyc.zip
● 1a4e8bcf7dc4ad7215957210c8e047f552b45a70daf3d623436940979c38f94c
● 92657c3a108bbedc6f05b4af0a174e99a58e51e69c15c707d9c9cc63cdf1b4ea
● fed5ea7840461984fa40784d84ed1a0961cbf48b03d8b79c522286bf6e220922
CyberPeace Advisory:
● Keep your software up to date, including your operating system, browser, and security software.
● Be careful about which links you click on and which attachments you open.
● Use strong passwords and two-factor authentication on all of your accounts.
● Be wary of unsolicited messages and emails, even if they appear to come from a legitimate source.