NodeStealer, a novel malware family first identified by Meta's security team in January 2023, is designed to exploit Meta's ad network on Facebook and poses a significant threat to user privacy and security. The malicious software operates as an info-stealer capable of hijacking browser cookies and executing account takeovers at scale. The seemingly innocuous "Albums" advertised in these campaigns serve as gateways to repositories on platforms such as Bitbucket and GitLab, which conceal a Windows executable that installs NodeStealer on the victim's device.
The malware runs on Node.js, the cross-platform, open-source JavaScript runtime environment. Its upgraded version, NodeStealer 2.1, adds features that extend its reach to additional platforms such as Gmail and Outlook, with the aim of stealing cryptocurrency wallet balances and delivering further malicious payloads. It has been used in previous campaigns in which attackers hijacked Facebook business accounts, leading to cryptocurrency theft. The threat actors have employed novel methods, including using compromised business accounts to target regular users.
However, Meta acted swiftly upon identifying NodeStealer, disrupting the malware family within weeks of its emergence. Meta reported that it first spotted NodeStealer roughly two weeks after it was initially deployed and immediately took action to neutralize it, including contacting the relevant service providers. According to Meta, the disruption was successful, with no new NodeStealer samples observed since February 27, 2023. The findings were presented by Nimmo and Hutchins at CYBERWARCON and detailed in subsequent interviews.
Description last updated: 2024-05-04T16:28:26.728Z