nodestealer

Malware Profile Updated 2 months ago
NodeStealer, a novel malware family first identified by Meta's security team in January 2023, is designed to exploit Meta's ad network on Facebook and poses a significant threat to user privacy and security. This malicious software operates as an info-stealer capable of hijacking browser cookies and executing account takeovers at scale. The seemingly innocuous "Albums" advertised in campaigns serve as gateways to repositories on platforms like Bitbucket and GitLab, which conceal a Windows executable that delivers NodeStealer onto the user's device. The malware is executed using the cross-platform, open-source JavaScript runtime environment Node.js.

Its upgraded version, NodeStealer 2.1, adds features that extend its reach to additional platforms like Gmail and Outlook, aiming to steal crypto wallet balances and deliver further malicious payloads. It has been used in previous campaigns where hackers hijacked Facebook business accounts, leading to cryptocurrency theft. Threat actors have employed innovative methods, including the exploitation of compromised business accounts to target regular users.

However, Meta acted swiftly upon identifying NodeStealer, disrupting the malware family within weeks after it emerged. Meta revealed that it first spotted NodeStealer roughly two weeks after it was initially deployed and immediately took action to neutralize it, including contacting appropriate service providers. According to Meta, the disruption was successful, with no new NodeStealer samples observed since February 27, 2023. The findings were introduced by Nimmo and Hutchins at CYBERWARCON and detailed in subsequent interviews.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Facebook
Outlook
Windows
Phishing
Meta
Infostealer
Payload
Exploit
Python
Hackread
Whatsapp
Rat
Chrome
Fraud
Associated Malware
ID | Type | Votes | Profile Description
Ducktail | Unspecified | 5 | "Ducktail" is a malicious software (malware) first observed in 2022, specifically designed to target Facebook business accounts. The malware was discovered by Zscaler, a leading cybersecurity firm, and it's suspected to originate from threat actors based in Vietnam. Ducktail not only infiltrates sys
Xworm | Unspecified | 1 | XWorm is a multifaceted malware that poses a significant threat to computer systems. It provides threat actors with remote access capabilities, allowing them to exploit vulnerabilities in programs such as ScreenConnect client software. Additionally, XWorm has the potential to spread across networks,
Associated Threat Actors
ID | Type | Votes | Profile Description
Snake | Unspecified | 1 | Snake, also known as EKANS, is a significant threat actor that has been active since at least 2004, with its activities potentially dating back to the late 1990s. This group, which may have ties to Iran, targets diplomatic and government organizations as well as private businesses across various reg
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the nodestealer Malware was read from the documents corpus below. This display is limited to 20 results.
Source | Created At | Title
CERT-EU | 4 months ago | New Python-Based Snake Info Stealer Spreading Through Facebook Messages | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU | 4 months ago | Snake Python-Based Information Stealer Targets Facebook Users
CERT-EU | 8 months ago | NodeStealer Malware Targets Facebook Accounts with Malvertising
CERT-EU | 8 months ago | Provocative Facebook Ads Leveraged to Deliver NodeStealer Malware
CERT-EU | 8 months ago | Provocative Facebook Ads Leveraged to Deliver NodeStealer Malware
CERT-EU | 8 months ago | NodeStealer Malware Hijacking Facebook Business Accounts for Malicious Ads
CERT-EU | 8 months ago | NodeStealer attacks on Facebook take a provocative turn – threat actors deploy malvertising campaigns to hijack users’ accounts
Bitdefender | 8 months ago | NodeStealer attacks on Facebook take a provocative turn – threat actors deploy malvertising campaigns to hijack users’ accounts
CERT-EU | 9 months ago | Facebook's Official Page Hacked; Demand Release of Pakistani PM Imran Khan | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
CERT-EU | 10 months ago | Vietnamese Cybercriminals Targeting Facebook Business Accounts with Malvertising
CERT-EU | a year ago | New Information Stealer ‘Mystic Stealer’ Rising to Fame
CERT-EU | a year ago | Hackers are increasingly using ChatGPT lures to spread malware on Facebook | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker – National Cyber Security Consulting
CERT-EU | a year ago | Five Driving Forces in the Tech Sector and the Future of Meta
CERT-EU | a year ago | The Week in Security: SolarWinds hack set off alarms for months before discovery
CERT-EU | a year ago | Python versions of stealer malware discovered targeting Facebook business accounts
CERT-EU | a year ago | New NodeStealer Targeting Facebook Business Accounts and Crypto Wallets
CERT-EU | a year ago | Hackers continue to distribute malware through hacked verified pages on Facebook
CERT-EU | a year ago | Information Security News headlines trending on Google - Cybersecurity Insiders
CERT-EU | a year ago | NodeStealer 2.0 Poses as ‘Microsoft’ to Hack Facebook and Browser Data | IT Security News
CERT-EU | a year ago | Users of Facebook for Business are the Target of a New Phishing Attack