NodeStealer, a newly discovered malware on Meta, was identified by Facebook as stealing browser cookies.
Due to this vulnerability, threat actors can obtain illicit entry into various accounts on the platform, including Gmail and Outlook. Threat actors are increasingly adopting the tactic of capturing cookies that hold valid user session tokens.
It enables them to bypass two-factor authentication measures; hijack accounts without stealing credentials or interacting with targets.
Facebook’s security team detected NodeStealer at an early stage of its distribution campaign, just within two weeks of its initial release.
The company swiftly addressed the situation and assisted affected users in recovering their accounts, ultimately disrupting the operation.
Ducktail Malware in Focus
Over multiple years, Facebook’s security team monitored and obstructed various versions of Ducktail originating from Vietnam, which have adapted in response to measures implemented by Meta and its counterparts in the industry.
While here below, we have mentioned the platforms that the Ducktail targets:-
- Google Chrome
- Microsoft Edge
- Brave
- Firefox
- Dropbox
- Mega
NodeStealer
In late January of 2023, Facebook’s engineers discovered the NodeStealer malware and attributed the attacks to threat actors from Vietnam.
Named for its implementation in JavaScript and execution through Node.js, the malware has been dubbed NodeStealer.
The use of Node.js enables the NodeStealer malware to operate on multiple operating systems, including:-
Additionally, the malware’s stealthiness can be attributed to its implementation in Node.js, which allowed it to evade detection by nearly all AV engines on VirusTotal.
The NodeStealer malware is distributed as a Windows executable file ranging from 46 to 51MB. The file is disguised as a PDF or Excel document and aptly named to pique the recipient’s curiosity.
Once deployed, the NodeStealer malware uses Node.js’ auto-launch module to append a fresh registry key to the victim’s device.
This facilitates the malware to establish persistence, allowing it to remain active even after the machine is rebooted.
The main objective of the NodeStealer malware is to steal cookies and login credentials for Facebook, Gmail, and Outlook accounts that are saved on web browsers that are based on Chromium, such as:-
- Google Chrome
- Microsoft Edge
- Brave
- Opera
While this data is typically encrypted within the SQLite database of the web browser, the decryption process is relatively simple and employed by most modern information-stealing malware.
These malware programs retrieve the base64-encoded decryption key directly from the “Local State” file of the Chromium.
Once NodeStealer identifies cookies or credentials associated with Facebook accounts, it proceeds to the subsequent phase, called “account reconnaissance.”
During this phase, the malware exploits the Facebook API to extract information about the compromised account. NodeStealer uses a deceptive tactic to avoid detection by Facebook’s anti-abuse systems.
By utilizing the following key elements of the victim, it disguises its requests as genuine user activity, concealing its malicious intentions:-
- IP address
- Cookie values
- System configuration
The malware focuses on acquiring critical data from Facebook accounts that allow them to launch advertising campaigns.
Threat actors exploit this access to disseminate misinformation or redirect unsuspecting audiences to the malicious sites used to distribute malware.
Abusing ChatGPT
Security experts have diligently investigated and combated malware strains that exploit OpenAI’s ChatGPT.
These malicious programs deceive users by masquerading as AI-enabled tools, but instead, they serve as a gateway for malware installation.
While apart from this, it’s a trend that has been ongoing for several months, and security analysts are actively putting their efforts into mitigating the threat.
Since March of 2023, there has been a noticeable increase in the number of malware families exploiting ChatGPT to gain unauthorized access to accounts throughout the internet.
Moreover, some reports suggest that approximately ten such families have been identified.
To combat the spread of malicious content, Facebook has blocked over 1,000 unique URLs with ChatGPT-themed malware from sharing on its platform.
They have proactively shared this information with their industry peers, enabling them to take appropriate action to protect their platforms and users.
Building Your Malware Defense Strategy – Download Free E-Book