The Noodlophile Stealer malware, initially uncovered in campaigns leveraging fake AI video generation platforms, has evolved into a targeted spear-phishing operation that weaponizes copyright infringement notices to infiltrate enterprises with substantial Facebook presences.
This updated variant, active for over a year, shifts from broad social media lures to highly personalized emails impersonating legal entities, incorporating reconnaissance-derived details such as specific Facebook Page IDs and company ownership data.
These phishing attempts, often dispatched from Gmail accounts to evade initial scrutiny, employ multilingual content potentially AI-generated in languages including English, Spanish, Polish, and Latvian, broadening their global reach across the US, Europe, Baltic regions, and APAC.
By demanding urgent action on alleged violations, attackers pressure key employees or generic inboxes like info@ or support@ into downloading malicious payloads disguised as evidence files, such as “View Copyright Infringement Evidence.pdf.”

This approach mirrors past campaigns like the 2024 “CopyRh(ight)adamantys” operation documented by Check Point, which distributed Rhadamanthys stealer via similar legal-themed lures, but distinguishes itself through exploitation of legitimate software vulnerabilities, Telegram-based staging, and dynamic payload execution for enhanced evasion.
The delivery mechanism represents a marked advancement, exploiting DLL side-loading vulnerabilities in signed, legitimate applications like Haihaisoft PDF Reader and Excel converters.
Attackers employ recursive stub loading, where a small stub DLL is side-loaded to recursively invoke malicious code via Import Address Table (IAT) dependencies, or chain vulnerabilities in legitimate DLLs to execute covertly within trusted processes.
Payload Enhancements
Payloads are disseminated through Dropbox links masked by URL shorteners like TinyURL, containing archives with obfuscated artifacts such as batch scripts renamed with .docx or .pdf extensions, or self-extracting archives (SFX) posing as .png files.
Upon execution, these trigger an intermediate staging phase where DLLs rename files to reveal BAT scripts and portable Python interpreters, establishing persistence via registry keys under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
Variants may download additional disguised files from remote servers, transitioning to enhanced obfuscation layers that extract URLs from Telegram group descriptions for dynamic payload retrieval from platforms like paste.rs.
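The staging chain above relies on archive members whose extension lies about their content (batch scripts named .docx or .pdf, SFX executables named .png). A defender can catch that before anything runs by comparing each member's claimed extension with its leading bytes. The following is an added example, not code from the report or from any vendor; the sample archive it builds is constructed in memory and is not a real campaign artefact.

```python
import io
import zipfile

# Expected leading bytes for the file types the lure archives claim to hold.
SIGNATURES = {
    ".pdf": (b"%PDF-",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".docx": (b"PK\x03\x04",),  # OOXML documents are ZIP containers
}

# Opening tokens typical of Windows batch scripts (compared case-insensitively).
BATCH_TOKENS = (b"@echo", b"echo ", b"set ", b"cmd ", b"start ", b"ren ", b"call ")


def classify(name, data):
    """Return a verdict for one archive member.

    'ok'             content matches the claimed extension
    'pe-masquerade'  PE executable (MZ header) behind a document/image name
    'bat-masquerade' batch-script text behind a document/image name
    'mismatch'       other content that does not match the extension
    'unknown-ext'    extension not covered by SIGNATURES, no opinion
    """
    lowered = name.lower()
    dot = lowered.rfind(".")
    ext = lowered[dot:] if dot != -1 else ""
    expected = SIGNATURES.get(ext)
    if expected is None:
        return "unknown-ext"
    head = data[:8]
    if any(head.startswith(sig) for sig in expected):
        if ext == ".docx":
            # A ZIP container is only a DOCX if it carries the OOXML manifest;
            # an SFX stub or plain archive renamed to .docx will not.
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as inner:
                    if "[Content_Types].xml" not in inner.namelist():
                        return "mismatch"
            except zipfile.BadZipFile:
                return "mismatch"
        return "ok"
    if head.startswith(b"MZ"):
        return "pe-masquerade"
    if data.lstrip().lower().startswith(BATCH_TOKENS):
        return "bat-masquerade"
    return "mismatch"


def inspect_archive(zip_bytes):
    """Map every file member of a ZIP archive to its classify() verdict."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {info.filename: classify(info.filename, zf.read(info))
                for info in zf.infolist() if not info.is_dir()}


def build_sample_archive():
    """Constructed sample archive (not a real sample) with one member of each
    kind: batch text behind the lure's evidence-PDF name, a bare MZ header
    behind a .png name, a genuine PDF and a minimal genuine DOCX."""
    docx = io.BytesIO()
    with zipfile.ZipFile(docx, "w") as d:
        d.writestr("[Content_Types].xml", "<Types/>")
        d.writestr("word/document.xml", "<w:document/>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("View Copyright Infringement Evidence.pdf",
                   b"@echo off\r\necho constructed sample\r\n")
        z.writestr("preview.png", b"MZ" + b"\x00" * 62)
        z.writestr("real.pdf", b"%PDF-1.7\n% constructed minimal PDF\n")
        z.writestr("report.docx", docx.getvalue())
    return buf.getvalue()


if __name__ == "__main__":
    for member, verdict in inspect_archive(build_sample_archive()).items():
        print(f"{verdict:15} {member}")
```

The same check can be wired into a mail gateway or sandbox pre-filter; the point is to trust bytes, not names, and to treat any document or image extension that fronts executable or script content as a detonation candidate rather than an attachment to deliver.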
The stealer itself features improved data theft capabilities, focusing on browser credentials, autofill data, cookies (especially Facebook’s cookies.sqlite), Gecko logins, Chrome login data, and credit card details via queries bypassing protections like RmStartSession.
It also enumerates security software through WMI queries on AntiVirusProduct, gathers system information via Win32_ComputerSystem and Win32_OperatingSystem, and maintains persistence in Programs\Startup while employing self-deletion.
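The persistence described above (a Run-key value that launches a portable Python interpreter or a renamed batch script from a user-writable directory) is easy to hunt for in a registry export. The following is an added example, not code from the report; it assumes the input is the text of a `.reg` export of the Run key, accepts both the HKCU and HKLM variants of that key, and the export it parses is constructed for illustration. The path patterns and the two-reason threshold are this example's own assumptions.

```python
import re

# Traits of the staging described above: scripts or interpreters launched from
# user-writable locations, and document/image names handed to a launcher.
USER_WRITABLE = re.compile(
    r"%(appdata|localappdata|temp|tmp)%|\\appdata\\|\\temp\\|\\downloads\\|\\public\\",
    re.I)
SCRIPT_OR_INTERP = re.compile(
    r"\.(bat|cmd|vbs|js|ps1)\b|\b(python|pythonw|wscript|cscript|powershell|cmd)(\.exe)?\b",
    re.I)
DOC_EXT = re.compile(r"\.(pdf|docx|png|jpg)\b", re.I)
RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"

# Constructed .reg export (not taken from a real host): one ordinary entry and
# two entries shaped like the staging the report describes.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Updater"="\"C:\\Users\\user\\AppData\\Roaming\\PDFReader\\python.exe\" C:\\Users\\user\\AppData\\Roaming\\PDFReader\\evidence.docx"
"Evidence"="cmd /c C:\\Users\\user\\Downloads\\View Copyright Infringement Evidence.pdf.bat"
'''


def _unescape(s):
    """Undo .reg string escaping (\\\\ -> \\, \\" -> ")."""
    return s.replace('\\\\', '\\').replace('\\"', '"')


def parse_reg_export(text):
    """Yield (key, name, value) for REG_SZ values in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
            if m:
                yield key, _unescape(m.group(1)), _unescape(m.group(2))


def assess_run_entries(text):
    """Score every value under a Run key; an entry is suspicious when at least
    two independent traits apply, so a signed updater in AppData alone passes."""
    findings = []
    for key, name, cmd in parse_reg_export(text):
        if not key.lower().endswith(RUN_KEY_SUFFIX):
            continue
        reasons = []
        if USER_WRITABLE.search(cmd):
            reasons.append("launches from a user-writable path")
        if SCRIPT_OR_INTERP.search(cmd):
            reasons.append("invokes a script or scripting interpreter")
        if DOC_EXT.search(cmd):
            reasons.append("document/image extension in a startup command")
        findings.append({"name": name, "command": cmd, "reasons": reasons,
                         "suspicious": len(reasons) >= 2})
    return findings


if __name__ == "__main__":
    for f in assess_run_entries(SAMPLE_REG_EXPORT):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag:10} {f['name']}: {f['command']}")
        for r in f["reasons"]:
            print(f"           - {r}")
```

On a live host the same logic applies to the output of `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg` and to an equivalent export of the HKLM key; the Programs\Startup folder can be reviewed with the same path and extension rules applied to the shortcut targets found there.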
Placeholder functions in the codebase hint at future expansions, including screenshot capture, keylogging, file exfiltration, process monitoring, network reconnaissance, browser extension checks, file encryption, and browser history extraction, alongside potential AMSI and ETW tampering via .NET executables to evade EDR solutions.
This evolution underscores Noodlophile’s adaptability, targeting enterprises’ social media footprints for credential harvesting and potential account takeovers.
According to the report, security leaders must prioritize defenses against such infostealers, which exploit static attack surfaces.
Technologies like Morphisec’s Automated Moving Target Defense (AMTD) offer preemptive protection by dynamically reshaping environments, neutralizing threats before execution without reliance on signatures or behavioral heuristics.
As Noodlophile continues to refine its tactics, organizations should enhance email filtering, conduct regular phishing awareness training, and monitor for indicators of compromise to mitigate risks from these weaponized copyright lures.
Key Indicators of Compromise (IOCs)
| Category | Examples |
|---|---|
| Email Patterns | Sender: gmail.com; Subjects: Copyright Infringement Notice, Urgent Action Required; Phrases: “Immediate Action Required”, “Legal Representatives”, “Facebook Page ID” |
| URLs/Domains | https://is.gd/PvLoKt, https://paste.rs/Gc2BJ, http://196.251.84.144/suc/zk2.txt, https://t.ly/c$$1] Telegram Bot Tokens: 7913144042:AAGjalVuULPrUgnBqD8d4O33scWPa0GjPUE, 7414494371:AAHsrQDkPrEVyz9z0RoiRS5fJKI-ihKJpzQ |
| File Hashes | CE69FA159FB53C9A7375EF66153D94480C9A284E373CE8BF22953268F21B2EB2 (dcaathur), FAC94A650CD57B9E8DA397816FA8DDD3217DD568EABA1E46909640CBF2F0A29C (dcaat) |
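The email traits in the table (free-mail sender, legal-themed subject, pressure phrases, generic recipient inbox, "evidence" attachment) combine naturally into a triage score for a mail gateway or SOC enrichment step, as described in the opening paragraphs of the report. The following is an added example, not code from the report; the two messages it scores are constructed, and the weights and threshold are this example's own assumptions.

```python
import re
from email import message_from_string
from email.message import EmailMessage
from email.policy import default

# Lure traits drawn from the reported campaign; weights and threshold assumed here.
FREEMAIL_DOMAINS = {"gmail.com"}
SUBJECT_PATTERNS = (r"copyright infringement", r"urgent action required")
BODY_PHRASES = ("immediate action required", "legal representatives", "facebook page id")
GENERIC_INBOXES = {"info", "support", "contact", "admin"}
ATTACHMENT_RE = re.compile(r"evidence.*\.(pdf|docx|zip|rar)$", re.I)
LURE_THRESHOLD = 6


def _addr_parts(header):
    """Return (localpart, domain) of the first address in a header, lower-cased."""
    m = re.search(r"([\w.+-]+)@([\w.-]+)", str(header or ""))
    return (m.group(1).lower(), m.group(2).lower()) if m else ("", "")


def score_message(raw):
    """Score one RFC 822 message string; returns (score, reasons)."""
    msg = message_from_string(raw, policy=default)
    score, reasons = 0, []

    _, sender_domain = _addr_parts(msg["From"])
    if sender_domain in FREEMAIL_DOMAINS:
        score += 2
        reasons.append(f"free-mail sender domain {sender_domain}")

    subject = str(msg["Subject"] or "").lower()
    for pat in SUBJECT_PATTERNS:
        if re.search(pat, subject):
            score += 2
            reasons.append(f"subject matches '{pat}'")

    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content().lower() if body_part else ""
    for phrase in BODY_PHRASES:
        if phrase in body:
            score += 1
            reasons.append(f"body contains '{phrase}'")

    recipient_local, _ = _addr_parts(msg["To"])
    if recipient_local in GENERIC_INBOXES:
        score += 1
        reasons.append(f"generic inbox {recipient_local}@")

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if ATTACHMENT_RE.search(name):
            score += 3
            reasons.append(f"evidence-style attachment '{name}'")

    return score, reasons


def is_lure(raw):
    return score_message(raw)[0] >= LURE_THRESHOLD


def build_samples():
    """Constructed messages (not real campaign mail): one shaped like the lure,
    one ordinary business message."""
    lure = EmailMessage()
    lure["From"] = "Legal Department <constructed.sender@gmail.com>"
    lure["To"] = "support@example.com"
    lure["Subject"] = "Copyright Infringement Notice - Urgent Action Required"
    lure.set_content("Immediate Action Required.\n"
                     "Our legal representatives found infringing content on your\n"
                     "Facebook Page ID 000000000000 (constructed). See attached.\n")
    lure.add_attachment(b"constructed placeholder, not a real file",
                        maintype="application", subtype="pdf",
                        filename="View Copyright Infringement Evidence.pdf")
    benign = EmailMessage()
    benign["From"] = "Alice <alice@partner.example>"
    benign["To"] = "bob@example.com"
    benign["Subject"] = "Q3 invoice"
    benign.set_content("Hi Bob, the Q3 invoice is on the portal.\n")
    return {"lure": lure.as_string(), "benign": benign.as_string()}


if __name__ == "__main__":
    for label, raw in build_samples().items():
        score, reasons = score_message(raw)
        print(f"{label}: score={score} lure={is_lure(raw)}")
        for r in reasons:
            print(f"  - {r}")
```

A scored message above the threshold is a candidate for quarantine plus attachment detonation rather than outright rejection, since legitimate rights-holder notices can share some of these traits; the reasons list is what an analyst reviews to decide.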