Malvertising campaigns leverage ads with NodeStealer malware


In a clever ploy to compromise Windows PCs, hackers turned to Facebook ads featuring provocative images to trick unsuspecting users into downloading the NodeStealer malware.

Bitdefender recently discovered this sophisticated malvertising campaign involving compromised Facebook Business accounts used to distribute the popular NodeStealer malware.

This new form of malvertising campaign aims to steal valuable information, such as browser cookies, saved usernames and passwords, thereby compromising a user’s online security.

NodeStealer Malware and Malvertising Campaigns

Source: Bitdefender

Cybercriminals are increasingly exploiting social media networks, with a focus on leveraging Meta’s advertising network on Facebook. This approach allows them to target a large user base and compromise their privacy.

Researchers at Bitdefender Labs identified several key elements of this malvertising campaign, including 10 compromised business accounts serving malicious ads, perpetually exposing users to online threats.

NodeStealer malware
Source: Bitdefender

An upgraded version of NodeStealer malware has improved data theft capabilities. Profiles featuring attractive images are used to draw engagement, 140 diverse advertising campaigns expand the reach, and the advertisements are rotated tactically so that the campaign escapes detection.

In an earlier NodeStealer campaign on Facebook, the malware was disguised as fake PDF and XLSX files. The recent resurgence of NodeStealer via a malvertising campaign on the platform demonstrates its adaptability and the attackers’ willingness to refine their techniques.

Improved functionality of NodeStealer malware and previous campaigns

NodeStealer malware
Source: Netskope

The attackers not only relaunched the NodeStealer malware, but also introduced new features, including the ability to target cryptocurrency wallets and make it easier to download additional malware.

Previously, Netskope Threat Labs monitored a campaign that employed malicious Python scripts to steal Facebook users’ credentials and browser data. That campaign mainly focused on Facebook business accounts, using fake Facebook messages containing malicious files.

The attacks primarily affected victims in southern Europe and North America, with the manufacturing services and technology sectors most targeted.

The campaign appears to be a new iteration of the Python-based NodeStealer, still geared toward compromising Facebook business accounts. However, unlike previous iterations of the NodeStealer malware, this variant scrapes all available credentials and cookies, without being limited to Facebook only.

According to Netskope, this particular variant of NodeStealer was hosted on the Facebook Content Delivery Network (CDN) and distributed to victims as an attachment in Facebook messages.

The attackers used images of defective products as a lure to persuade Facebook business page owners or admins to download the malware payload. Unlike previous NodeStealer campaigns, this one uses a batch file instead of an executable as the initial payload.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only and users take full responsibility for their reliance on it. The Cyber Express assumes no responsibility for the accuracy or consequences of the use of this information.