
NodeStealer: The new malware discovered by Facebook

Facebook has discovered a new piece of malware, called "NodeStealer", that steals browser cookies.


NodeStealer

Stealing cookies that contain valid login session tokens is a tactic that is becoming increasingly popular among cybercriminals: it lets them take over accounts without stealing credentials or interacting with the target, while bypassing two-factor authentication protections.

According to a new post on the Facebook security team's blog, the company spotted NodeStealer very early in its distribution campaign, just two weeks after its initial deployment. Since then, the company has disrupted its operation and helped affected users recover their accounts.

In late January 2023, Facebook engineers discovered the NodeStealer malware and attributed the attacks to Vietnamese perpetrators. NodeStealer is written in JavaScript and is executed via Node.js.

Node.js is a runtime for developing software that runs on various operating systems, such as Windows, macOS and Linux. That portability also makes it potentially dangerous, because malware can use it in the same way. It is also worth noting that many antivirus engines on VirusTotal do not flag this software as malicious.

NodeStealer is a 46-51 MB Windows executable file that has been disguised to look like a PDF or Excel file, with a matching file name intended to intrigue the recipient. This file is distributed to users.

On launch, the malware uses Node.js's auto-launch module and adds a new registry key on the victim's computer so that it persists across reboots.
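A defender's way to hunt for the persistence and disguise described above, as an added example that is not part of the original article or of Facebook's published material: it reads the Windows Run keys (or constructed sample entries when not on Windows) and flags autorun commands that invoke Node.js, point at a document-named executable with a double extension, or reference a file in the 46-51 MB range; the regular expressions and size thresholds are assumptions derived from the article's description, not published indicators.

```python
import os
import re
# Thresholds and patterns are assumptions drawn from the article's description:
# a 46-51 MB executable disguised as a PDF/Excel file and run through Node.js.
SIZE_MIN, SIZE_MAX = 46 * 1024 * 1024, 51 * 1024 * 1024
DOUBLE_EXT = re.compile(r"\.(pdf|xlsx?|docx?)\.exe\b", re.IGNORECASE)
NODE_RE = re.compile(r"\bnode(\.exe)?\b", re.IGNORECASE)

def classify_run_entry(command, size_lookup=os.path.getsize):
    """Return the reasons (possibly none) an autorun command looks NodeStealer-like."""
    path = command.strip()  # executable path: the quoted form or the first token
    path = path[1:path.find('"', 1)] if path.startswith('"') else path.split(" ")[0]
    reasons = []
    if DOUBLE_EXT.search(path):
        reasons.append("double extension disguised as document")
    if NODE_RE.search(command):
        reasons.append("invokes Node.js runtime")
    try:
        size = size_lookup(path)  # None or OSError when the file is not on disk
    except OSError:
        size = None
    if size is not None and SIZE_MIN <= size <= SIZE_MAX:
        reasons.append("executable size in 46-51 MB range")
    return reasons

def scan_entries(entries, size_lookup=os.path.getsize):
    """entries: iterable of (name, command); returns {name: reasons} for hits only."""
    return {n: r for n, c in entries if (r := classify_run_entry(c, size_lookup))}

def read_run_keys():
    """Yield (name, command) from the HKCU and HKLM Run keys (Windows only)."""
    import winreg  # standard library, importable only on Windows
    path = r"Software\Microsoft\Windows\CurrentVersion\Run"
    for hive in (winreg.HKEY_CURRENT_USER, winreg.HKEY_LOCAL_MACHINE):
        with winreg.OpenKey(hive, path) as key:
            for i in range(winreg.QueryInfoKey(key)[1]):
                name, value, _ = winreg.EnumValue(key, i)
                yield name, str(value)

# Constructed sample entries for offline demonstration; not real indicators.
SAMPLE_ENTRIES = [
    ("OneDrive", r'"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("Update", r'"C:\Users\u\AppData\Roaming\Invoice_2023.pdf.exe"'),
    ("svc", r"C:\Users\u\AppData\Roaming\node.exe C:\Users\u\AppData\Roaming\app.js"),
]

if __name__ == "__main__":
    entries = list(read_run_keys()) if os.name == "nt" else SAMPLE_ENTRIES
    for name, reasons in scan_entries(entries).items():
        print(f"[!] {name}: {', '.join(reasons)}")
```

Treat hits as leads for review rather than verdicts: a legitimate Node.js-based application in a Run key will also trigger the runtime check.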

The malware's main goal is to steal the cookies and credentials of Facebook, Gmail and Outlook accounts as stored by Chromium-based browsers such as Google Chrome, Microsoft Edge, Brave and Opera.


Facebook

Usually, this data is stored encrypted in the browser's SQLite database. Reversing that encryption, however, is a trivial step practiced by all modern information stealers, which simply retrieve the base64-encoded decryption key from the Chromium "Local State" file.

To evade Facebook's anti-abuse systems, NodeStealer sends its requests from the victim's own IP address and uses the stolen cookies together with the system configuration to make them look like those of a genuine user.

The key information that the malware seeks is the ability of the Facebook account to run advertising campaigns, which the malicious actors use to promote misinformation or lead unsuspecting members of the public to other malware distribution sites.

Following the discovery, Facebook announced that it had identified the threat actor's server and added it to its list of blocked domains, before taking it down on January 25, 2023. In today's report, Facebook also provided further information about the DuckTail malware and about malicious add-ons posing as ChatGPT.


For those interested, Facebook has published the indicators of compromise (IOCs) for NodeStealer, DuckTail and the ChatGPT imitators in its public GitHub repository.

Absenta Mia