NodeStealer Malware Targets Facebook Ad Accounts, Harvests Credit Card Data
Cybersecurity experts have warned about an updated version of the NodeStealer malware that is targeting victims' Facebook advertising accounts and harvesting credit card data stored in web browsers.
In a report shared with The Hacker News, Netskope Threat Labs researcher Jan Michael Alcantara said: "They exploit budget details in the victim's Facebook Ads Manager account, turning this into a starting point to deploy malicious advertising campaigns on the Facebook platform."
"The NodeStealer malware has deployed new techniques, including using the Windows Restart Manager to unlock browser database files, injecting junk code to complicate analysis, and using batch scripting to dynamically create and execute Python scripts," Alcantara added.
NodeStealer was first publicly documented by Meta in May 2023, initially as a JavaScript-based malware. However, it has since evolved into a data-stealing tool written in Python, capable of harvesting information related to Facebook accounts, thereby facilitating account takeovers.
The malware is believed to have been developed by Vietnamese cybercriminal groups who have used a variety of malware, primarily targeting Facebook advertising accounts and business accounts for other malicious activities.
Additionally, some NodeStealer variants have been found to use the Windows Restart Manager, a legitimate operating system component, to unlock SQLite database files that are held open by other processes, such as a running browser.
The goal is to read sensitive data, such as saved credit card information, from the profile databases of various web browsers. Because the file lock is released through a legitimate Windows mechanism rather than by forcefully terminating the browser, the data collection is harder to notice and to distinguish from normal system activity.
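From the defender's side, the combination described above is unusual for an ordinary user-land process: loading the Restart Manager library (rstrtmgr.dll) and then opening a browser profile database such as Chromium's "Web Data" or "Login Data". The following added example, which is not code from the article or from Netskope, correlates constructed telemetry records (pid, image, event type, target path; not any real EDR's schema) and flags processes that do both while not being a known installer component. The allow-list of installer images is illustrative and would need tuning per environment.

```python
import json
from collections import defaultdict
from pathlib import PureWindowsPath

# Chromium profile SQLite stores holding saved cards, credentials and cookies.
BROWSER_DB_NAMES = {"web data", "login data", "cookies"}
# Illustrative allow-list: components that legitimately call Restart Manager during installs.
ALLOWED_IMAGES = {"msiexec.exe", "tiworker.exe", "trustedinstaller.exe"}

# Constructed sample telemetry (newline-delimited JSON), not captured from a real host.
SAMPLE_EVENTS = r"""
{"pid": 4120, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\upd\\python.exe", "event": "image_load", "target": "C:\\Windows\\System32\\rstrtmgr.dll"}
{"pid": 4120, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\upd\\python.exe", "event": "file_open", "target": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data"}
{"pid": 4120, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\upd\\python.exe", "event": "file_open", "target": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"pid": 880, "image": "C:\\Windows\\System32\\msiexec.exe", "event": "image_load", "target": "C:\\Windows\\System32\\rstrtmgr.dll"}
{"pid": 2200, "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "event": "file_open", "target": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data"}
"""


def parse_events(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_restart_manager_abuse(events):
    """Return {pid: {"image", "databases"}} for non-installer processes that
    load rstrtmgr.dll and also open a browser profile database."""
    loaded_rm = {}                 # pid -> image path of processes that loaded rstrtmgr.dll
    touched_db = defaultdict(set)  # pid -> browser DB file names opened
    for ev in events:
        target = PureWindowsPath(ev["target"])
        if ev["event"] == "image_load" and target.name.lower() == "rstrtmgr.dll":
            loaded_rm[ev["pid"]] = ev["image"]
        elif ev["event"] == "file_open" and target.name.lower() in BROWSER_DB_NAMES:
            touched_db[ev["pid"]].add(target.name)
    hits = {}
    for pid, image in loaded_rm.items():
        if pid in touched_db and PureWindowsPath(image).name.lower() not in ALLOWED_IMAGES:
            hits[pid] = {"image": image, "databases": sorted(touched_db[pid])}
    return hits


if __name__ == "__main__":
    for pid, info in find_restart_manager_abuse(parse_events(SAMPLE_EVENTS)).items():
        print(f"pid {pid}: {info['image']} unlocked and read {info['databases']}")
```

Only the Temp-directory python.exe is reported: msiexec.exe loads the library without touching browser data, and chrome.exe opens its own database without going through Restart Manager.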
Malicious Facebook ads are a highly effective infection channel, often leveraging the credibility of well-known brands to spread malware in various forms. This is evident in a new campaign, which began on November 3, 2024, in which attackers impersonated the password manager Bitwarden.
Through sponsored ads on Facebook, they lure users into installing a fake Google Chrome extension that in turn delivers the malware to the victim's system. The campaign not only deceives individual users but also abuses the reach of the Facebook platform to distribute the malware widely and efficiently.
In a report published on November 17, cybersecurity company Bitdefender said: "This malware collects personal information and targets business accounts on Facebook, potentially causing serious financial damage to both individuals and businesses."
The security firm also noted that the campaign once again highlights how threat actors exploit trusted platforms like Facebook to scam users, causing them to inadvertently weaken their own security measures.