Date: 2023-05-04

Meta announced it disrupted a new malware family called NodeStealer within weeks of its emergence. The malware was designed to grab cookies and usernames from browsers and compromise online accounts. Disguised as PDF and XLSX files, NodeStealer is likely of Vietnamese origin. Meta said it contacted various third parties that the bad actors had targeted to assist in distributing the malware.

NodeStealer is executed using the open-source JavaScript runtime environment Node.js. The malware uses the auto-launch module to attain persistence and adds a new registry key to ensure it launches at startup. The malware targets encrypted cookie databases and user credentials for Facebook, Gmail, and Outlook. NodeStealer also made unauthorized requests to retrieve advertising-related account details, which can be used to run unauthorized ads on Facebook. The malware sends the stolen information to its command-and-control server, which was activated in December 2022 and suspended the following month. Meta also warned that malicious actors are using the promise of generative AI to trick users into installing malware on their own devices.
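A defender can review startup registry entries for the two traits described above, startup persistence and document-disguised file names. The following is an added example, not code from Meta or from the malware. It assumes the per-user `Run` key as the startup location (the page does not name the key), and the sample `reg query` output, the `audit_run_key` name and the directory list are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of `reg query HKCU\...\Run` output (not real telemetry).
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background
    Quarterly report    REG_SZ    C:\Users\alice\Downloads\Quarterly report.xlsx.exe
    Updater    REG_EXPAND_SZ    "%LOCALAPPDATA%\Temp\viewer.exe" --hidden
    Teams    REG_SZ    C:\Program Files\Teams\Teams.exe
"""

# reg.exe separates value name, type and data with four spaces; names may contain spaces.
VALUE_LINE = re.compile(
    r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_(?:EXPAND_)?SZ)\s{4}(?P<data>.+)$")
# Quoted command, or an unquoted path (possibly with spaces) ending in a runnable extension.
EXECUTABLE = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|scr|com|bat|cmd|js))(?=\s|$)', re.I)
# Document extension followed by a runnable one, e.g. "report.xlsx.exe".
LURE_NAME = re.compile(r"\.(?:pdf|xlsx?|docx?)\.(?:exe|scr|com|bat|cmd|js)$", re.I)
# Assumed heuristic: user-writable directories where downloaded files usually land.
DROP_DIRS = ("\\downloads\\", "\\temp\\", "\\desktop\\")


def executable_of(data):
    """Return the program path from a Run value's command line."""
    data = data.strip()
    m = EXECUTABLE.match(data)
    if m:
        return m.group(1) or m.group(2)
    return data.split()[0] if data else ""


def audit_run_key(reg_output):
    """Return (value name, path, reasons) for Run entries that deserve review."""
    findings = []
    for line in reg_output.splitlines():
        m = VALUE_LINE.match(line)
        if not m:
            continue  # key header or blank line
        path = executable_of(m["data"])
        reasons = []
        if LURE_NAME.search(PureWindowsPath(path).name):
            reasons.append("document-lure double extension")
        if any(d in path.lower() for d in DROP_DIRS):
            reasons.append("starts from user-writable drop directory")
        if reasons:
            findings.append((m["name"], path, reasons))
    return findings
```

Both checks are triage heuristics: legitimate software can also autostart from a user profile, so a hit is a prompt to inspect the file, not a verdict.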

