Summary:
Researchers investigating a Facebook stealer campaign discovered a new Node.js-based stealer that exfiltrates stolen data through the Telegram Bot API and a command-and-control (C&C) server, using GraphQL for communication. The stealer is distributed through deceptive Facebook ads and hosted on platforms such as Google Sites and Trello. The Node.js executable inside the archive bundles the stealer code together with its dependencies, which makes it a large file.

The stealer's main function steals cookies and credentials from Chromium-based browsers and sends them to the C&C server and a Telegram bot. It also subscribes the client to the C&C server for communication. The analysis outlines the main function routine, the handling of push messages, and the information-theft process, which targets browsers including Microsoft Edge, Chrome, Opera and Brave and collects cookies, login credentials and browser information. Stolen data is exfiltrated to the C&C server via GET requests carrying encrypted payloads. The analysis also covers the stealer's anti-analysis features, such as hiding the console window and suppressing error messages, and notes that comments and variable names in the code suggest the threat actors know Vietnamese.

The report emphasizes user vigilance and sound security practices to avoid malware distributed through malicious ads, offering tips on recognizing and protecting against such threats. Because this sophisticated stealer campaign spreads through deceptive Facebook ads, users should exercise caution, use security tools, and learn the common signs of malicious ads.

Threat Profile:
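As an added example (not code from the report or the researchers), the following Python heuristics apply the two exfiltration patterns the summary describes to constructed host-agent log lines: a non-browser process calling the Telegram Bot API, and a GET request whose query string carries a long, high-entropy value of the kind an encrypted payload produces. The log format, process names, the Telegram allowlist and the length and entropy thresholds are assumptions made for this example.

```python
"""Detection heuristics for the exfiltration patterns described in the summary:
a non-browser process talking to the Telegram Bot API, and GET requests whose
query string carries a long, high-entropy (encrypted or encoded) value.

Log format (constructed for this example, not from the report):
    <timestamp> <process_name> <HTTP_method> <url>
"""
import math
import re
from urllib.parse import parse_qsl, urlsplit

# Telegram Bot API calls look like https://api.telegram.org/bot<bot_id>:<token>/<method>
TELEGRAM_BOT_RE = re.compile(
    r"^https://api\.telegram\.org/bot\d+:[A-Za-z0-9_-]+/", re.IGNORECASE
)

# Processes expected to carry normal browsing traffic; a long encrypted blob in a
# GET query string from anything else is suspicious. (Assumed names.)
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "opera.exe", "brave.exe", "firefox.exe"}

# Hypothetical allowlist of in-house automation that legitimately uses Telegram bots.
TELEGRAM_ALLOWLIST = {"alerting-bot.exe"}

PAYLOAD_MIN_LEN = 64       # shorter query values are rarely an exfiltrated blob
PAYLOAD_MIN_ENTROPY = 4.5  # bits per character; encrypted/base64 data sits well above this


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of `text` (0.0 for an empty string)."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def parse_line(line: str):
    """Split one log line into (timestamp, process, method, url)."""
    ts, proc, method, url = line.split(maxsplit=3)
    return ts, proc.lower(), method.upper(), url


def analyze_line(line: str) -> list:
    """Return the detection names that fire on one log line (empty if clean)."""
    _, proc, method, url = parse_line(line)
    findings = []

    # Rule 1: Telegram Bot API traffic from any process not explicitly allowed.
    if TELEGRAM_BOT_RE.match(url) and proc not in TELEGRAM_ALLOWLIST:
        findings.append("telegram_bot_api_from_unexpected_process")

    # Rule 2: GET request carrying a long, high-entropy query value from a non-browser.
    if method == "GET" and proc not in BROWSER_PROCESSES:
        for key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
            if len(value) >= PAYLOAD_MIN_LEN and shannon_entropy(value) >= PAYLOAD_MIN_ENTROPY:
                findings.append(f"high_entropy_get_payload:{key}")
    return findings


def scan(lines) -> dict:
    """Map the index of each flagged line to its findings; clean lines are omitted."""
    flagged = {}
    for i, line in enumerate(lines):
        findings = analyze_line(line)
        if findings:
            flagged[i] = findings
    return flagged


# Constructed sample log (not from the report). The 64-character blob below uses every
# URL-safe base64 symbol exactly once and stands in for an encrypted payload.
ENCRYPTED_BLOB = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"
SAMPLE_LOG = [
    "2024-01-10T10:00:01Z chrome.exe GET https://www.facebook.com/?ref=home",
    "2024-01-10T10:00:05Z node-stealer.exe GET "
    "https://api.telegram.org/bot1234567890:EXAMPLE_TOKEN_PLACEHOLDER/sendDocument?chat_id=1",
    "2024-01-10T10:00:07Z node-stealer.exe GET "
    f"https://c2.example.invalid/graphql?data={ENCRYPTED_BLOB}",
    # Long but repetitive value: length alone must not trigger the payload rule.
    "2024-01-10T10:00:09Z updater.exe GET "
    "https://updates.example.invalid/check?v=" + "1.0." * 16,
    # Allowlisted automation using the Bot API legitimately.
    "2024-01-10T10:00:11Z alerting-bot.exe POST "
    "https://api.telegram.org/bot1234567890:EXAMPLE_TOKEN_PLACEHOLDER/sendMessage",
]

if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_LOG).items():
        print(f"line {idx}: {', '.join(findings)}")
```

The entropy check is what keeps the second rule useful: a long version string or session identifier from an updater has low per-character entropy and passes, while an encrypted or base64 blob of the same length does not. In production the process allowlists would come from the environment's own inventory rather than the hard-coded sets above.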