{ "Event": { "analysis": "1", "date": "2024-12-19", "extends_uuid": "", "info": "[Threat Intel] Python-Based NodeStealer Version Targets Facebook Ads Manager", "protected": false, "publish_timestamp": "1780439641", "published": true, "threat_level_id": "2", "timestamp": "1780439641", "uuid": "b84131c5-e0d4-406c-96f6-fd36461f0780", "Orgc": { "name": "Rectifyq", "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4" }, "Tag": [ { "colour": "#717bc3", "local": false, "name": "misp-galaxy:producer=\"Trend Micro\"", "relationship_type": "" }, { "colour": "#ffffff", "local": false, "name": "tlp:clear", "relationship_type": "" }, { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" }, { "colour": "#3000b9", "local": false, "name": "rectifyq:workflow=\"enrichment\"", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"none-from-src\"", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"self-curated\"", "relationship_type": "" }, { "colour": "#705cef", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Scheduled Task - T1053.005\"", "relationship_type": "" }, { "colour": "#72ee33", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Keylogging - T1056.001\"", "relationship_type": "" }, { "colour": "#0c8fe6", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Local Email Collection - T1114.001\"", "relationship_type": "" }, { "colour": "#c202a1", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Spearphishing Link - T1566.002\"", "relationship_type": "" }, { "colour": "#68f2ff", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Data from Local System - T1005\"", "relationship_type": "" }, { "colour": "#a92e1c", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"", "relationship_type": "" }, { "colour": "#a9f8b1", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over C2 Channel - T1041\"", "relationship_type": "" }, { "colour": "#755c09", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\"", "relationship_type": "" }, { "colour": "#b76d96", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1547.001\"", "relationship_type": "" }, { "colour": "#e08bb2", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"", "relationship_type": "" }, { "colour": "#92e858", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"", "relationship_type": "" }, { "colour": "#e1e63b", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"DLL Side-Loading - T1574.002\"", "relationship_type": "" }, { "colour": "#5884a7", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Malicious Link - T1204.001\"", "relationship_type": "" }, { "colour": "#915448", "local": false, "name": "misp-galaxy:target-information=\"Malaysia\"", "relationship_type": "" }, { "colour": "#49a260", "local": false, "name": "rectifyq:category=\"threat\"", "relationship_type": "" }, { "colour": "#120044", "local": false, "name": "rectifyq:sub-category=\"intrusion-analysis\"", "relationship_type": "" }, { "colour": "#d92121", "local": false, "name": "rectifyq:target=\"targeted\"", "relationship_type": "" }, { "colour": "#dd2e44", "local": false, "name": "rectifyq:MY-relevancy=\"relevant\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:sector=\"Education\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:malpedia=\"NodeStealer\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:malpedia=\"Raspberry Robin\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Python - T1059.006\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:country=\"vietnam\"", "relationship_type": "" }, { "colour": "#3800d9", "local": false, "name": "rectifyq:action-taken=\"VT-comment\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1736659637", "to_ids": false, "type": "link", "uuid": "ff419791-1e4b-421e-9026-5565215ed2dc", "value": "https://www.trendmicro.com/en_us/research/24/l/python-based-nodestealer.html" }, { "category": "Other", "comment": "Description", "deleted": false, "disable_correlation": false, "timestamp": "1736659637", "to_ids": false, "type": "text", "uuid": "fc808899-5d3b-42e8-9023-40d7da025412", "value": "The latest variant of NodeStealer has evolved from JavaScript to Python, expanding its data theft capabilities. Trend Micro's MXDR team uncovered this advanced version in a campaign targeting a Malaysian educational institution, linked to a Vietnamese threat group. The malware now targets Facebook Ads Manager accounts, stealing critical financial and business information alongside credit card details and browser data. The infection begins with a spear-phishing email containing a malicious link, which downloads and installs the malware disguised as a legitimate application. Sophisticated techniques like DLL sideloading and encoded PowerShell commands are used to bypass security and execute the final payload, exfiltrating data via Telegram." }, { "category": "Other", "comment": "Summary", "deleted": false, "disable_correlation": false, "timestamp": "1736659637", "to_ids": false, "type": "text", "uuid": "e1e51262-17d8-4c31-a2a4-15e9f70ed9a4", "value": "Name: Python-Based NodeStealer Version Targets Facebook Ads Manager\nAuthor: AlienVault\nAdversary: Vietnamese threat group\nTags: [\"dll sideloading\", \"nodestealer\", \"data exfiltration\", \"python\", \"telegram\", \"facebook ads manager\", \"spear-phishing\", \"infostealer\"]\nTgtd countries: [\"Malaysia\"]\nMlwr families: [\"NodeStealer\"]\nAttack_ids: [\"T1053.005\", \"T1056.001\", \"T1114.001\", \"T1566.002\", \"T1005\", \"T1140\", \"T1041\", \"T1059.001\", \"T1547.001\", \"T1027\", \"T1071.001\", \"T1574.002\", \"T1204.001\"]\nIndustries: [\"Education\"]" }, { "category": "Attribution", "comment": "Adversary", "deleted": false, "disable_correlation": false, "timestamp": "1780384725", "to_ids": false, "type": "threat-actor", "uuid": "ffe34be7-dd4f-477b-a0c9-3dbbe9bad280", "value": "Vietnamese threat group", "Tag": [ { "colour": "#0088cc", "local": false, "name": "misp-galaxy:country=\"vietnam\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "No sample in VT\r\nLast check:02/05/2025", "deleted": false, "disable_correlation": false, "timestamp": "1746134400", "to_ids": true, "type": "sha256", "uuid": "e9d9f743-1660-46a1-aeef-f93a30b4d898", "value": "786db3ddf2a471516c832e44b0d9a230674630c6f99d3e61ada6830726172458", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "Malicious download link", "deleted": false, "disable_correlation": false, "timestamp": "1746131403", "to_ids": true, "type": "url", "uuid": "57b84391-6176-473d-8d6c-9f239686c259", "value": "https://t.ly/MRAbJ" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1746131403", "to_ids": true, "type": "url", "uuid": "b3134e60-0f89-43fa-a1be-1280474ce927", "value": "http://88.216.99.5:15707/entry.txt" }, { "category": "Other", "comment": "Password for license.rar", "deleted": false, "disable_correlation": false, "timestamp": "1746132646", "to_ids": false, "type": "text", "uuid": "8245243a-3efc-455f-a47d-0315bc8736e7", "value": "Kimsexy@hacking.vn" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1780439384", "to_ids": true, "type": "filename", "uuid": "dff2d84f-74c3-4cb1-8c1d-50440c4cee1a", "value": "Nombor Rekod 052881.zip" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1780439641", "to_ids": true, "type": "ip-dst", "uuid": "81d70edc-0640-4a89-8c24-d5fce88a1fc2", "value": "88.216.99.5", "Tag": [ { "colour": "#e2e49e", "local": false, "name": "asn:asn=\"62164\"", "relationship_type": "" }, { "colour": "#fcbc59", "local": false, "name": "asn:as-owner=\"HEYMMAN-2\"", "relationship_type": "" }, { "colour": "#1273fb", "local": false, "name": "asn:as-country=\"CA\"", "relationship_type": "" }, { "colour": "#813aa0", "local": false, "name": "misp-galaxy:country=\"canada\"", "relationship_type": "" } ] } ], "Object": [ { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1746134396", "uuid": "594b7097-9c5f-4dde-a075-858d4b9cea25", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1746134396", "to_ids": true, "type": "md5", "uuid": "a1ee6337-386e-41db-8226-5ee08c1164db", "value": "e7d16c318fe8e957ffeaac436d275977", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1746134231", "to_ids": true, "type": "sha1", "uuid": "11dccfdc-c561-46c6-98f9-9ab3f017328f", "value": "c422b0dc002533fad9bed9a8eb6ae7c17a57405d", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1746134231", "to_ids": true, "type": "sha256", "uuid": "b41ecb78-d6bf-43f0-92d3-fa63be39a49c", "value": "1c9c7bb07acb9d612af2007cb633a6b1f569b197b1f93abc9bd3af8593e1ec66", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1746134231", "to_ids": true, "type": "ssdeep", "uuid": "e00560d1-ceb0-4e49-a764-424a9e40fe33", "value": "96:FZGANb4G0F9Hc4UnO54FqOhaz/9Q/Gnro8eCQXxodgVrIL6JXZhoXHooysr2M/wY:dZePc4UnOuFqhaG087YouVc+JphoXIoZ" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1746134231", "to_ids": false, "type": "size-in-bytes", "uuid": "cf2c14a5-a99d-49f3-a1e0-0fee5a3d3a59", "value": "6058" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1746134231", "to_ids": true, "type": "filename", "uuid": "66082486-af5c-442d-ba02-e4a0b2c51ea8", "value": "active-license.bat" }, { "category": "Other", "comment": "Checked: 02/05/2025\nLast-scan\t: 29/04/2025", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1746134231", "to_ids": false, "type": "text", "uuid": "0a2464df-c6c2-422f-a57d-90d227f4fbda", "value": "Type Description: DOS batch file\nMicrosoft: Trojan:Win32/Alevaul!rfn\nVT Total Detection:26/61\nFirst Submission:2024-11-22T09:11:15.000000+00:00\nLast Submission:2024-11-22T09:11:15.000000+00:00" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1746134397", "uuid": "a25c5475-e178-4f5e-b493-9911384fa0bd", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1746134397", "to_ids": true, "type": "md5", "uuid": "071e82c0-71c5-46fb-9de2-45bcc6143af7", "value": "2e227021e9882cfb4873c6dd19641630", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#260093", "local": false, "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1746134274", "to_ids": true, "type": "sha1", "uuid": "ce2d607a-0d4d-4a3a-b117-44b1c59bfc65", "value": "8d9a2d6ead3f72d5d9fcc6b852e8a68bff988708", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#260093", "local": false, "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1746134274", "to_ids": true, "type": "sha256", "uuid": "50865f23-f75d-4231-94de-02d4335d40ad", "value": "ed1c48542a3e58020bd624c592f6aa7f7868ee16fbb03308269d44c4108011b1", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#260093", "local": false, "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1746134274", "to_ids": true, "type": "ssdeep", "uuid": "06acb13e-2352-45d5-b7fb-2e0f93958315", "value": "393216:KQDG29CHk/E0jV2KFbICdcQD6H9iaDyKhfxO81:KY5CEcwFbdLD6H9iaDFVv1" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1746134275", "to_ids": false, "type": "size-in-bytes", "uuid": "b9ca08fe-a204-41d7-99bb-9022c854754b", "value": "13443022" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1746134275", "to_ids": true, "type": "filename", "uuid": "90863b7e-79de-44c5-8da6-16d25f95951b", "value": "license.rar" }, { "category": "Other", "comment": "Checked: 02/05/2025\nLast-scan\t: 29/04/2025", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1746134275", "to_ids": false, "type": "text", "uuid": "74bae92f-a92d-4895-a4ad-f4e5a4b6538d", "value": "Type Description: RAR\nMicrosoft: None\nVT Total Detection:0/62\nFirst Submission:2024-11-22T08:58:51.000000+00:00\nLast Submission:2025-03-28T17:26:15.000000+00:00" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1746134398", "uuid": "5910beb0-dc1c-4a70-89c0-d7ba69ad5235", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1746134398", "to_ids": true, "type": "md5", "uuid": "80a97249-3727-4240-b631-1ddd2db09b44", "value": "23eba7b551a61ddd3a38797e48a04ae1", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1746134296", "to_ids": true, "type": "sha1", "uuid": "ecbfbf9e-1d42-463f-b89c-b3b6ad1e753d", "value": "e9a578b98b70e0c2e2bc4ee1f33cae1270297846", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1746134296", "to_ids": true, "type": "sha256", "uuid": "99073f90-0b04-4b05-b9df-4c590ff261e8", "value": "f813da93eed9c536154a6da5f38462bfb4ed80c85dd117c3fd681cf4790fbf71", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1746134295", "to_ids": true, "type": "ssdeep", "uuid": "268f39fb-2690-41e2-b093-4f34b20cbb20", "value": "3145728:+NZ4C1nUndKgi4EVgF0POQMdhD4j0lHqvdE2M4d3k2IUB:+YC+nAgiJOFQz3j0NqFEJ4dlB" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1746134295", "to_ids": false, "type": "size-in-bytes", "uuid": "d0521ed2-7ce0-453a-9dea-a48294e85c27", "value": "142606336" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1746134295", "to_ids": true, "type": "vhash", "uuid": "6885c9d4-f453-4878-a554-ebfd7ae8b7db", "value": "118056655d15156az49=z17" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1746134295", "to_ids": true, "type": "filename", "uuid": "e4fac330-5c4b-4997-a280-b004f91c31a8", "value": "Vsync Helper.dll" }, { "category": "Other", "comment": "Checked: 02/05/2025\nLast-scan\t: 03/03/2025", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1746134295", "to_ids": false, "type": "text", "uuid": "7061ebf5-9378-4095-a4e0-14c3fe8030aa", "value": "Type Description: Win32 DLL\nMicrosoft: Trojan:Win32/Casdet!rfn\nVT Total Detection:32/70\nFirst Submission:2024-11-14T11:48:47.000000+00:00\nLast Submission:2024-11-14T11:48:47.000000+00:00" } ] } ] } }