
Facebook Foils New NodeStealer Malware Designed to Steal Information
- Written by Ari Denial Cybersecurity & Tech Writer
Meta, the parent company of Facebook, has announced that it disrupted NodeStealer, a new information-stealing malware family that emerged earlier this year and was built to steal cookies and login credentials from web browsers. The malware was distributed disguised as PDF and XLSX files, was first identified by Meta roughly two weeks after it was deployed, and is assessed to be of Vietnamese origin.
Meta responded by contacting the relevant service providers and submitting takedown requests. The company says its efforts to disrupt NodeStealer have been successful: no new samples of the malware have been observed since February 2023.
NodeStealer is written in JavaScript and runs under Node.js, which ships inside the malware itself. Because Node.js runs on Windows, macOS, and Linux, the code is portable, although the observed samples were Windows executables. It also evaded detection: at the time, most anti-virus engines on VirusTotal did not flag it as malicious.
The malware is distributed as a 46-51 MB Windows executable (the bundled Node.js runtime accounts for the size) disguised as a PDF or Excel document, with a file name chosen to pique the recipient's interest. Once launched, NodeStealer uses the auto-launch module for Node.js to establish persistence across reboots, which it does by adding a new Windows registry entry at launch so that the malware is started again after a reboot.
NodeStealer steals cookies and account credentials for Facebook, Gmail, and Outlook from the victim's web browsers. To read the encrypted values it first retrieves the base64-encoded decryption key that the browser keeps alongside its encrypted cookie and password stores. It then uses the stolen session cookies to query Facebook's APIs for details of the compromised accounts, issuing those requests from the infected machine so that they originate from the victim's own IP address and blend in with normal account activity.
NodeStealer sends the stolen cookies, credentials, and account details to the attacker's server. The attackers' real target is the hijacked Facebook account's ability to run advertising campaigns, which can then be used to promote misinformation or to direct unsuspecting audiences to malware distribution sites.
Meta took down the threat actor's server in January 2023, shortly after discovering it. The company also released details of DuckTail malware operations and of malicious browser extensions posing as ChatGPT tools, and has shared indicators of compromise (IOCs) for these threats in its public GitHub repository.

University’s Emergency System Hacked by Cybercriminals to Issue Threats towards Students and Faculty
- Written by Ari Denial Cybersecurity & Tech Writer
Attackers hijacked Bluefield University's RamAlert emergency alert system and used it to threaten to leak admissions data unless the university paid a ransom. The messages, sent to students and staff through the alert system, urged recipients to pressure the university's president to meet the demands.
The university's investigation into the attack found no evidence of financial fraud or identity theft, and it assured faculty and students that it was safe to keep using its resources.
However, on May 1st, 2023, the AvosLocker ransomware gang still had access to the RamAlert system. The criminals used it to send text messages and emails threatening to leak personal data unless the ransom was paid. The university has not disclosed whether it paid. WVVA was the first to report the incident.
The AvosLocker gang's alerts to students and staff claimed that the group had breached the university network and exfiltrated 1.2 TB of files. The group urged recipients not to believe the university's statements downplaying the severity of the attack and shared links to its data leak site, announcing that a first sample would be leaked on May 1st, 2023.
AvosLocker then used the hijacked RamAlert system for a final message threatening to publish all of the stolen data if the university did not pay. The group released some of the data, including the president's W-2 tax form and a document relating to the university's insurance policy. Bluefield University is still restoring its systems, and there is no evidence that student data has been misused.
The university acknowledged that its emergency alert system had been hacked and warned recipients not to respond to the messages or click on links sent by the criminals. Ransomware groups already practice double and triple extortion: calling partners, emailing customers and competitors, and running data leak portals. Using a victim's own emergency alert system for extortion appears to be a new tactic, and it shows how far ransomware actors will go to increase their leverage.