Monday , January 27 2025
Hacker

Python NodeStealer: harvest credit card and Facebook Ads Manager

infosecbulletin Sunday , November 24 2024 Cyber Attack

Jan Michael Alcantara of Netskope Threat Labs reported, Python NodeStealer has resurfaced with advanced techniques and a broader target range. The report shows that primarily the infostealer to target Facebook business accounts and harvests credit card information.

The malware targets Facebook Ads Manager accounts to steal login details, cookies, and budget information through Facebook’s Graph API. Attackers log into adsmanager.facebook.com using the victim’s cookies to access financial data like daily ad spending limits and total campaign budgets.

New Ransomware Tactics Target VMware ESXi Via SSH Tunneling

By infosecbulletin / Sunday , January 26 2025
Sygnia's recent report highlights the changing strategies of ransomware groups targeting VMware ESXi appliances. These attackers exploit vital virtual infrastructure...
Read More
New Ransomware Tactics Target VMware ESXi Via SSH Tunneling

Palo Alto Firewalls Found Vulnerable to Secure Boot Bypass

By infosecbulletin / Friday , January 24 2025
An exhaustive evaluation of three firewall models from Palo Alto Networks has uncovered a host of known security flaws impacting...
Read More
Palo Alto Firewalls Found Vulnerable to Secure Boot Bypass

CISA Releases 6 ICS Advisories Detailing Security Issues

By infosecbulletin / Friday , January 24 2025
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released 6 advisories for Industrial Control Systems (ICS), highlighting vulnerabilities in various...
Read More
CISA Releases 6 ICS Advisories Detailing Security Issues

Account Credentials for Security Vendors Found on Dark Web: Cyble Report

By infosecbulletin / Thursday , January 23 2025
# "While many leaked security credentials belong to customers, some exposed sensitive accounts suggest that security vendors too have been...
Read More
Account Credentials for Security Vendors Found on Dark Web: Cyble Report

Four Critical Ivanti CSA Vulnerabilities Exploited: CISA , FBI warns

By infosecbulletin / Thursday , January 23 2025
The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have released a joint Cybersecurity Advisory...
Read More
Four Critical Ivanti CSA Vulnerabilities Exploited: CISA , FBI warns

GitLab Releases Patch (CVE-2025-0314) for XSS Exploit

By infosecbulletin / Thursday , January 23 2025
GitLab has released update for high severity cross-site scripting (XSS) flaw. Versions 17.8.1, 17.7.3, and 17.6.4 for both Community Edition...
Read More
GitLab Releases Patch (CVE-2025-0314) for XSS Exploit

CVE-2025-20156
Cisco Fixes Meeting Management Allowing Privilege Escalation

By infosecbulletin / Thursday , January 23 2025
Cisco has released a security advisory concerning a critical privilege escalation vulnerability (CVE-2025-20156) in its Meeting Management software. With a...
Read More
CVE-2025-20156 Cisco Fixes Meeting Management Allowing Privilege Escalation

Delay patching leaves about 50,000 Fortinet firewalls to zero-day attack

By infosecbulletin / Wednesday , January 22 2025
Fortinet customers must apply the latest updates, as almost 50,000 management interfaces remain vulnerable to the latest zero-day exploit. The...
Read More
Delay patching leaves about 50,000 Fortinet firewalls to zero-day attack

Daily Security Update Dated: 21.01.2025

By infosecbulletin / Tuesday , January 21 2025
Every day a lot of cyberattack happen around the world including ransomware, Malware attack, data breaches, website defacement and so...
Read More
Daily Security Update Dated: 21.01.2025

126 Linux kernel Vulns Allow Attackers Exploit 78 Linux Sub-Systems

By infosecbulletin / Tuesday , January 21 2025
Ubuntu 22.04 LTS users are advised to update their systems right away due to a crucial security patch from Canonical...
Read More
126 Linux kernel Vulns Allow Attackers Exploit 78 Linux Sub-Systems

Netskope researchers believe that targeting Ads Manager aims to use stolen accounts for harmful advertising campaigns, which may involve fraudulent promotions or malvertisements that spread more malware.

NodeStealer not only targets Facebook accounts but now also steals credit card information. It copies the “Web Data” SQLite database from browsers to extract cardholder names, expiration dates, and card numbers. By using Python’s SQLite3 library, it queries stored payment data, expanding its threat significantly.

NodeStealer’s new variants cutting edge methods:

Researchers found that some Python NodeStealer variants use Windows Restart Manager to unlock database files. This library minimizes the need for reboots during software updates by restarting processes that lock files. In this case, the malware exploits Restart Manager to steal information. By using legitimate Windows components, attackers can avoid detection while carrying out their activities.

The malware now uses PowerShell to automatically run its Python script when the system starts.

Junk code and batch files often contain a lot of unnecessary code to avoid detection. Some even use batch files to create and run harmful scripts on the fly.

NodeStealer uses Telegram to steal and send credentials, IP addresses, hostnames, and countries of victims without being detected.

NodeStealer avoids targeting victims in Vietnam, where its operators likely reside. It checks the victim’s IP location using ipinfo and stops if the country code is “VN.”

Check Also

Authority Denies
Hacker claim ransomware attack on Indonesia’s state bank BRI

Bank Rakyat Indonesia (BRI), the largest state bank by assets, has assured customers that their …

Leave a Reply

Your email address will not be published. Required fields are marked *

Mail: [email protected]
© Copyright 2025, All Rights Reserved InfoSecBulletin