{"id":710,"date":"2023-05-03T12:00:21","date_gmt":"2023-05-03T12:00:21","guid":{"rendered":"https:\/\/fde.cat\/index.php\/2023\/05\/03\/the-malware-threat-landscape-nodestealer-ducktail-and-more\/"},"modified":"2023-05-03T12:00:21","modified_gmt":"2023-05-03T12:00:21","slug":"the-malware-threat-landscape-nodestealer-ducktail-and-more","status":"publish","type":"post","link":"https:\/\/fde.cat\/index.php\/2023\/05\/03\/the-malware-threat-landscape-nodestealer-ducktail-and-more\/","title":{"rendered":"The malware threat landscape: NodeStealer, DuckTail, and more"},"content":{"rendered":"<p><span>We\u2019re sharing our latest threat research and technical analysis into persistent malware campaigns targeting businesses across the internet, including threat indicators to help raise our industry\u2019s collective defenses across the internet.<\/span><br \/>\n<span>These malware families \u2013 including Ducktail, NodeStealer and newer malware posing as ChatGPT <\/span><span>and other similar tools<\/span><span>\u2013 targeted people through malicious browser extensions, ads, and various social media platforms with an aim to run unauthorized ads from compromised business accounts across the internet.<\/span><br \/>\n<span>We\u2019ve detected and disrupted these malware operations, including previously unreported malware families, and have already seen rapid adversarial adaptation in response to our detection, including some of them choosing to shift their initial targeting elsewhere on the internet.<\/span><span>\u00a0<\/span><\/p>\n<p><span>Today, we\u2019re sharing our latest work to detect and disrupt malware campaigns targeting business users across the internet.\u00a0<\/span><\/p>\n<p><span>We know that malicious groups behind malware campaigns are extremely persistent, and we fully expect them to keep trying to come up with new tactics and tooling in an effort to survive disruptions by any one platform where they spread. 
That\u2019s why our security teams tackle malware \u2013 one of the most persistent threats online \u2013 as part of our defense-in-depth approach through multiple efforts at once. It includes: malware analysis and targeted threat disruption, continuously improving detection systems to block malware at scale, security product updates, community support and education, threat information sharing with other companies and holding threat actors accountable in court. This helps raise the cost for these malicious groups and limits the lifecycle of any single strain of malware \u2013 forcing threat actors to continue to invest time and resources into constantly adapting to stay afloat<\/span><\/p>\n<p><span>With much malware we\u2019ve seen and countered over the years being hosted outside of social media, including our services, we encourage people to be cautious when downloading new software like browser extensions or mobile apps, or downloading files across the internet. For more security tips, visit our <a href=\"https:\/\/about.fb.com\/news\/2023\/05\/how-meta-protects-businesses-from-malware\/\" target=\"_blank\" rel=\"noopener\">Newsroom<\/a>.<\/span><\/p>\n<h2><span>The malware threat landscape<\/span><\/h2>\n<p><span>Before we dive into the technical analysis of one of the new malware families we recently detected \u2013 NodeStealer, we\u2019re sharing the latest trends we\u2019ve seen across this threat landscape more broadly to help inform our collective defenses across the internet.<\/span><\/p>\n<p><span>While many malware campaigns use off-the-shelf tooling available powered by a booming marketplace, the focus of our analysis today is on malware families that are custom-built to target business users on particular internet services. 
Here is what stood out to us in our threat research into these tailored operations and their tooling.\u00a0<\/span><\/p>\n<h2><span>Adversarial adaptation in response to disruptions: Ducktail malware in focus<\/span><\/h2>\n<p><span>With more security teams across our industry publicly reporting and sharing threat indicators into various malware operations, we\u2019ve seen operators invest in a number of tactics to enable persistence and adapt to enforcements.\u00a0<\/span><\/p>\n<p><span>Many of them try to spread across many internet services, including social media, ad platforms, file-sharing and file-hosting services, link shorteners, and even niche websites for creators and their fans. This is likely an attempt to ensure that a complex, multi-pronged malware campaign can withstand takedowns by any one of these services because they each only have limited visibility into the entire malicious operation.\u00a0<\/span><\/p>\n<p><span>A long-running malware family known in the security community as Ducktail is a good example. For several years, we\u2019ve tracked and blocked iterations of Ducktail originating from Vietnam that have evolved as a result of enforcements by Meta and our industry peers. 
Ducktail is known to target a number of platforms across the internet, including:<\/span><\/p>\n<p><span>LinkedIn to socially engineer people into downloading malware;\u00a0<\/span><br \/>\n<span>Browsers like Google Chrome, Microsoft Edge, Brave, and Firefox to gain access to people\u2019s information on desktop; and<\/span><br \/>\n<span>File-hosting services such as Dropbox and Mega, to host malware.<\/span><\/p>\n<p><span>In addition, the operators of many malware families quickly notice when their actions are detected, which constantly forces them to adjust in hopes of buying a short advantage window over the defender community.\u00a0<\/span><\/p>\n<p><span>As an example, in its latest iteration, Ducktail operators, likely in response to our round-the-clock <\/span><span>detection terminating stolen sessions, began automatically granting business admin permissions to requests for ad-related actions sent by attackers as an attempt to speed up their operations before we block them. <\/span><span>However, our continued detection and mitigations protect businesses against these latest adaptations. In addition, as we learn from these investigations, we keep innovating product security approaches. 
Today, we\u2019re sharing a number of <a href=\"https:\/\/about.fb.com\/news\/2023\/05\/how-meta-protects-businesses-from-malware\/\" target=\"_blank\" rel=\"noopener\">new product features making business accounts more resilient to these attacks<\/a>.<\/span><\/p>\n<p><span>Finally, we also issued a cease and desist letter to individuals behind it in Vietnam, referred to law enforcement, and will consider all appropriate additional enforcement options against malicious actors behind targeting people on our services.<\/span><\/p>\n<h2><span>Malware lures follow popular trends\u00a0<\/span><\/h2>\n<p><span>Our research and that of security researchers has shown time and again that malware operators, just like spammers, try to latch onto hot-button issues and popular topics to get people\u2019s attention. With an ultimate goal to trick people into clicking on malicious links or downloading malicious software, the latest wave of malware campaigns have taken notice of generative AI tools becoming popular.\u00a0\u00a0<\/span><\/p>\n<p><span>Over the past several months, we\u2019ve investigated and taken action against malware strains taking advantage of people\u2019s interest in OpenAI\u2019s ChatGPT to trick them into installing malware pretending to provide AI functionality.\u00a0<\/span><\/p>\n<p><span>These latest attempts, just like Ducktail, targeted a number of platforms across the internet, including file-sharing services Dropbox, Google Drive, Mega, MediaFire, Discord, Atlassian\u2019s Trello, Microsoft OneDrive, and iCloud to host this malware. Its ultimate goal is to compromise businesses with access to ad accounts across the internet.<\/span><\/p>\n<p><span>Since March 2023 alone, we have found around ten malware families using ChatGPT and other similar themes to compromise accounts across the internet. In one case, we\u2019ve seen threat actors create malicious browser extensions available in official web stores that claim to offer ChatGPT-based tools. 
They would then promote these malicious extensions on social media and through sponsored search results to trick people into downloading malware. In fact, some of these extensions did include working ChatGPT functionality alongside malware, likely to avoid suspicion from official web stores. We\u2019ve blocked over 1,000 unique ChatGPT-themed malicious URLs from being shared on our platforms and shared them to our industry peers so they, too, can take action, as appropriate.\u00a0<\/span><\/p>\n<p><span>Similar to Ducktail, we\u2019ve seen blocking and public reporting of these malicious strains force their operators to rapidly evolve tactics to try and stay afloat. We\u2019ve seen them use <\/span><a href=\"https:\/\/about.fb.com\/news\/2020\/04\/addressing-deceptive-ad-practices\/\"><span>cloaking<\/span><\/a><span> in an attempt to circumvent automated ad review systems, and leverage popular marketing tools like link-shorteners to disguise the ultimate destination of these links. Many of them also changed their lures to other popular themes like Google\u2019s Bard and TikTok marketing support. Some of these campaigns, after we blocked malicious links to file-sharing and site hosting platforms, began targeting smaller services, such as Buy Me a Coffee \u2013 a service used by creators to accept support from their audiences \u2013 to host and deliver malware.<\/span><\/p>\n<p>An example of malware hosted on a third-party website disguised as a ChatGPT download.<\/p>\n<h2><span>Building custom malware to target specific internet platforms<\/span><\/h2>\n<p><span>Our industry continues to detect and disrupt custom-built novel malware that targets business for advertising fraud. 
By tailoring these operations to be used for attempted business account compromise on a particular service \u2013 like Facebook or Google or others \u2013 threat actors are able to focus their tooling to use more sophisticated forms of account compromise, like capturing session tokens in an attempt to circumvent two-factor authentication requirements. They can also include functionality that can automatically detect connections between the compromised user and business accounts they might be connected to.\u00a0<\/span><\/p>\n<p><span>A novel malware strain we named NodeStealer that we recently uncovered and disrupted early in its operation is a good example of this trend. We\u2019re sharing a deep dive into how this particular custom-built malware operates, including our malware analysis.<\/span><\/p>\n<h2><span>Novel NodeStealer malware: An in-depth analysis<\/span><\/h2>\n<p><span>In late January 2023, our security team identified a new malware family, NodeStealer, that targeted internet browsers on Windows with a goal of stealing cookies and saved usernames and passwords to ultimately compromise Facebook, Gmail, and Outlook accounts. NodeStealer is custom-written in JavaScript and bundles the Node.js environment. We assessed the malware to be of Vietnamese origin and distributed by threat actors from Vietnam.\u00a0<\/span><\/p>\n<p><span>We identified NodeStealer early \u2013 within two weeks of it being deployed \u2013 and took action to disrupt it and help people who may have been targeted to recover their accounts. As part of this effort, <\/span><span>we submitted takedown requests to third-party registrars, hosting providers, and application services such as Namecheap, which these threat actors had abused to facilitate distribution and malicious operations. These actions led to a successful disruption of the malware. 
We have not observed any new samples of malware in the NodeStealer family since February 27 of this year and continue monitoring for any potential future activity.<\/span><\/p>\n<p><span>We are sharing threat indicators and information about how this malware works to enable further security research by our industry to help us all strengthen our collective defense.<\/span><\/p>\n<h2><span>Analyzing the NodeStealer malware<\/span><\/h2>\n<p><span>NodeStealer samples are typically disguised as PDF and XLSX files with an appropriate corresponding icon and a filename meant to trick people into opening malicious files. This tactic makes it difficult for people to see that they are opening a potentially malicious executable instead of an innocuous document:<\/span><\/p>\n<p>An example of malware icons.<\/p>\n<h3>File metadata and packaging<\/h3>\n<p><span>Here\u2019s an example of a NodeStealer file. At the time of discovery, this file only had one detection on VirusTotal. This is likely because the file is almost entirely made up of the Node.js environment and contains novel malicious code.<\/span><\/p>\n<p>A screenshot of VirusTotal scanning results at the time of detection.<\/p>\n<p><span>While the file is a Windows executable file (with an .exe extension), it is disguised as a PDF file with a PDF icon. We also observed metadata on the file that attempts to disguise the file as a product of \u201cMicrosoftOffice:\u201d<\/span><\/p>\n<p>An example of file metadata.<\/p>\n<p><span>Diving a bit more into the file structure, we found that this malware is written in JavaScript, executed using Node.js, and is compiled into a Windows executable with a tool from the Node Package Manager (NPM) called pkg. This particular sample is around 46 MB in size; however, we have seen files ranging from 46 to 51 MB. 
The file is large because it bundles the entire Node.js environment and all third-party package dependencies.<\/span><\/p>\n<p><span>For context, <\/span><a href=\"https:\/\/nodejs.org\/en\/\"><span>Node.js<\/span><\/a><span> is a cross-platform, open-source JavaScript runtime environment, which provides various JavaScript libraries and is often used to develop web applications. <\/span><a href=\"https:\/\/www.npmjs.com\/package\/pkg\"><span>Pkg<\/span><\/a><span> is a command-line tool that packages Node.js code into an executable file for various platforms including Linux, macOS, and Windows.<\/span><\/p>\n<h3><span>Malware behaviors<\/span><\/h3>\n<h4><span>Persistence<\/span><\/h4>\n<p><span>When executed, the malware first establishes persistence to ensure that it continues to operate after the victim restarts the machine. The malware uses the <\/span><a href=\"https:\/\/www.npmjs.com\/package\/auto-launch\"><span>auto-launch module<\/span><\/a><span> on Node.js to do so.*<\/span><\/p>\n<p>A screenshot of the persistence-enabling code snippet.<\/p>\n<p><span>In this example, there is a new registry key added under \u201cHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\&lt;current file name&gt;\u201d to execute the malware upon startup.<\/span><\/p>\n<h4><span>Stealing browser data<\/span><\/h4>\n<p><span>The ultimate goal of this malware is to steal stored passwords and cookie session information from Chromium-based browsers on the target\u2019s computer. The malware targets Chrome, Opera, Microsoft Edge and Brave browsers. For each of them, the malware will:<\/span><\/p>\n<p><span>First, reference the file paths to files that store sensitive user information such as cookies and credentials (username\/password) for various sites:<\/span><\/p>\n<p>The malware then decrypts the sensitive data from the browser data stores. 
Since the browser encrypts the user\u2019s information before storing it, the malware performs the following steps to decrypt the user data:<\/p>\n<p><span>It will read the encrypted_key from the \u201cLocal State\u201d file, Base64 decode it, and retrieve the decryption key by using the <\/span><a href=\"https:\/\/www.npmjs.com\/package\/win32crypt\"><span>win32crypt<\/span><\/a><span><span><span> Node.js library:<\/span><\/span><\/span><\/p>\n<p>Data decryption routine.<\/p>\n<p><span><span><span>After retrieving the decryption key, the malware reads data from the \u201cCookies\u201d file, which is an SQLite database containing cookie values. The malware looks for a Facebook session cookie and will only continue if one is found. If no Facebook session cookie is found, the malware does not extract more information:<\/span><\/span><\/span><\/p>\n<p>Extracting cookie data and decrypting it.<\/p>\n<p>If a Facebook session cookie is found, the malware starts reading data from the \u201cLogin Data\u201d file, which is an SQLite database containing saved usernames and passwords. The malware specifically targets user credentials for Facebook, Gmail, and Outlook. 
We hypothesize that the malware steals email credentials to <a href=\"https:\/\/about.fb.com\/news\/2022\/12\/designing-account-security-across-our-apps\/\">compromise the user\u2019s contact point<\/a><span><span> and potentially to access other online accounts connected to that email account:<\/span><\/span><\/p>\n<p>Retrieving the stored usernames and passwords from the Browser saved password database.<\/p>\n<p>With the decryption key now extracted, the malware decrypts the encrypted data read from the \u201cLogin Data\u201d file using AES decryption.<\/p>\n<h4><span>Account reconnaissance<\/span><\/h4>\n<p><span>After retrieving the Facebook credentials from the target\u2019s browser data, the malware uses it to make several unauthorized requests to Facebook URLs to enumerate account information related to advertising. <\/span><span>The malware gains access to this information by making requests from the targeted user\u2019s computer to the APIs used by our Facebook web and mobile apps, which masquerades its activity behind the user\u2019s actual IP address, cookie values, and system configuration \u2013 appearing like a legitimate user and their session. <\/span><span>This makes detection of this activity significantly more difficult. The stolen information then enables the threat actor to assess and then use users\u2019 advertising accounts to run unauthorized ads.\u00a0<\/span><\/p>\n<h4><span>Command and control mechanisms<\/span><\/h4>\n<p><span>After retrieving the stored browser information and performing the Facebook account reconnaissance, the malware exfiltrates all stolen data to the threat actor\u2019s command-and-control (C2) server hosted at: hxxps:\/\/bot2q.advertiser-noreplysupport[.]dev. This C2 server URL is hard-coded into the malware.<\/span><\/p>\n<p><span>The malware aggregates the stolen data in a JSON object which is then Base64 encoded. 
In an attempt to evade detection, the malware makes a GET request to: hxxps:\/\/bot2q.advertiser-noreplysupport[.]dev\/avatar.png, with the Base64 data placed in the \u201cAuthorization\u201d HTTP header:<\/span><\/p>\n<p>Exfiltration of stolen information.<\/p>\n<p><span>Based on publicly available information, the malware C2 domain was registered with Namecheap on December 27th, 2022. At the time of this analysis, the domain name resolved to the OVH VPS IP 15[.]235[.]187[.]170. We also observed a published DNS mail exchange (MX) record on that domain using Namecheap\u2019s \u201cPrivate Email\u201d service. The C2 server appears to be a Node.js \u201cExpress\u201d-based web application hosted by Nginx, judging by the server\u2019s response header values.<\/span><\/p>\n<p><span>We reported this domain to Namecheap and it is no longer resolving (as of January 25th, 2023).\u00a0<\/span><\/p>\n<h2><span>Threat Indicators<\/span><\/h2>\n<p><span>These indicators are available in machine readable formats on our <\/span><a href=\"https:\/\/github.com\/facebook\/malware-detection\"><span>Malware Detection repository on GitHub<\/span><\/a><span>.<\/span><\/p>\n<p><span>*Please note that we have reformatted some of the source code contained in this blog in order to make it easier to read and understand. 
We have also added comments to the source code to provide context and explain how it works.<\/span><\/p>\n<p>The post <a href=\"https:\/\/engineering.fb.com\/2023\/05\/03\/security\/malware-nodestealer-ducktail\/\">The malware threat landscape: NodeStealer, DuckTail, and more<\/a> appeared first on <a href=\"https:\/\/engineering.fb.com\/\">Engineering at Meta<\/a>.<\/p>\n<p>Engineering at Meta<\/p>","protected":false},"excerpt":{"rendered":"<p>We\u2019re sharing our latest threat research and technical analysis into persistent malware campaigns targeting businesses across the internet, including threat indicators to help raise our industry\u2019s collective defenses across the internet. These malware families \u2013 including Ducktail, NodeStealer and newer malware posing as ChatGPT and other similar tools\u2013 targeted people through malicious browser extensions, ads,&hellip; <a class=\"more-link\" href=\"https:\/\/fde.cat\/index.php\/2023\/05\/03\/the-malware-threat-landscape-nodestealer-ducktail-and-more\/\">Continue reading <span class=\"screen-reader-text\">The malware threat landscape: NodeStealer, DuckTail, and more<\/span><\/a><\/p>\n","protected":false},"author":0,"featured_media":0,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","footnotes":""},"categories":[7],"tags":[],"class_list":["post-710","post","type-post","status-publish","format-standard","hentry","category-technology","entry"],"jetpack_featured_media_url":"","jetpack-related-posts":[{"id":702,"url":"https:\/\/fde.cat\/index.php\/2023\/04\/13\/how-device-verification-protects-your-whatsapp-account\/","url_meta":{"origin":710,"position":0},"title":"How Device Verification protects your WhatsApp account","date":"April 13, 2023","format":false,"excerpt":"WhatsApp has launched a new security feature that further helps prevent attackers from using vectors like on-device malware. 
This security feature, called Device Verification, requires no action or additional steps from users and helps protect your account. This feature is part of our broader work to increase security for our\u2026","rel":"","context":"In &quot;Technology&quot;","img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":222,"url":"https:\/\/fde.cat\/index.php\/2021\/02\/02\/how-salesforce-helps-protect-you-from-session-hijacking-threats\/","url_meta":{"origin":710,"position":1},"title":"How Salesforce Helps Protect You From Session Hijacking Threats","date":"February 2, 2021","format":false,"excerpt":"Co-authors: Ping Yan and Yuly\u00a0TenorioBackground on Session HijackingAll communication on the internet happens over a set of standards called TCP\/IP (Transmission Control Protocol\/Internet Protocol). They are the World Wide Web\u2019s core communication system that enables Internet-connected devices to communicate simultaneously with each other. This system lays the groundwork over which\u2026","rel":"","context":"In &quot;Technology&quot;","img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":726,"url":"https:\/\/fde.cat\/index.php\/2023\/06\/21\/tackling-cyber-threats-with-automation-inside-salesforces-cutting-edge-security-strategy\/","url_meta":{"origin":710,"position":2},"title":"Tackling Cyber Threats with Automation: Inside Salesforce\u2019s Cutting-edge Security Strategy","date":"June 21, 2023","format":false,"excerpt":"In our \u201cEngineering Energizers\u201d Q&A series, we examine the professional journeys that have shaped Salesforce Engineering leaders. In this special edition, we meet Avinash Reddy Thumma, lead threat detection engineer for Salesforce. Based in Hyderabad, India, Avinash\u2019s threat detection team specializes in protecting Salesforce\u2019s network by thwarting malicious threats. 
Read\u2026","rel":"","context":"In &quot;Technology&quot;","img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":719,"url":"https:\/\/fde.cat\/index.php\/2023\/05\/23\/automation-at-scale-migrating-200000-machines-from-centos-7-to-rhel-9\/","url_meta":{"origin":710,"position":3},"title":"Automation at Scale: Migrating 200,000 Machines from CentOS 7 to RHEL 9","date":"May 23, 2023","format":false,"excerpt":"When a legacy operating system (OS) approaches its end-of-support date, some organizations will upgrade their OS as fast as possible. Others may kick the can down the road, delaying any headaches they might encounter during the upgrade process. Six years ago, Salesforce Engineering put the pedal to the metal, migrating\u2026","rel":"","context":"In &quot;Technology&quot;","img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":754,"url":"https:\/\/fde.cat\/index.php\/2023\/08\/29\/data-enrichment-and-automation-helping-salesforce-security-overcome-the-threat-identification-challenge\/","url_meta":{"origin":710,"position":4},"title":"Data Enrichment and Automation: Helping Salesforce Security Overcome the Threat Identification Challenge","date":"August 29, 2023","format":false,"excerpt":"By Matt Saunders and Scott Nyberg In our \u201cEngineering Energizers\u201d Q&A series, we examine the professional life experiences that have shaped Salesforce Engineering leaders. Meet Matt Saunders, a Principal Member of the Technical Staff at Salesforce, supporting the Detection and Response Machine Learning team. 
In his role, Matt focuses on\u2026","rel":"","context":"In &quot;Technology&quot;","img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":790,"url":"https:\/\/fde.cat\/index.php\/2023\/08\/29\/data-enrichment-and-automation-helping-salesforce-security-overcome-the-threat-identification-challenge-2\/","url_meta":{"origin":710,"position":5},"title":"Data Enrichment and Automation: Helping Salesforce Security Overcome the Threat Identification Challenge","date":"August 29, 2023","format":false,"excerpt":"By Matt Saunders and Scott Nyberg In our \u201cEngineering Energizers\u201d Q&A series, we examine the professional life experiences that have shaped Salesforce Engineering leaders. Meet Matt Saunders, a Principal Member of the Technical Staff at Salesforce, supporting the Detection and Response Machine Learning team. In his role, Matt focuses on\u2026","rel":"","context":"In &quot;Technology&quot;","img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]}],"_links":{"self":[{"href":"https:\/\/fde.cat\/index.php\/wp-json\/wp\/v2\/posts\/710","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fde.cat\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fde.cat\/index.php\/wp-json\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/fde.cat\/index.php\/wp-json\/wp\/v2\/comments?post=710"}],"version-history":[{"count":0,"href":"https:\/\/fde.cat\/index.php\/wp-json\/wp\/v2\/posts\/710\/revisions"}],"wp:attachment":[{"href":"https:\/\/fde.cat\/index.php\/wp-json\/wp\/v2\/media?parent=710"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fde.cat\/index.php\/wp-json\/wp\/v2\/categories?post=710"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fde.cat\/index.php\/wp-json\/wp\/v2\/tags?post=710"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}