{
  "type": "Domain",
  "indicator": "dongvanfb.net",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/dongvanfb.net",
    "alexa": "http://www.alexa.com/siteinfo/dongvanfb.net",
    "indicator": "dongvanfb.net",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 3730827416,
      "indicator": "dongvanfb.net",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 7,
      "pulses": [
        {
          "id": "64c9624677d427f6f94ef691",
          "name": "NodeStealer 2.0 \u2013 The Python Version: Stealing Facebook Business Accounts",
          "description": "Unit 42 researchers have recently discovered a previously unreported phishing campaign that distributed an infostealer equipped to fully take over Facebook business accounts. Facebook business accounts were targeted with a phishing lure offering tools such as spreadsheet templates for business. This is part of a growing trend of threat actors targeting Facebook business accounts \u2013 for advertising fraud and other purposes \u2013  which emerged around July 2022 with the discovery of the Ducktail infostealer.",
          "modified": "2023-08-01T19:51:33.489000",
          "created": "2023-08-01T19:51:33.489000",
          "tags": [
            "NodeStealer",
            "Facebook",
            "MetaMask",
            "infostealer",
            "Microsoft Office"
          ],
          "references": [
            "https://unit42.paloaltonetworks.com/nodestealer-2-targets-facebook-business/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1496",
              "name": "Resource Hijacking",
              "display_name": "T1496 - Resource Hijacking"
            },
            {
              "id": "T1134",
              "name": "Access Token Manipulation",
              "display_name": "T1134 - Access Token Manipulation"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1548",
              "name": "Abuse Elevation Control Mechanism",
              "display_name": "T1548 - Abuse Elevation Control Mechanism"
            },
            {
              "id": "T1555",
              "name": "Credentials from Password Stores",
              "display_name": "T1555 - Credentials from Password Stores"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 427,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 8,
            "FileHash-SHA1": 8,
            "FileHash-SHA256": 131,
            "domain": 3,
            "hostname": 3
          },
          "indicator_count": 153,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386557,
          "modified_text": "1033 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6654138435c5832ca2c4028f",
          "name": "DOH Domains IOCs",
          "description": "The following is a full list of items that you might not have known existed::..com, or, if you were interested in them, are the most likely ones to come up with",
          "modified": "2024-08-26T04:12:43.497000",
          "created": "2024-05-27T05:00:52.918000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 25,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "fueledbycoffeeDXB",
            "id": "272228",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 7,
            "domain": 1335,
            "hostname": 667
          },
          "indicator_count": 2009,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 26,
          "modified_text": "643 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "64d0b2e266c6bac10e3d3622",
          "name": "NodeStealer 2.0 \u2013 The Python Version I",
          "description": "NodeStealer is an information-stealing malware that primarily targets Facebook business accounts and cryptocurrency wallets. It has been active since at least July 2022 and was first exposed by Meta in May 2023. The malware is distributed through various methods, including downloading and extracting files, and it sets persistence by adding registry run keys",
          "modified": "2023-08-07T09:01:22.938000",
          "created": "2023-08-07T09:01:22.938000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 9,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "almendra",
            "id": "229521",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 4,
            "FileHash-SHA1": 5,
            "FileHash-SHA256": 53,
            "domain": 3,
            "hostname": 3
          },
          "indicator_count": 68,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 34,
          "modified_text": "1028 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "64cd59c2c274737f92b50c31",
          "name": "NodeStealer 2.0 \u2013 The Python Version: Stealing Facebook Business Accounts",
          "description": "A previously unreported phishing campaign targeting Facebook business accounts has been uncovered by Unit 42 researchers, who have identified new variants of the steal-stealing malware known as NodeStealer 2.0.",
          "modified": "2023-08-04T20:04:18.800000",
          "created": "2023-08-04T20:04:18.800000",
          "tags": [
            "nodestealer",
            "variant",
            "cortex xdr",
            "facebook",
            "metamask",
            "meta",
            "unit",
            "palo alto",
            "networks",
            "graph api",
            "bitrat",
            "alliance",
            "april",
            "python",
            "defender",
            "powershell",
            "xworm",
            "main",
            "code",
            "ducktail",
            "phishing",
            "peguis",
            "hvnc",
            "toggledefender",
            "vietnamese"
          ],
          "references": [
            "https://unit42.paloaltonetworks.com/nodestealer-2-targets-facebook-business/#post-129362-_ydqdbjg0dngh"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Phishing",
              "display_name": "Phishing",
              "target": null
            },
            {
              "id": "Peguis",
              "display_name": "Peguis",
              "target": null
            },
            {
              "id": "hVNC",
              "display_name": "hVNC",
              "target": null
            },
            {
              "id": "ToggleDefender",
              "display_name": "ToggleDefender",
              "target": null
            },
            {
              "id": "Vietnamese",
              "display_name": "Vietnamese",
              "target": null
            },
            {
              "id": "NodeStealer",
              "display_name": "NodeStealer",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1496",
              "name": "Resource Hijacking",
              "display_name": "T1496 - Resource Hijacking"
            },
            {
              "id": "T1134",
              "name": "Access Token Manipulation",
              "display_name": "T1134 - Access Token Manipulation"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1548",
              "name": "Abuse Elevation Control Mechanism",
              "display_name": "T1548 - Abuse Elevation Control Mechanism"
            },
            {
              "id": "T1555",
              "name": "Credentials from Password Stores",
              "display_name": "T1555 - Credentials from Password Stores"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 9,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "arringtont",
            "id": "6086",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_6086/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 10,
            "FileHash-SHA1": 10,
            "FileHash-SHA256": 131,
            "URL": 5,
            "domain": 3,
            "hostname": 3
          },
          "indicator_count": 162,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 104,
          "modified_text": "1030 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "64ca95727609fc21388041a6",
          "name": "VTA- Phishing Attack Targets Facebook Business Users Account",
          "description": "Recently unreported phishing campaign that distributed an infostealer equipped to fully take over Facebook business accounts. Facebook business accounts were targeted with a phishing lure offering tools such as spreadsheet templates for business.",
          "modified": "2023-08-02T17:42:10.632000",
          "created": "2023-08-02T17:42:10.632000",
          "tags": [
            "nodestealer",
            "google chrome",
            "brave",
            "december",
            "meta",
            "facebook",
            "python version",
            "windows system",
            "january",
            "microsoft edge",
            "ducktail",
            "twitter",
            "variant",
            "cortex xdr",
            "metamask",
            "unit",
            "palo alto",
            "networks",
            "graph api",
            "bitrat",
            "alliance",
            "april",
            "python",
            "defender",
            "powershell",
            "xworm",
            "main",
            "code",
            "phishing",
            "peguis",
            "hvnc",
            "toggledefender",
            "vietnamese"
          ],
          "references": [
            "https://gbhackers.com/phishing-facebook-business-account/",
            "https://unit42.paloaltonetworks.com/nodestealer-2-targets-facebook-business/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Phishing",
              "display_name": "Phishing",
              "target": null
            },
            {
              "id": "Peguis",
              "display_name": "Peguis",
              "target": null
            },
            {
              "id": "hVNC",
              "display_name": "hVNC",
              "target": null
            },
            {
              "id": "ToggleDefender",
              "display_name": "ToggleDefender",
              "target": null
            },
            {
              "id": "Vietnamese",
              "display_name": "Vietnamese",
              "target": null
            },
            {
              "id": "NodeStealer",
              "display_name": "NodeStealer",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1134",
              "name": "Access Token Manipulation",
              "display_name": "T1134 - Access Token Manipulation"
            },
            {
              "id": "T1496",
              "name": "Resource Hijacking",
              "display_name": "T1496 - Resource Hijacking"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1548",
              "name": "Abuse Elevation Control Mechanism",
              "display_name": "T1548 - Abuse Elevation Control Mechanism"
            },
            {
              "id": "T1555",
              "name": "Credentials from Password Stores",
              "display_name": "T1555 - Credentials from Password Stores"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 319,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Provintell-Lab",
            "id": "112104",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 10,
            "FileHash-SHA1": 10,
            "FileHash-SHA256": 131,
            "URL": 5,
            "domain": 3,
            "hostname": 3
          },
          "indicator_count": 162,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 254,
          "modified_text": "1033 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "64ca1f64ffaf904baf653e31",
          "name": "New NodeStealer Variant Targeting Facebook Business Accounts and Crypto Wallets",
          "description": "Cybersecurity researchers have unearthed a Python variant of a stealer malware NodeStealer that's equipped to fully take over Facebook business accounts as well as siphon cryptocurrency. \nThe attacks start with messages on Facebook that claim to offer free \"professional\" budget tracking Microsoft Excel and Google Sheets templates, tricking victims to download a ZIP archive file hosted on Google Drive. \nThe ZIP file is designed to download additional malware such as BitRAT and XWorm in the form of ZIP files, disable Microsoft Defender Antivirus, and carry out crypto theft by using MetaMask credentials from Google Chrome, C\u1ed1c C\u1ed1c, and Brave web browsers.",
          "modified": "2023-08-02T09:18:28.377000",
          "created": "2023-08-02T09:18:28.377000",
          "tags": [
            "nodestealer",
            "variant",
            "cortex xdr",
            "facebook",
            "metamask",
            "meta",
            "unit",
            "palo alto",
            "networks",
            "graph api",
            "bitrat",
            "alliance",
            "april",
            "python",
            "defender",
            "powershell",
            "xworm",
            "main",
            "code",
            "ducktail",
            "phishing",
            "peguis",
            "hvnc",
            "toggledefender",
            "vietnamese"
          ],
          "references": [
            "https://unit42.paloaltonetworks.com/nodestealer-2-targets-facebook-business/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Phishing",
              "display_name": "Phishing",
              "target": null
            },
            {
              "id": "Peguis",
              "display_name": "Peguis",
              "target": null
            },
            {
              "id": "hVNC",
              "display_name": "hVNC",
              "target": null
            },
            {
              "id": "ToggleDefender",
              "display_name": "ToggleDefender",
              "target": null
            },
            {
              "id": "Vietnamese",
              "display_name": "Vietnamese",
              "target": null
            },
            {
              "id": "NodeStealer",
              "display_name": "NodeStealer",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1496",
              "name": "Resource Hijacking",
              "display_name": "T1496 - Resource Hijacking"
            },
            {
              "id": "T1134",
              "name": "Access Token Manipulation",
              "display_name": "T1134 - Access Token Manipulation"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1548",
              "name": "Abuse Elevation Control Mechanism",
              "display_name": "T1548 - Abuse Elevation Control Mechanism"
            },
            {
              "id": "T1555",
              "name": "Credentials from Password Stores",
              "display_name": "T1555 - Credentials from Password Stores"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 17,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "BITSecurity",
            "id": "103352",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_103352/resized/80/avatar_1540652530.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 9,
            "FileHash-SHA1": 9,
            "FileHash-SHA256": 131,
            "URL": 5,
            "domain": 3,
            "hostname": 3
          },
          "indicator_count": 160,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 242,
          "modified_text": "1033 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "64ca1677cdd7bd51c50abde1",
          "name": "NodeStealer 2.0 \u2013 The Python Version: Stealing Facebook Business Accounts",
          "description": "A previously unreported phishing campaign targeting Facebook business accounts has been uncovered by researchers at Unit 42, a Palo Alto Networks research team.   the firm has identified a new form of the malware known as NodeStealer.",
          "modified": "2023-08-02T08:40:23.187000",
          "created": "2023-08-02T08:40:23.187000",
          "tags": [
            "nodestealer",
            "variant",
            "cortex xdr",
            "facebook",
            "metamask",
            "meta",
            "unit",
            "palo alto",
            "networks",
            "graph api",
            "bitrat",
            "alliance",
            "april",
            "python",
            "defender",
            "powershell",
            "xworm",
            "main",
            "code",
            "ducktail",
            "phishing",
            "peguis",
            "hvnc",
            "toggledefender",
            "vietnamese"
          ],
          "references": [
            "https://unit42.paloaltonetworks.com/nodestealer-2-targets-facebook-business/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Phishing",
              "display_name": "Phishing",
              "target": null
            },
            {
              "id": "Peguis",
              "display_name": "Peguis",
              "target": null
            },
            {
              "id": "hVNC",
              "display_name": "hVNC",
              "target": null
            },
            {
              "id": "ToggleDefender",
              "display_name": "ToggleDefender",
              "target": null
            },
            {
              "id": "Vietnamese",
              "display_name": "Vietnamese",
              "target": null
            },
            {
              "id": "NodeStealer",
              "display_name": "NodeStealer",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1496",
              "name": "Resource Hijacking",
              "display_name": "T1496 - Resource Hijacking"
            },
            {
              "id": "T1134",
              "name": "Access Token Manipulation",
              "display_name": "T1134 - Access Token Manipulation"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1548",
              "name": "Abuse Elevation Control Mechanism",
              "display_name": "T1548 - Abuse Elevation Control Mechanism"
            },
            {
              "id": "T1555",
              "name": "Credentials from Password Stores",
              "display_name": "T1555 - Credentials from Password Stores"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 11,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 9,
            "FileHash-SHA1": 9,
            "FileHash-SHA256": 131,
            "URL": 7,
            "domain": 3,
            "hostname": 3
          },
          "indicator_count": 162,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 863,
          "modified_text": "1033 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://gbhackers.com/phishing-facebook-business-account/",
        "https://unit42.paloaltonetworks.com/nodestealer-2-targets-facebook-business/",
        "https://unit42.paloaltonetworks.com/nodestealer-2-targets-facebook-business/#post-129362-_ydqdbjg0dngh"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [],
          "malware_families": [
            "Toggledefender",
            "Vietnamese",
            "Peguis",
            "Hvnc",
            "Nodestealer",
            "Phishing"
          ],
          "industries": []
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 7,
  "pulses": [
    {
      "id": "64c9624677d427f6f94ef691",
      "name": "NodeStealer 2.0 \u2013 The Python Version: Stealing Facebook Business Accounts",
      "description": "Unit 42 researchers have recently discovered a previously unreported phishing campaign that distributed an infostealer equipped to fully take over Facebook business accounts. Facebook business accounts were targeted with a phishing lure offering tools such as spreadsheet templates for business. This is part of a growing trend of threat actors targeting Facebook business accounts \u2013 for advertising fraud and other purposes \u2013  which emerged around July 2022 with the discovery of the Ducktail infostealer.",
      "modified": "2023-08-01T19:51:33.489000",
      "created": "2023-08-01T19:51:33.489000",
      "tags": [
        "NodeStealer",
        "Facebook",
        "MetaMask",
        "infostealer",
        "Microsoft Office"
      ],
      "references": [
        "https://unit42.paloaltonetworks.com/nodestealer-2-targets-facebook-business/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1496",
          "name": "Resource Hijacking",
          "display_name": "T1496 - Resource Hijacking"
        },
        {
          "id": "T1134",
          "name": "Access Token Manipulation",
          "display_name": "T1134 - Access Token Manipulation"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1548",
          "name": "Abuse Elevation Control Mechanism",
          "display_name": "T1548 - Abuse Elevation Control Mechanism"
        },
        {
          "id": "T1555",
          "name": "Credentials from Password Stores",
          "display_name": "T1555 - Credentials from Password Stores"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1176",
          "name": "Browser Extensions",
          "display_name": "T1176 - Browser Extensions"
        },
        {
          "id": "T1114",
          "name": "Email Collection",
          "display_name": "T1114 - Email Collection"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 427,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 8,
        "FileHash-SHA1": 8,
        "FileHash-SHA256": 131,
        "domain": 3,
        "hostname": 3
      },
      "indicator_count": 153,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386557,
      "modified_text": "1033 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6654138435c5832ca2c4028f",
      "name": "DOH Domains IOCs",
      "description": "The following is a full list of items that you might not have known existed::..com, or, if you were interested in them, are the most likely ones to come up with",
      "modified": "2024-08-26T04:12:43.497000",
      "created": "2024-05-27T05:00:52.918000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 25,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "fueledbycoffeeDXB",
        "id": "272228",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 7,
        "domain": 1335,
        "hostname": 667
      },
      "indicator_count": 2009,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 26,
      "modified_text": "643 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "64d0b2e266c6bac10e3d3622",
      "name": "NodeStealer 2.0 \u2013 The Python Version I",
      "description": "NodeStealer is an information-stealing malware that primarily targets Facebook business accounts and cryptocurrency wallets. It has been active since at least July 2022 and was first exposed by Meta in May 2023. The malware is distributed through various methods, including downloading and extracting files, and it sets persistence by adding registry run keys",
      "modified": "2023-08-07T09:01:22.938000",
      "created": "2023-08-07T09:01:22.938000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 9,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "almendra",
        "id": "229521",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 4,
        "FileHash-SHA1": 5,
        "FileHash-SHA256": 53,
        "domain": 3,
        "hostname": 3
      },
      "indicator_count": 68,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 34,
      "modified_text": "1028 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "64cd59c2c274737f92b50c31",
      "name": "NodeStealer 2.0 \u2013 The Python Version: Stealing Facebook Business Accounts",
      "description": "A previously unreported phishing campaign targeting Facebook business accounts has been uncovered by Unit 42 researchers, who have identified new variants of the information-stealing malware known as NodeStealer 2.0.",
      "modified": "2023-08-04T20:04:18.800000",
      "created": "2023-08-04T20:04:18.800000",
      "tags": [
        "nodestealer",
        "variant",
        "cortex xdr",
        "facebook",
        "metamask",
        "meta",
        "unit",
        "palo alto",
        "networks",
        "graph api",
        "bitrat",
        "alliance",
        "april",
        "python",
        "defender",
        "powershell",
        "xworm",
        "main",
        "code",
        "ducktail",
        "phishing",
        "peguis",
        "hvnc",
        "toggledefender",
        "vietnamese"
      ],
      "references": [
        "https://unit42.paloaltonetworks.com/nodestealer-2-targets-facebook-business/#post-129362-_ydqdbjg0dngh"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Phishing",
          "display_name": "Phishing",
          "target": null
        },
        {
          "id": "Peguis",
          "display_name": "Peguis",
          "target": null
        },
        {
          "id": "hVNC",
          "display_name": "hVNC",
          "target": null
        },
        {
          "id": "ToggleDefender",
          "display_name": "ToggleDefender",
          "target": null
        },
        {
          "id": "Vietnamese",
          "display_name": "Vietnamese",
          "target": null
        },
        {
          "id": "NodeStealer",
          "display_name": "NodeStealer",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1496",
          "name": "Resource Hijacking",
          "display_name": "T1496 - Resource Hijacking"
        },
        {
          "id": "T1134",
          "name": "Access Token Manipulation",
          "display_name": "T1134 - Access Token Manipulation"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1548",
          "name": "Abuse Elevation Control Mechanism",
          "display_name": "T1548 - Abuse Elevation Control Mechanism"
        },
        {
          "id": "T1555",
          "name": "Credentials from Password Stores",
          "display_name": "T1555 - Credentials from Password Stores"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1176",
          "name": "Browser Extensions",
          "display_name": "T1176 - Browser Extensions"
        },
        {
          "id": "T1114",
          "name": "Email Collection",
          "display_name": "T1114 - Email Collection"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 9,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "arringtont",
        "id": "6086",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_6086/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 10,
        "FileHash-SHA1": 10,
        "FileHash-SHA256": 131,
        "URL": 5,
        "domain": 3,
        "hostname": 3
      },
      "indicator_count": 162,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 104,
      "modified_text": "1030 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "64ca95727609fc21388041a6",
      "name": "VTA- Phishing Attack Targets Facebook Business Users Account",
      "description": "A recently discovered, previously unreported phishing campaign distributed an infostealer equipped to fully take over Facebook business accounts. Facebook business accounts were targeted with a phishing lure offering tools such as spreadsheet templates for business.",
      "modified": "2023-08-02T17:42:10.632000",
      "created": "2023-08-02T17:42:10.632000",
      "tags": [
        "nodestealer",
        "google chrome",
        "brave",
        "december",
        "meta",
        "facebook",
        "python version",
        "windows system",
        "january",
        "microsoft edge",
        "ducktail",
        "twitter",
        "variant",
        "cortex xdr",
        "metamask",
        "unit",
        "palo alto",
        "networks",
        "graph api",
        "bitrat",
        "alliance",
        "april",
        "python",
        "defender",
        "powershell",
        "xworm",
        "main",
        "code",
        "phishing",
        "peguis",
        "hvnc",
        "toggledefender",
        "vietnamese"
      ],
      "references": [
        "https://gbhackers.com/phishing-facebook-business-account/",
        "https://unit42.paloaltonetworks.com/nodestealer-2-targets-facebook-business/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Phishing",
          "display_name": "Phishing",
          "target": null
        },
        {
          "id": "Peguis",
          "display_name": "Peguis",
          "target": null
        },
        {
          "id": "hVNC",
          "display_name": "hVNC",
          "target": null
        },
        {
          "id": "ToggleDefender",
          "display_name": "ToggleDefender",
          "target": null
        },
        {
          "id": "Vietnamese",
          "display_name": "Vietnamese",
          "target": null
        },
        {
          "id": "NodeStealer",
          "display_name": "NodeStealer",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1134",
          "name": "Access Token Manipulation",
          "display_name": "T1134 - Access Token Manipulation"
        },
        {
          "id": "T1496",
          "name": "Resource Hijacking",
          "display_name": "T1496 - Resource Hijacking"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1548",
          "name": "Abuse Elevation Control Mechanism",
          "display_name": "T1548 - Abuse Elevation Control Mechanism"
        },
        {
          "id": "T1555",
          "name": "Credentials from Password Stores",
          "display_name": "T1555 - Credentials from Password Stores"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1176",
          "name": "Browser Extensions",
          "display_name": "T1176 - Browser Extensions"
        },
        {
          "id": "T1114",
          "name": "Email Collection",
          "display_name": "T1114 - Email Collection"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 319,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Provintell-Lab",
        "id": "112104",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 10,
        "FileHash-SHA1": 10,
        "FileHash-SHA256": 131,
        "URL": 5,
        "domain": 3,
        "hostname": 3
      },
      "indicator_count": 162,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 254,
      "modified_text": "1033 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "64ca1f64ffaf904baf653e31",
      "name": "New NodeStealer Variant Targeting Facebook Business Accounts and Crypto Wallets",
      "description": "Cybersecurity researchers have unearthed a Python variant of a stealer malware NodeStealer that's equipped to fully take over Facebook business accounts as well as siphon cryptocurrency. \nThe attacks start with messages on Facebook that claim to offer free \"professional\" budget tracking Microsoft Excel and Google Sheets templates, tricking victims to download a ZIP archive file hosted on Google Drive. \nThe ZIP file is designed to download additional malware such as BitRAT and XWorm in the form of ZIP files, disable Microsoft Defender Antivirus, and carry out crypto theft by using MetaMask credentials from Google Chrome, C\u1ed1c C\u1ed1c, and Brave web browsers.",
      "modified": "2023-08-02T09:18:28.377000",
      "created": "2023-08-02T09:18:28.377000",
      "tags": [
        "nodestealer",
        "variant",
        "cortex xdr",
        "facebook",
        "metamask",
        "meta",
        "unit",
        "palo alto",
        "networks",
        "graph api",
        "bitrat",
        "alliance",
        "april",
        "python",
        "defender",
        "powershell",
        "xworm",
        "main",
        "code",
        "ducktail",
        "phishing",
        "peguis",
        "hvnc",
        "toggledefender",
        "vietnamese"
      ],
      "references": [
        "https://unit42.paloaltonetworks.com/nodestealer-2-targets-facebook-business/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Phishing",
          "display_name": "Phishing",
          "target": null
        },
        {
          "id": "Peguis",
          "display_name": "Peguis",
          "target": null
        },
        {
          "id": "hVNC",
          "display_name": "hVNC",
          "target": null
        },
        {
          "id": "ToggleDefender",
          "display_name": "ToggleDefender",
          "target": null
        },
        {
          "id": "Vietnamese",
          "display_name": "Vietnamese",
          "target": null
        },
        {
          "id": "NodeStealer",
          "display_name": "NodeStealer",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1496",
          "name": "Resource Hijacking",
          "display_name": "T1496 - Resource Hijacking"
        },
        {
          "id": "T1134",
          "name": "Access Token Manipulation",
          "display_name": "T1134 - Access Token Manipulation"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1548",
          "name": "Abuse Elevation Control Mechanism",
          "display_name": "T1548 - Abuse Elevation Control Mechanism"
        },
        {
          "id": "T1555",
          "name": "Credentials from Password Stores",
          "display_name": "T1555 - Credentials from Password Stores"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1176",
          "name": "Browser Extensions",
          "display_name": "T1176 - Browser Extensions"
        },
        {
          "id": "T1114",
          "name": "Email Collection",
          "display_name": "T1114 - Email Collection"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 17,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "BITSecurity",
        "id": "103352",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_103352/resized/80/avatar_1540652530.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 9,
        "FileHash-SHA1": 9,
        "FileHash-SHA256": 131,
        "URL": 5,
        "domain": 3,
        "hostname": 3
      },
      "indicator_count": 160,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 242,
      "modified_text": "1033 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "64ca1677cdd7bd51c50abde1",
      "name": "NodeStealer 2.0 \u2013 The Python Version: Stealing Facebook Business Accounts",
      "description": "A previously unreported phishing campaign targeting Facebook business accounts has been uncovered by researchers at Unit 42, a Palo Alto Networks research team. The firm has identified a new form of the malware known as NodeStealer.",
      "modified": "2023-08-02T08:40:23.187000",
      "created": "2023-08-02T08:40:23.187000",
      "tags": [
        "nodestealer",
        "variant",
        "cortex xdr",
        "facebook",
        "metamask",
        "meta",
        "unit",
        "palo alto",
        "networks",
        "graph api",
        "bitrat",
        "alliance",
        "april",
        "python",
        "defender",
        "powershell",
        "xworm",
        "main",
        "code",
        "ducktail",
        "phishing",
        "peguis",
        "hvnc",
        "toggledefender",
        "vietnamese"
      ],
      "references": [
        "https://unit42.paloaltonetworks.com/nodestealer-2-targets-facebook-business/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Phishing",
          "display_name": "Phishing",
          "target": null
        },
        {
          "id": "Peguis",
          "display_name": "Peguis",
          "target": null
        },
        {
          "id": "hVNC",
          "display_name": "hVNC",
          "target": null
        },
        {
          "id": "ToggleDefender",
          "display_name": "ToggleDefender",
          "target": null
        },
        {
          "id": "Vietnamese",
          "display_name": "Vietnamese",
          "target": null
        },
        {
          "id": "NodeStealer",
          "display_name": "NodeStealer",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1496",
          "name": "Resource Hijacking",
          "display_name": "T1496 - Resource Hijacking"
        },
        {
          "id": "T1134",
          "name": "Access Token Manipulation",
          "display_name": "T1134 - Access Token Manipulation"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1548",
          "name": "Abuse Elevation Control Mechanism",
          "display_name": "T1548 - Abuse Elevation Control Mechanism"
        },
        {
          "id": "T1555",
          "name": "Credentials from Password Stores",
          "display_name": "T1555 - Credentials from Password Stores"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1176",
          "name": "Browser Extensions",
          "display_name": "T1176 - Browser Extensions"
        },
        {
          "id": "T1114",
          "name": "Email Collection",
          "display_name": "T1114 - Email Collection"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 11,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 9,
        "FileHash-SHA1": 9,
        "FileHash-SHA256": 131,
        "URL": 7,
        "domain": 3,
        "hostname": 3
      },
      "indicator_count": 162,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 863,
      "modified_text": "1033 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "dongvanfb.net",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "dongvanfb.net",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780250817.184668
}