Thursday, December 26, 2024
HomeCyber AttackHackers Using Facebook Ads to Attack Critical Infrastructure Employees

Hackers Using Facebook Ads to Attack Critical Infrastructure Employees

Published on

SIEM as a Service

A new information stealer has been recently found by cybersecurity researchers at Morphisec which is called “SYS01stealer.” This stealer primarily targets entities from the following critical infrastructures:-

  • Infrastructure employees
  • Manufacturing companies
  • Other critical sectors

The Morphisec intelligence team has been tracking this advanced information stealer since November 2022. As part of this campaign, the threat actors are using Google ads and bogus Facebook profiles to target Facebook business accounts and advertise things such as:-

  • Games
  • Adult content
  • Cracked software
  • Movies/Series

In this way, they lure the victim and make them download malicious files. In the attack, sensitive information is intended to be stolen, including the following:- 

- Advertisement - SIEM as a Service
  • Login data
  • Cookies
  • Facebook ad account information
  • Facebook business account information

It was initially believed that the campaign was linked to the Ducktail cybercrime operation, which was financially motivated. 

Hackers Using Facebook Ads

In order to begin the attack, a fake Facebook profile or advertisement is used as a lure to lure victims into clicking on a URL. By clicking on this URL, the attackers make the victim download a ZIP file that is supposed to have the following items:-

  • Application
  • Game
  • Movie/Series

There are two parts under which the complete infection chain is divided, and they are as follows:-

  • The loader
  • The Inno-Setup installer

Loaders are normally legitimate C# applications that might be vulnerable to a side-loading vulnerability due to their side-loading behavior. A malicious DLL file is hidden within the application, which is eventually side-loaded for infection. 

It was found that Western Digital’s WDSyncService.exe and Garmin’s ElevatedInstaller.exe were some of the applications that were exploited to side-load the malicious DLL file.

While apart from this, the Python and Rust-based intermediate executables are sometimes deployed through side-loaded DLL. 

It is important to remember that no matter what approach is taken to reach the delivery of an installer, all roads lead there. Here the SYS01stealer is a PHP-based malware that is dropped and executed by this installer.

Browsers Affected

The stealer stealthily harvests the Facebook cookies from the web browsers that run on Chromium, which is the most popular browser. And here below we have mentioned the names of web browsers that are based on Chromium:-

  • Google Chrome
  • Microsoft Edge
  • Brave
  • Opera
  • Vivaldi

As a result, all of the victim’s Facebook information is transferred to a remote server, as well as arbitrary files are downloaded and executed.

  • In addition to this, it has the following capabilities: 
  • Connect the C2 server to the infected host and upload the files.
  • Follow the commands and instructions provided by the server.
  • As soon as a new version is released, it will update itself.

Recommendation

In order to trick Windows systems into loading malicious code, DLL side-loading is an extremely effective technique. During the loading process of an application in memory, if the order of search isn’t adhered to, the malicious file will be loaded in preference to the legitimate file.

This allows threat actors to execute malicious payloads even when legitimate, trusted applications are hijacked.

It is important to implement a zero-trust policy and limit the user’s rights when it comes to downloading and installing programs in order to help prevent the SYS01 stealer.

Network Security Checklist – Download Free E-Book

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Researchers Uncovered Dark Web Operation Acquiring KYC Details

A major dark web operation dedicated to circumventing KYC (Know Your Customer) procedures, which...

Adobe Warns of ColdFusion Vulnerability Allows Attackers Read arbitrary files

Adobe has issued a critical security update for ColdFusion versions 2023 and 2021 to...

Beware of New Malicious PyPI packages That Steals Login Details

Two malicious Python packages, Zebo-0.1.0 and Cometlogger-0.1, were recently detected by Fortinet's AI-driven OSS...

Brazilian Hacker Arrested Hacking Computers & Selling Data

A Brazilian man, Junior Barros De Oliveira, has been charged with multiple counts of...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Researchers Uncovered Dark Web Operation Acquiring KYC Details

A major dark web operation dedicated to circumventing KYC (Know Your Customer) procedures, which...

Adobe Warns of ColdFusion Vulnerability Allows Attackers Read arbitrary files

Adobe has issued a critical security update for ColdFusion versions 2023 and 2021 to...

Beware of New Malicious PyPI packages That Steals Login Details

Two malicious Python packages, Zebo-0.1.0 and Cometlogger-0.1, were recently detected by Fortinet's AI-driven OSS...