Saturday, June 15, 2024

Hackers Using Facebook Ads to Attack Critical Infrastructure Employees

A new information stealer has been recently found by cybersecurity researchers at Morphisec which is called “SYS01stealer.” This stealer primarily targets entities from the following critical infrastructures:-

  • Infrastructure employees
  • Manufacturing companies
  • Other critical sectors

The Morphisec intelligence team has been tracking this advanced information stealer since November 2022. As part of this campaign, the threat actors are using Google ads and bogus Facebook profiles to target Facebook business accounts and advertise things such as:-

  • Games
  • Adult content
  • Cracked software
  • Movies/Series

In this way, they lure the victim and make them download malicious files. In the attack, sensitive information is intended to be stolen, including the following:- 

  • Login data
  • Cookies
  • Facebook ad account information
  • Facebook business account information

It was initially believed that the campaign was linked to the Ducktail cybercrime operation, which was financially motivated. 

Hackers Using Facebook Ads

In order to begin the attack, a fake Facebook profile or advertisement is used as a lure to lure victims into clicking on a URL. By clicking on this URL, the attackers make the victim download a ZIP file that is supposed to have the following items:-

  • Application
  • Game
  • Movie/Series

There are two parts under which the complete infection chain is divided, and they are as follows:-

  • The loader
  • The Inno-Setup installer

Loaders are normally legitimate C# applications that might be vulnerable to a side-loading vulnerability due to their side-loading behavior. A malicious DLL file is hidden within the application, which is eventually side-loaded for infection. 

It was found that Western Digital’s WDSyncService.exe and Garmin’s ElevatedInstaller.exe were some of the applications that were exploited to side-load the malicious DLL file.

While apart from this, the Python and Rust-based intermediate executables are sometimes deployed through side-loaded DLL. 

It is important to remember that no matter what approach is taken to reach the delivery of an installer, all roads lead there. Here the SYS01stealer is a PHP-based malware that is dropped and executed by this installer.

Browsers Affected

The stealer stealthily harvests the Facebook cookies from the web browsers that run on Chromium, which is the most popular browser. And here below we have mentioned the names of web browsers that are based on Chromium:-

  • Google Chrome
  • Microsoft Edge
  • Brave
  • Opera
  • Vivaldi

As a result, all of the victim’s Facebook information is transferred to a remote server, as well as arbitrary files are downloaded and executed.

  • In addition to this, it has the following capabilities: 
  • Connect the C2 server to the infected host and upload the files.
  • Follow the commands and instructions provided by the server.
  • As soon as a new version is released, it will update itself.


In order to trick Windows systems into loading malicious code, DLL side-loading is an extremely effective technique. During the loading process of an application in memory, if the order of search isn’t adhered to, the malicious file will be loaded in preference to the legitimate file.

This allows threat actors to execute malicious payloads even when legitimate, trusted applications are hijacked.

It is important to implement a zero-trust policy and limit the user’s rights when it comes to downloading and installing programs in order to help prevent the SYS01 stealer.

Network Security Checklist – Download Free E-Book


Latest articles

Sleepy Pickle Exploit Let Attackers Exploit ML Models And Attack End-Users

Hackers are targeting, attacking, and exploiting ML models. They want to hack into these...

SolarWinds Serv-U Vulnerability Let Attackers Access sensitive files

SolarWinds released a security advisory for addressing a Directory Traversal vulnerability which allows a...

Smishing Triad Hackers Attacking Online Banking, E-Commerce AND Payment Systems Customers

Hackers often attack online banking platforms, e-commerce portals, and payment systems for illicit purposes.Resecurity...

Threat Actor Claiming Leak Of 5 Million Ecuador’s Citizen Database

A threat actor has claimed responsibility for leaking the personal data of 5 million...

Ascension Hack Caused By an Employee Who Downloaded a Malicious File

Ascension, a leading healthcare provider, has made significant strides in its investigation and recovery...

AWS Announced Malware Detection Tool For S3 Buckets

Amazon Web Services (AWS) has announced the general availability of Amazon GuardDuty Malware Protection...

Hackers Exploiting MS Office Editor Vulnerability to Deploy Keylogger

Researchers have identified a sophisticated cyberattack orchestrated by the notorious Kimsuky threat group.The...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles