Friday, January 24, 2025
HomeCyber AttackHackers Using Facebook Ads to Attack Critical Infrastructure Employees

Hackers Using Facebook Ads to Attack Critical Infrastructure Employees

Published on

SIEM as a Service

Follow Us on Google News

A new information stealer has been recently found by cybersecurity researchers at Morphisec which is called “SYS01stealer.” This stealer primarily targets entities from the following critical infrastructures:-

  • Infrastructure employees
  • Manufacturing companies
  • Other critical sectors

The Morphisec intelligence team has been tracking this advanced information stealer since November 2022. As part of this campaign, the threat actors are using Google ads and bogus Facebook profiles to target Facebook business accounts and advertise things such as:-

  • Games
  • Adult content
  • Cracked software
  • Movies/Series

In this way, they lure the victim and make them download malicious files. In the attack, sensitive information is intended to be stolen, including the following:- 

  • Login data
  • Cookies
  • Facebook ad account information
  • Facebook business account information

It was initially believed that the campaign was linked to the Ducktail cybercrime operation, which was financially motivated. 

Hackers Using Facebook Ads

In order to begin the attack, a fake Facebook profile or advertisement is used as a lure to lure victims into clicking on a URL. By clicking on this URL, the attackers make the victim download a ZIP file that is supposed to have the following items:-

  • Application
  • Game
  • Movie/Series

There are two parts under which the complete infection chain is divided, and they are as follows:-

  • The loader
  • The Inno-Setup installer

Loaders are normally legitimate C# applications that might be vulnerable to a side-loading vulnerability due to their side-loading behavior. A malicious DLL file is hidden within the application, which is eventually side-loaded for infection. 

It was found that Western Digital’s WDSyncService.exe and Garmin’s ElevatedInstaller.exe were some of the applications that were exploited to side-load the malicious DLL file.

While apart from this, the Python and Rust-based intermediate executables are sometimes deployed through side-loaded DLL. 

It is important to remember that no matter what approach is taken to reach the delivery of an installer, all roads lead there. Here the SYS01stealer is a PHP-based malware that is dropped and executed by this installer.

Browsers Affected

The stealer stealthily harvests the Facebook cookies from the web browsers that run on Chromium, which is the most popular browser. And here below we have mentioned the names of web browsers that are based on Chromium:-

  • Google Chrome
  • Microsoft Edge
  • Brave
  • Opera
  • Vivaldi

As a result, all of the victim’s Facebook information is transferred to a remote server, as well as arbitrary files are downloaded and executed.

  • In addition to this, it has the following capabilities: 
  • Connect the C2 server to the infected host and upload the files.
  • Follow the commands and instructions provided by the server.
  • As soon as a new version is released, it will update itself.

Recommendation

In order to trick Windows systems into loading malicious code, DLL side-loading is an extremely effective technique. During the loading process of an application in memory, if the order of search isn’t adhered to, the malicious file will be loaded in preference to the legitimate file.

This allows threat actors to execute malicious payloads even when legitimate, trusted applications are hijacked.

It is important to implement a zero-trust policy and limit the user’s rights when it comes to downloading and installing programs in order to help prevent the SYS01 stealer.

Network Security Checklist – Download Free E-Book

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Subaru’s STARLINK Connected Car’s Vulnerability Let Attackers Gain Restricted Access

In a groundbreaking discovery on November 20, 2024, cybersecurity researchers Shubham Shah and a...

Android Kiosk Tablets Vulnerability Let Attackers Control AC & Lights

A security flaw found in Android-based kiosk tablets at luxury hotels has exposed a...

CISA Releases Six ICS Advisories Details Security Issues

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued six Industrial Control Systems (ICS)...

Juniper Routers Exploited via Magic Packet Vulnerability to Deploy Custom Backdoor

A sophisticated cyber campaign dubbed "J-magic" has been discovered targeting enterprise-grade Juniper routers with...

API Security Webinar

Free Webinar - DevSecOps Hacks

By embedding security into your CI/CD workflows, you can shift left, streamline your DevSecOps processes, and release secure applications faster—all while saving time and resources.

In this webinar, join Phani Deepak Akella ( VP of Marketing ) and Karthik Krishnamoorthy (CTO), Indusface as they explores best practices for integrating application security into your CI/CD workflows using tools like Jenkins and Jira.

Discussion points

Automate security scans as part of the CI/CD pipeline.
Get real-time, actionable insights into vulnerabilities.
Prioritize and track fixes directly in Jira, enhancing collaboration.
Reduce risks and costs by addressing vulnerabilities pre-production.

More like this

Android Kiosk Tablets Vulnerability Let Attackers Control AC & Lights

A security flaw found in Android-based kiosk tablets at luxury hotels has exposed a...

CISA Releases Six ICS Advisories Details Security Issues

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued six Industrial Control Systems (ICS)...

KEYPLUG Infrastructure Exposed: Server Configurations and TLS Certificates Revealed

In a recent technical investigation, researchers uncovered critical insights into the infrastructure linked to...