Hackers Using Facebook Ads to Attack Critical Infrastructure Employees

A new information stealer has been recently found by cybersecurity researchers at Morphisec which is called “SYS01stealer.” This stealer primarily targets entities from the following critical infrastructures:-

• Infrastructure employees
• Manufacturing companies
• Other critical sectors

The Morphisec intelligence team has been tracking this advanced information stealer since November 2022. As part of this campaign, the threat actors are using Google ads and bogus Facebook profiles to target Facebook business accounts and advertise things such as:-

• Games
• Adult content
• Cracked software
• Movies/Series

In this way, they lure the victim and make them download malicious files. In the attack, sensitive information is intended to be stolen, including the following:- 

• Login data
• Cookies
• Facebook ad account information
• Facebook business account information

It was initially believed that the campaign was linked to the Ducktail cybercrime operation, which was financially motivated. 

Hackers Using Facebook Ads

In order to begin the attack, a fake Facebook profile or advertisement is used as a lure to lure victims into clicking on a URL. By clicking on this URL, the attackers make the victim download a ZIP file that is supposed to have the following items:-

• Application
• Game
• Movie/Series

There are two parts under which the complete infection chain is divided, and they are as follows:-

• The loader
• The Inno-Setup installer

Loaders are normally legitimate C# applications that might be vulnerable to a side-loading vulnerability due to their side-loading behavior. A malicious DLL file is hidden within the application, which is eventually side-loaded for infection. 

It was found that Western Digital’s WDSyncService.exe and Garmin’s ElevatedInstaller.exe were some of the applications that were exploited to side-load the malicious DLL file.

While apart from this, the Python and Rust-based intermediate executables are sometimes deployed through side-loaded DLL. 

It is important to remember that no matter what approach is taken to reach the delivery of an installer, all roads lead there. Here the SYS01stealer is a PHP-based malware that is dropped and executed by this installer.

Browsers Affected

The stealer stealthily harvests the Facebook cookies from the web browsers that run on Chromium, which is the most popular browser. And here below we have mentioned the names of web browsers that are based on Chromium:-

• Google Chrome
• Microsoft Edge
• Brave
• Opera
• Vivaldi

As a result, all of the victim’s Facebook information is transferred to a remote server, as well as arbitrary files are downloaded and executed.

• In addition to this, it has the following capabilities:
• Connect the C2 server to the infected host and upload the files.
• Follow the commands and instructions provided by the server.
• As soon as a new version is released, it will update itself.

Recommendation

In order to trick Windows systems into loading malicious code, DLL side-loading is an extremely effective technique. During the loading process of an application in memory, if the order of search isn’t adhered to, the malicious file will be loaded in preference to the legitimate file.

This allows threat actors to execute malicious payloads even when legitimate, trusted applications are hijacked.

It is important to implement a zero-trust policy and limit the user’s rights when it comes to downloading and installing programs in order to help prevent the SYS01 stealer.

Network Security Checklist – Download Free E-Book