Saturday, December 7, 2024
HomeCyber Security NewsSYS01 InfoStealer Malware Attacking Meta Business Page To Steal Logins

SYS01 InfoStealer Malware Attacking Meta Business Page To Steal Logins

Published on

SIEM as a Service

The ongoing Meta malvertising campaign, active for over a month, employs an evolving strategy to distribute the SYS01 InfoStealer through ElectronJs applications disguised as legitimate software like video editors, productivity tools, and streaming services. 

The campaign leverages nearly a hundred malicious domains for distribution and C2 operations, targeting a global audience, especially males aged 45 and above. 

Threat actors continuously update the malware with enhanced obfuscation techniques to evade detection, making it a persistent and sophisticated threat.

- Advertisement - SIEM as a Service
Impersonating as Netflix
Impersonating as Netflix

Cybercriminals have launched a widespread ad campaign targeting senior men, impersonating various popular software and services by distributing infostealers disguised as legitimate downloads for productivity tools, video editors, VPNs, streaming platforms, messaging apps, and even video games. 

Protecting Your Networks & Endpoints With UnderDefense MDR – Request Free Demo

By leveraging many impersonated entities and extensive ad distribution, the attackers aim to reach millions of potential victims, increasing the likelihood of successful infections.

The SYS01 Infostealer campaign uses malvertising to distribute malicious Electron apps disguised as legitimate software. Once downloaded and executed, these apps drop and execute additional malware. 

.zip archive which contains an Electron application
.zip archive which contains an Electron application

The infection process includes extracting password-protected archives, deobfuscating code written in JavaScript, and using scripts written in PowerShell. 

The malware’s execution is a chance on the victim’s system not being in a sandbox environment, as determined by GPU model checks, as the final stage involves executing a PHP script to complete the malicious activity. 

The IonCube-encoded PHP malware establishes persistence through Task Scheduler, creating tasks for periodic execution and user logon triggers.

The primary malicious script, index.php, accesses sensitive information, including browser cookies and Facebook data. 

Php sample
Php sample

It communicates with C2 servers, potentially using Telegram bots and Google Pages for dynamic C2 acquisition, which suggests a focus on data exfiltration and potential account compromise.

The Infostealer malware communicates with a C2 server to receive custom commands, including “get_ck_all,” which triggers the malware to extract cookies and tokens from specified browsers. 

The C2 server also provides Meta Graph API calls, enabling the malware to gather information about the victim’s Facebook accounts.

This information is potentially valuable on the dark web and highlights the malware’s primary goal of compromising Facebook accounts for malicious purposes.

 C2 response
 C2 response

According to Bitdefender, the SYS01 Infostealer campaign is a sophisticated threat that leverages advanced evasion techniques to bypass security measures. It uses hijacked Facebook accounts to distribute malicious ads, scaling the attack and evading detection. 

The stolen credentials from these attacks are then sold on underground markets, generating revenue for the cybercriminals. This allows for an autonomous and profitable operation, making the threat persistent and dangerous. 

To safeguard against threats like SYS01, exercise caution when clicking on ads, especially those promising free downloads. Always download software from official sources and employ robust security software with regular updates. 

Enable two-factor authentication on the Facebook account, especially for business purposes, and monitor your accounts for anomalies. Promptly report any suspicious activity to Facebook and change the login credentials.

Run private, Real-time Malware Analysis in both Windows & Linux VMs. Get a 14-day free trial with ANY.RUN!

Latest articles

DaMAgeCard Attack – New SD Card Attack Lets Hackers Directly Access System Memory

Security researchers have identified a significant vulnerability dubbed "DaMAgeCard Attack" in the new SD...

Deloitte Denies Breach, Claims Only Single System Affected

Ransomware group Brain Cipher claimed to have breached Deloitte UK and threatened to publish...

Top Five Industries Most Frequently Targeted by Phishing Attacks

Researchers analyzed phishing attacks from Q3 2023 to Q3 2024 and identified the top...

Russian BlueAlpha APT Exploits Cloudflare Tunnels to Distribute Custom Malware

BlueAlpha, a Russian state-sponsored group, is actively targeting Ukrainian individuals and organizations by using...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

DaMAgeCard Attack – New SD Card Attack Lets Hackers Directly Access System Memory

Security researchers have identified a significant vulnerability dubbed "DaMAgeCard Attack" in the new SD...

Deloitte Denies Breach, Claims Only Single System Affected

Ransomware group Brain Cipher claimed to have breached Deloitte UK and threatened to publish...

Top Five Industries Most Frequently Targeted by Phishing Attacks

Researchers analyzed phishing attacks from Q3 2023 to Q3 2024 and identified the top...