Cyber Security News

SYS01 InfoStealer Malware Attacking Meta Business Page To Steal Logins

The ongoing Meta malvertising campaign, active for over a month, employs an evolving strategy to distribute the SYS01 InfoStealer through ElectronJs applications disguised as legitimate software like video editors, productivity tools, and streaming services. 

The campaign leverages nearly a hundred malicious domains for distribution and C2 operations, targeting a global audience, especially males aged 45 and above. 

Threat actors continuously update the malware with enhanced obfuscation techniques to evade detection, making it a persistent and sophisticated threat.

Impersonating as Netflix

Cybercriminals have launched a widespread ad campaign targeting senior men, impersonating various popular software and services by distributing infostealers disguised as legitimate downloads for productivity tools, video editors, VPNs, streaming platforms, messaging apps, and even video games. 

Protecting Your Networks & Endpoints With UnderDefense MDR – Request Free Demo

By leveraging many impersonated entities and extensive ad distribution, the attackers aim to reach millions of potential victims, increasing the likelihood of successful infections.

The SYS01 Infostealer campaign uses malvertising to distribute malicious Electron apps disguised as legitimate software. Once downloaded and executed, these apps drop and execute additional malware. 

.zip archive which contains an Electron application

The infection process includes extracting password-protected archives, deobfuscating code written in JavaScript, and using scripts written in PowerShell

The malware’s execution is a chance on the victim’s system not being in a sandbox environment, as determined by GPU model checks, as the final stage involves executing a PHP script to complete the malicious activity. 

The IonCube-encoded PHP malware establishes persistence through Task Scheduler, creating tasks for periodic execution and user logon triggers.

The primary malicious script, index.php, accesses sensitive information, including browser cookies and Facebook data. 

Php sample

It communicates with C2 servers, potentially using Telegram bots and Google Pages for dynamic C2 acquisition, which suggests a focus on data exfiltration and potential account compromise.

The Infostealer malware communicates with a C2 server to receive custom commands, including “get_ck_all,” which triggers the malware to extract cookies and tokens from specified browsers. 

The C2 server also provides Meta Graph API calls, enabling the malware to gather information about the victim’s Facebook accounts.

This information is potentially valuable on the dark web and highlights the malware’s primary goal of compromising Facebook accounts for malicious purposes.

C2 response

According to Bitdefender, the SYS01 Infostealer campaign is a sophisticated threat that leverages advanced evasion techniques to bypass security measures. It uses hijacked Facebook accounts to distribute malicious ads, scaling the attack and evading detection. 

The stolen credentials from these attacks are then sold on underground markets, generating revenue for the cybercriminals. This allows for an autonomous and profitable operation, making the threat persistent and dangerous. 

To safeguard against threats like SYS01, exercise caution when clicking on ads, especially those promising free downloads. Always download software from official sources and employ robust security software with regular updates. 

Enable two-factor authentication on the Facebook account, especially for business purposes, and monitor your accounts for anomalies. Promptly report any suspicious activity to Facebook and change the login credentials.

Run private, Real-time Malware Analysis in both Windows & Linux VMs. Get a 14-day free trial with ANY.RUN!

Aman Mishra

Recent Posts

Lumma Stealer Attacking Users To Steal Login Credentials From Browsers

Researchers observed Lumma Stealer activity across multiple online samples, including PowerShell scripts and a disguised…

16 hours ago

New ‘OtterCookie’ Malware Attacking Software Developers Via Fake Job Offers

Palo Alto Networks reported the Contagious Interview campaign in November 2023, a financially motivated attack…

16 hours ago

NjRat 2.3D Pro Edition Shared on GitHub: A Growing Cybersecurity Concern

The recent discovery of the NjRat 2.3D Professional Edition on GitHub has raised alarms in…

16 hours ago

Palo Alto Networks Vulnerability Puts Firewalls at Risk of DoS Attacks

A critical vulnerability, CVE-2024-3393, has been identified in the DNS Security feature of Palo Alto…

16 hours ago

Araneida Scanner – Hackers Using Cracked Version Of Acunetix Vulnerability Scanner

Threat Analysts have reported alarming findings about the "Araneida Scanner," a malicious tool allegedly based…

2 days ago

A Dark Web Operation Acquiring KYC Details TO Bypass Identity Verification Systems

A major dark web operation dedicated to circumventing KYC (Know Your Customer) procedures, which involves…

2 days ago