Cyber Security News

SYS01 InfoStealer Malware Attacking Meta Business Page To Steal Logins

The ongoing Meta malvertising campaign, active for over a month, employs an evolving strategy to distribute the SYS01 InfoStealer through ElectronJs applications disguised as legitimate software like video editors, productivity tools, and streaming services. 

The campaign leverages nearly a hundred malicious domains for distribution and C2 operations, targeting a global audience, especially males aged 45 and above. 

Threat actors continuously update the malware with enhanced obfuscation techniques to evade detection, making it a persistent and sophisticated threat.

Impersonating as Netflix

Cybercriminals have launched a widespread ad campaign targeting senior men, impersonating various popular software and services by distributing infostealers disguised as legitimate downloads for productivity tools, video editors, VPNs, streaming platforms, messaging apps, and even video games. 

Protecting Your Networks & Endpoints With UnderDefense MDR – Request Free Demo

By leveraging many impersonated entities and extensive ad distribution, the attackers aim to reach millions of potential victims, increasing the likelihood of successful infections.

The SYS01 Infostealer campaign uses malvertising to distribute malicious Electron apps disguised as legitimate software. Once downloaded and executed, these apps drop and execute additional malware. 

.zip archive which contains an Electron application

The infection process includes extracting password-protected archives, deobfuscating code written in JavaScript, and using scripts written in PowerShell

The malware’s execution is a chance on the victim’s system not being in a sandbox environment, as determined by GPU model checks, as the final stage involves executing a PHP script to complete the malicious activity. 

The IonCube-encoded PHP malware establishes persistence through Task Scheduler, creating tasks for periodic execution and user logon triggers.

The primary malicious script, index.php, accesses sensitive information, including browser cookies and Facebook data. 

Php sample

It communicates with C2 servers, potentially using Telegram bots and Google Pages for dynamic C2 acquisition, which suggests a focus on data exfiltration and potential account compromise.

The Infostealer malware communicates with a C2 server to receive custom commands, including “get_ck_all,” which triggers the malware to extract cookies and tokens from specified browsers. 

The C2 server also provides Meta Graph API calls, enabling the malware to gather information about the victim’s Facebook accounts.

This information is potentially valuable on the dark web and highlights the malware’s primary goal of compromising Facebook accounts for malicious purposes.

C2 response

According to Bitdefender, the SYS01 Infostealer campaign is a sophisticated threat that leverages advanced evasion techniques to bypass security measures. It uses hijacked Facebook accounts to distribute malicious ads, scaling the attack and evading detection. 

The stolen credentials from these attacks are then sold on underground markets, generating revenue for the cybercriminals. This allows for an autonomous and profitable operation, making the threat persistent and dangerous. 

To safeguard against threats like SYS01, exercise caution when clicking on ads, especially those promising free downloads. Always download software from official sources and employ robust security software with regular updates. 

Enable two-factor authentication on the Facebook account, especially for business purposes, and monitor your accounts for anomalies. Promptly report any suspicious activity to Facebook and change the login credentials.

Run private, Real-time Malware Analysis in both Windows & Linux VMs. Get a 14-day free trial with ANY.RUN!

Aman Mishra

Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Recent Posts

New RDP Exploit Allows Attackers to Take Over Windows and Browser Sessions

Cybersecurity experts have uncovered a new exploit leveraging the widely used Remote Desktop Protocol (RDP).…

11 minutes ago

New SMS-Based Phishing Tool ‘DevilTraff’ Enables Mass Cyber Attacks

Cybersecurity experts are sounding the alarm about a new SMS-based phishing tool, Devil-Traff, that is…

1 hour ago

DeepSeek Database Publicly Exposed Sensitive Information, Secret Keys & Logs

Experts at Wiz Research have identified a publicly exposed ClickHouse database belonging to DeepSeek, a…

1 hour ago

OPNsense 25.1 Released, What’s New!

The highly anticipated release of OPNsense 25.1 has officially arrived! Nicknamed "Ultimate Unicorn," this update…

2 hours ago

DeepSeek is Now Available With Microsoft Azure AI Foundry

Microsoft has officially added DeepSeek R1, an advanced AI model, to its Azure AI Foundry…

2 hours ago

New Apple SLAP & FLOP Side-Channel Attacks Let Attackers Steal Login Details From Browser

Researchers from the Georgia Institute of Technology and Ruhr University Bochum have uncovered two novel…

14 hours ago