SYS01 InfoStealer Malware Attacking Meta Business Page To Steal Logins

The ongoing Meta malvertising campaign, active for over a month, employs an evolving strategy to distribute the SYS01 InfoStealer through ElectronJs applications disguised as legitimate software like video editors, productivity tools, and streaming services. 

The campaign leverages nearly a hundred malicious domains for distribution and C2 operations, targeting a global audience, especially males aged 45 and above. 

Threat actors continuously update the malware with enhanced obfuscation techniques to evade detection, making it a persistent and sophisticated threat.

Cybercriminals have launched a widespread ad campaign targeting senior men, impersonating various popular software and services by distributing infostealers disguised as legitimate downloads for productivity tools, video editors, VPNs, streaming platforms, messaging apps, and even video games. 

Protecting Your Networks & Endpoints With UnderDefense MDR – Request Free Demo

By leveraging many impersonated entities and extensive ad distribution, the attackers aim to reach millions of potential victims, increasing the likelihood of successful infections.

The SYS01 Infostealer campaign uses malvertising to distribute malicious Electron apps disguised as legitimate software. Once downloaded and executed, these apps drop and execute additional malware. 

The infection process includes extracting password-protected archives, deobfuscating code written in JavaScript, and using scripts written in PowerShell. 

The malware’s execution is a chance on the victim’s system not being in a sandbox environment, as determined by GPU model checks, as the final stage involves executing a PHP script to complete the malicious activity. 

The IonCube-encoded PHP malware establishes persistence through Task Scheduler, creating tasks for periodic execution and user logon triggers.

The primary malicious script, index.php, accesses sensitive information, including browser cookies and Facebook data. 

It communicates with C2 servers, potentially using Telegram bots and Google Pages for dynamic C2 acquisition, which suggests a focus on data exfiltration and potential account compromise.

The Infostealer malware communicates with a C2 server to receive custom commands, including “get_ck_all,” which triggers the malware to extract cookies and tokens from specified browsers. 

The C2 server also provides Meta Graph API calls, enabling the malware to gather information about the victim’s Facebook accounts.

This information is potentially valuable on the dark web and highlights the malware’s primary goal of compromising Facebook accounts for malicious purposes.

According to Bitdefender, the SYS01 Infostealer campaign is a sophisticated threat that leverages advanced evasion techniques to bypass security measures. It uses hijacked Facebook accounts to distribute malicious ads, scaling the attack and evading detection. 

The stolen credentials from these attacks are then sold on underground markets, generating revenue for the cybercriminals. This allows for an autonomous and profitable operation, making the threat persistent and dangerous. 

To safeguard against threats like SYS01, exercise caution when clicking on ads, especially those promising free downloads. Always download software from official sources and employ robust security software with regular updates. 

Enable two-factor authentication on the Facebook account, especially for business purposes, and monitor your accounts for anomalies. Promptly report any suspicious activity to Facebook and change the login credentials.

Run private, Real-time Malware Analysis in both Windows & Linux VMs. Get a 14-day free trial with ANY.RUN!