SYS01stealer Malware

Cybersecurity researchers have uncovered an ongoing malvertising campaign that abuses Meta's advertising platform and hijacked Facebook accounts to distribute an information stealer known as SYS01stealer.

"The hackers behind the campaign use trusted brands to expand their reach," Bitdefender Labs said in a report shared with The Hacker News.

"The malvertising campaign leverages nearly a hundred malicious domains, utilized not only for distributing the malware but also for live command and control (C2) operations, allowing threat actors to manage the attack in real-time."

SYS01stealer was first documented by Morphisec in early 2023, in a report describing attack campaigns that targeted Facebook business accounts using Google ads and fake Facebook profiles promoting games, adult content, and cracked software.

Like other stealer malware, the end goal is to steal login credentials, browsing history, and cookies. But it's also focused on obtaining Facebook ad and business account data, which is then used to propagate the malware further via phony ads.

"The hijacked Facebook accounts serve as a foundation for scaling up the entire operation," Bitdefender noted. "Each compromised account can be repurposed to promote additional malicious ads, amplifying the reach of the campaign without the hackers needing to create new Facebook accounts themselves."

The primary vector through which SYS01stealer is distributed is via malvertising across platforms like Facebook, YouTube, and LinkedIn, with the ads promoting Windows themes, games, AI software, photo editors, VPNs, and movie streaming services. A majority of the Facebook ads are engineered to target men aged 45 and above.

"This effectively lures victims into clicking these ads and having their browser data stolen," Trustwave said in an analysis of the malware in July 2024.

"If there is Facebook-related information in the data, there is a possibility of not only having their browser data stolen but also having their Facebook accounts controlled by the threat actors to further spread malvertisements and continue the cycle."

Users who end up interacting with the ads are redirected to deceptive sites hosted on Google Sites or True Hosting that impersonate legitimate brands and applications in an attempt to initiate the infection. The attacks are also known to use hijacked Facebook accounts to publish fraudulent ads.

The first stage payload downloaded from these sites is a ZIP archive that includes a benign executable, which is used to sideload a malicious DLL responsible for decoding and launching the multi-stage process.

This includes running PowerShell commands to prevent the malware from running in a sandboxed environment, modifying Microsoft Defender Antivirus settings to exclude certain paths to avoid detection, and setting up an operating environment to run the PHP-based stealer.

In the latest attack chains observed by the Romanian cybersecurity company, the ZIP archives come embedded with an Electron application, suggesting that the threat actors are continuously evolving their strategies.

Also present within the Atom Shell Archive (ASAR) is a JavaScript file ("main.js") that now executes the PowerShell commands to perform sandbox checks and execute the stealer. Persistence on the host is achieved by setting up scheduled tasks.
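The loader behaviours described above (PowerShell modifying Microsoft Defender exclusions, then a scheduled task for persistence) lend themselves to a correlation rule. The following is an added example, not code from Bitdefender, Trustwave or the page's own material; the log format, field names, sample records and the `C:\Users\` parent-path heuristic are constructed assumptions for illustration.

```python
# Added example (not Bitdefender/Trustwave code): correlate the loader behaviours
# described above. Log format, field names and sample lines are constructed.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation records: <iso-time>|<parent_image>|<image>|<command_line>
SAMPLE_LOG = """\
2024-10-30T09:01:02|C:\\Users\\u\\Downloads\\PhotoEdit\\PhotoEdit.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell -w hidden -c "Add-MpPreference -ExclusionPath 'C:\\Users\\u\\AppData\\Local\\PhotoEdit'"
2024-10-30T09:01:05|C:\\Users\\u\\Downloads\\PhotoEdit\\PhotoEdit.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell -c "schtasks /create /tn Updater /tr C:\\Users\\u\\AppData\\Local\\PhotoEdit\\run.bat /sc minute /mo 5"
2024-10-30T10:15:00|C:\\Program Files\\Corp\\Agent.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell -c "Add-MpPreference -ExclusionPath 'C:\\Program Files\\Corp'"
"""

USER_WRITABLE = re.compile(r"^C:\\Users\\", re.I)  # assumption: loader runs from a user profile path
DEFENDER_EXCLUSION = re.compile(r"(Add|Set)-MpPreference\b.*-Exclusion(Path|Process|Extension)", re.I)
SCHED_TASK = re.compile(r"schtasks(\.exe)?\s+/create|Register-ScheduledTask", re.I)

def parse_line(line):
    ts, parent, image, cmd = line.split("|", 3)
    return {"ts": datetime.fromisoformat(ts), "parent": parent, "image": image, "cmd": cmd}

def classify(event):
    """Behaviours a single PowerShell child process exhibits (empty set if not PowerShell)."""
    tags = set()
    if event["image"].lower().endswith("powershell.exe"):
        if DEFENDER_EXCLUSION.search(event["cmd"]):
            tags.add("defender_exclusion")
        if SCHED_TASK.search(event["cmd"]):
            tags.add("scheduled_task")
    return tags

def correlate(log_text, window=timedelta(minutes=10)):
    """One finding per user-writable parent whose PowerShell children show both behaviours within `window`."""
    by_parent = defaultdict(list)
    for line in filter(str.strip, log_text.splitlines()):
        ev = parse_line(line)
        tags = classify(ev)
        if tags:
            by_parent[ev["parent"]].append((ev["ts"], tags))
    findings = []
    for parent, evs in by_parent.items():
        times = [t for t, _ in evs]
        seen = set().union(*(tags for _, tags in evs))
        span = max(times) - min(times)
        # A lone exclusion from a tool under Program Files is common; the pairing is the signal.
        if USER_WRITABLE.match(parent) and {"defender_exclusion", "scheduled_task"} <= seen and span <= window:
            findings.append({"parent": parent, "behaviours": sorted(seen), "span_seconds": span.total_seconds()})
    return findings
```

Running `correlate(SAMPLE_LOG)` flags only the PhotoEdit parent; the Program Files agent that merely adds an exclusion is left for lower-severity review.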

"The adaptability of the cybercriminals behind these attacks makes the SYS01 infostealer campaign especially dangerous," Bitdefender said. "The malware employs sandbox detection, halting its operations if it detects it's being run in a controlled environment, often used by analysts to examine malware. This allows it to remain undetected in many cases."

"When cybersecurity firms begin to flag and block a specific version of the loader, the hackers respond swiftly by updating the code. They then push out new ads with updated malware that evades the latest security measures."

Phishing Campaigns Abuse Eventbrite

The development comes as Perception Point detailed phishing campaigns that misuse the Eventbrite events and ticketing platform to steal financial or personal information.

The emails, delivered via noreply@events.eventbrite[.]com, prompt users to click on a link to pay an outstanding bill or confirm their package delivery address, after which they are asked to enter their login and credit card details.

The attack itself is made possible by the fact that the threat actors sign up for legitimate accounts on the service and create fake events by abusing the reputation of a known brand, embedding the phishing link within the event description or attachment. The event invite is then sent to their targets.

"Because the email is sent via Eventbrite's verified domain and IP address, it is more likely to pass email filters, successfully reaching the recipient's inbox," Perception Point said.

"The Eventbrite sender domain also increases the likelihood that recipients will open the email and click through to the phishing link. This abuse of Eventbrite's platform enables the attackers to evade detection, ensuring higher delivery and open rates."

Pig Butchering of a Different Kind

Threat hunters are also calling attention to an increase in cryptocurrency fraud that impersonates various organizations to target users with bogus job lures that purportedly allow them to earn money while working from home. The unsolicited messages also claim to represent legitimate brands like Spotify, TikTok, and Temu.

The activity commences via social media, SMS, and messaging apps like WhatsApp and Telegram. Users who agree to take up the jobs are instructed by the scammers to register on a malicious website using a referral code, following which they are asked to complete various tasks – submit fake reviews, place product orders, play specific songs on Spotify, or book hotels.

The scam unfolds when the victims' fake commission-account balance suddenly goes negative and they are urged to top it up by investing their own cryptocurrency in order to earn bonuses from the tasks.

"This vicious cycle will continue as long as the scammers think the victim will keep paying into the system," Proofpoint researchers said. "If they suspect their victim has become wise to the scam, they will lock their account and ghost them."

The illicit scheme has been attributed with high confidence to threat actors who also conduct pig butchering, which is also known as romance-based cryptocurrency investment fraud.

"The job fraud has smaller but more frequent returns for the fraudsters compared to pig butchering," Proofpoint said. "The activity leverages popular brand recognition in place of a long, romance-based confidence scam."
