SYS01 Malware Exploits Meta Business Ads to Steal Credentials

Threat Overview

Threat Group: Unknown, suspected Rilide malware affiliates
Threat Type: Infostealer Malware
Exploited Vulnerabilities: Browser credential storage, Facebook account access, Windows Task Scheduler
Malware Used: SYS01 Infostealer
Threat Score: High (8.5/10) — Due to sophisticated targeting of widely-used platforms, persistent evasion tactics, and expansive reach
Last Threat Observation: November 2024


Overview

A newly observed malvertising campaign is using the SYS01 infostealer to abuse Meta's advertising platform. Its ads impersonate trusted brands and applications, target Facebook business accounts, and are aimed primarily at senior male demographics. Distributed through thousands of deceptive advertisements, SYS01 gathers personal and account credentials. The campaign employs advanced methods to evade detection, including sandbox avoidance, rotation across multiple domains, and dynamic command-and-control (C2) retrieval through Telegram and Google.

Key Details

  • Delivery Method: Malicious Facebook ads impersonating trusted brands and software
  • Target: Primarily Facebook business accounts and browser-stored credentials
  • Functions:
    • Credential and session data theft from browsers
    • Exfiltration of Facebook business account details for account takeover
    • Persistent infection via Windows Task Scheduler
    • Obfuscation using Electron-based apps, JavaScript, and PowerShell
    • Communication with C2 servers via HTTP and Telegram bots
  • Obfuscation: PowerShell, JavaScript in Electron apps, right-to-left override for file names

Attack Vectors

SYS01 employs the following attack methodologies:

  • Malvertising via Facebook: Using malicious ads that seem legitimate due to impersonation of popular brands, the campaign reaches millions of users.
  • Infection Chain: ZIP files with embedded Electron applications sideload malicious DLLs and execute obfuscated JavaScript and PowerShell scripts.
  • Persistence: Established using Windows Task Scheduler with scheduled tasks and registry run keys.
  • Dynamic C2 Domain Retrieval: Uses Telegram bots and Google pages to identify active C2 servers, allowing the malware to adapt to takedowns.
  • Advanced Evasion: Detects virtualized environments to evade analysis and halts its malicious behavior when it determines it is running in a sandbox.

Known Indicators of Compromise (IoCs)

  • File Hashes: Variable due to frequent updates and encryption.
  • Malicious URLs:
  • Malicious Domains:

Mitigation and Prevention

  1. User Awareness: Train employees to identify potentially harmful ads and suspicious downloads.
  2. Ad Monitoring and Filtering: Implement tools to scrutinize ad content on social media for indicators of malicious intent.
  3. Endpoint Protection: Ensure up-to-date antivirus tools to detect and block PowerShell and DLL sideloading abuses.
  4. Two-Factor Authentication (2FA): Enable 2FA on Facebook and other essential platforms.
  5. System and Software Updates: Regularly update operating systems and browser software.
  6. Log Monitoring and Anomaly Detection: Monitor for unusual task scheduling or registry changes indicating persistence.
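As an added example (not from the advisory or the vendors it cites), the PowerShell audit below checks the two persistence locations named under Attack Vectors, scheduled tasks and registry Run keys, for the traits this page describes: obfuscated PowerShell launchers, DLLs loaded through rundll32/regsvr32 from non-.dll files, programs started from user-writable folders, and right-to-left override characters in names. The match patterns and directory list are assumptions chosen for illustration, not published detection rules.

```powershell
# Added example: audits the persistence locations named in the advisory (scheduled tasks and
# Run/RunOnce keys) for traits it attributes to SYS01. Patterns and paths are assumptions; tune them.

# Directories a user-level dropper can write to; startup entries launched from here deserve review.
$userWritable = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, "$env:USERPROFILE\Downloads") | Where-Object { $_ }

function Test-SuspiciousCommand {
    param([string]$CommandLine)
    $reasons = @()
    $cmd = $CommandLine.Trim().TrimStart('"')
    # Obfuscated PowerShell launchers: encoded command, hidden window or execution-policy bypass.
    if ($cmd -match '(?i)\b(powershell|pwsh)\b' -and
        $cmd -match '(?i)\s-(e|ec|enc|encodedcommand)\s|-w(indowstyle)?\s+hidden|-ep\s+bypass|executionpolicy\s+bypass') {
        $reasons += 'obfuscated PowerShell launcher'
    }
    # DLL sideloading through a living-off-the-land binary handed a file that is not named *.dll.
    if ($cmd -match '(?i)\b(rundll32|regsvr32)\b' -and $cmd -notmatch '(?i)\.dll\b') {
        $reasons += 'rundll32/regsvr32 without a .dll argument'
    }
    foreach ($dir in $userWritable) {
        if ($cmd.StartsWith($dir, [System.StringComparison]::OrdinalIgnoreCase)) { $reasons += "runs from $dir" }
    }
    # Right-to-left override (U+202E) hides the real extension of a file name.
    if ($cmd -match '\u202E') { $reasons += 'right-to-left override in command' }
    return $reasons
}

$findings = [System.Collections.Generic.List[object]]::new()

# 1. Scheduled tasks: inspect every action's executable and arguments.
foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        $line = "$($action.Execute) $($action.Arguments)"
        $why = Test-SuspiciousCommand $line
        if ($why) { $findings.Add([pscustomobject]@{ Source = "Task $($task.TaskPath)$($task.TaskName)"; Command = $line; Reasons = $why -join '; ' }) }
    }
}

# 2. Run/RunOnce keys for the current user and the machine.
$runKeys = 'HKCU:', 'HKLM:' | ForEach-Object { "$_\Software\Microsoft\Windows\CurrentVersion\Run"; "$_\Software\Microsoft\Windows\CurrentVersion\RunOnce" }
foreach ($key in ($runKeys | Where-Object { Test-Path $_ })) {
    $props = Get-ItemProperty -Path $key
    foreach ($name in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }).Name) {
        $why = Test-SuspiciousCommand ([string]$props.$name)
        if ($why) { $findings.Add([pscustomobject]@{ Source = "$key\$name"; Command = $props.$name; Reasons = $why -join '; ' }) }
    }
}

$findings | Format-Table -AutoSize -Wrap
```

Run it in an elevated session so HKLM keys and all task folders are readable; an empty table means no entry matched the assumed patterns, not that the host is clean.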

Podcast Discussion

In our latest episode, cybersecurity experts discuss SYS01 infostealer’s tactics, including malvertising and persistence, and share strategies for social media account security and proactive detection.


Conclusion

SYS01 infostealer continues to demonstrate evolving evasion and persistence techniques, posing a significant threat to Facebook business accounts and browser-stored credentials. Organizations should stay vigilant, implement layered defenses, and reinforce social media security measures to mitigate this advanced malvertising campaign.

