The Meta malvertising campaign, active for over a month, spreads the SYS01 InfoStealer by hiding it inside Electron apps presented as legitimate tools such as video editors, productivity software, and streaming services.
SYS01 InfoStealer Malware
With nearly 100 malicious domains for distribution and command-and-control (C2) operations, the campaign targets a global audience, focusing especially on men over 45. The malware is regularly updated with new obfuscation methods to bypass security, making it a persistent and sophisticated threat that is difficult to detect and remove.
Cybercriminals are running a large-scale ad campaign that targets older men. The ads pretend to offer well-known software and services, distributing infostealers disguised as legitimate downloads for productivity tools, video editors, VPNs, streaming services, messaging apps, and video games.
By using various impersonated entities and widespread ads, the attackers aim to reach millions of potential victims, raising the chances of successful infections.
The SYS01 Infostealer campaign spreads malicious Electron apps that look like legitimate software. Once these apps are downloaded and run, they install and execute additional malware.
The infection process involves extracting password-protected archives, deobfuscating JavaScript code, and running PowerShell scripts. The malware checks the GPU model to determine if it is running in a sandbox; if not, it executes a PHP script to complete its malicious tasks.
The IonCube-encoded PHP malware gains persistence through Task Scheduler, setting up tasks for regular execution and user logon triggers. The main script, index.php, accesses sensitive information such as browser cookies and Facebook data.
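The persistence mechanism described above, scheduled tasks that run the IonCube-encoded PHP on a regular interval and at user logon, is something defenders can hunt for. The following is an added example, not code from the Bitdefender report or from this article: a small Python script that parses scheduled-task definitions in the Task Scheduler XML format (the format produced by `schtasks /Query /XML` or `Export-ScheduledTask`) and flags tasks that launch a script interpreter such as php.exe from a user-writable directory, run a script from such a directory, or combine a logon trigger with a short repetition interval. The task names, paths and trigger values are constructed samples; the interpreter list, directory patterns and the 5-minute threshold are assumptions, not indicators taken from the report.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

# Namespace used by Windows Task Scheduler XML exports.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Assumed list of script interpreters that rarely belong in a workstation task.
INTERPRETERS = {"php.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}

# Assumed set of user-writable locations; matched at start of string or after
# whitespace/quote so it also catches paths inside an argument list.
USER_WRITABLE = re.compile(
    r"(?:^|[\s\"'])(?:c:\\users\\[^\\]+\\(?:appdata|downloads|desktop|documents)"
    r"|c:\\users\\public|c:\\programdata)\\",
    re.IGNORECASE,
)


@dataclass
class TaskRecord:
    name: str
    command: str                    # <Actions><Exec><Command>
    arguments: str                  # <Actions><Exec><Arguments>
    logon_trigger: bool             # a <LogonTrigger> is present
    repeat_minutes: Optional[int]   # smallest <Repetition><Interval>, in minutes


def _interval_minutes(iso: str) -> Optional[int]:
    """Convert an ISO 8601 duration such as PT2M or PT1H30M to whole minutes."""
    m = re.fullmatch(r"P(?:(\d+)D)?T?(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?", iso or "")
    if not m:
        return None
    d, h, mi, _s = (int(x) if x else 0 for x in m.groups())
    return d * 1440 + h * 60 + mi


def parse_task_xml(name: str, xml_text: str) -> TaskRecord:
    """Extract the fields the hunt needs from one task definition."""
    root = ET.fromstring(xml_text)
    exe = root.find(".//t:Actions/t:Exec", NS)
    command = exe.findtext("t:Command", default="", namespaces=NS).strip() if exe is not None else ""
    arguments = exe.findtext("t:Arguments", default="", namespaces=NS).strip() if exe is not None else ""
    logon = root.find(".//t:Triggers/t:LogonTrigger", NS) is not None
    repeat = None
    for interval in root.findall(".//t:Triggers//t:Repetition/t:Interval", NS):
        mins = _interval_minutes(interval.text)
        if mins is not None and (repeat is None or mins < repeat):
            repeat = mins
    return TaskRecord(name, command, arguments, logon, repeat)


def assess(task: TaskRecord) -> list:
    """Return the reasons a task looks suspicious; an empty list means clean."""
    reasons = []
    exe = task.command.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if exe == "php.exe":
        reasons.append("php.exe scheduled on a workstation (SYS01 runs IonCube-encoded PHP)")
    if exe in INTERPRETERS and USER_WRITABLE.search(task.command.strip('"')):
        reasons.append(f"{exe} launched from a user-writable directory")
    if exe in INTERPRETERS and USER_WRITABLE.search(task.arguments):
        reasons.append(f"{exe} executes a script stored in a user-writable directory")
    if task.logon_trigger and task.repeat_minutes is not None and task.repeat_minutes <= 5:
        reasons.append(f"logon trigger combined with {task.repeat_minutes}-minute repetition")
    return reasons


def hunt(tasks: dict) -> dict:
    """Map task name -> list of reasons, for every task with at least one finding."""
    findings = {}
    for name, xml_text in tasks.items():
        reasons = assess(parse_task_xml(name, xml_text))
        if reasons:
            findings[name] = reasons
    return findings


# Constructed sample task definitions (not real exports). The XML declaration
# is omitted because the sample is fed in as a Python string.
SAMPLE_TASKS = {
    "UpdateCheck": r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
    <TimeTrigger><Repetition><Interval>PT2M</Interval></Repetition></TimeTrigger>
  </Triggers>
  <Actions><Exec>
    <Command>C:\Users\alice\AppData\Local\Temp\php\php.exe</Command>
    <Arguments>C:\Users\alice\AppData\Local\Temp\php\index.php</Arguments>
  </Exec></Actions>
</Task>""",
    "OneDriveStart": r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions><Exec><Command>C:\Program Files\Microsoft OneDrive\OneDrive.exe</Command></Exec></Actions>
</Task>""",
    "NightlyBackup": r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2024-10-01T02:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Actions><Exec>
    <Command>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Command>
    <Arguments>-ExecutionPolicy Bypass -File C:\ProgramData\Backup\backup.ps1</Arguments>
  </Exec></Actions>
</Task>""",
}

if __name__ == "__main__":
    for task_name, task_reasons in hunt(SAMPLE_TASKS).items():
        print(f"[!] {task_name}")
        for reason in task_reasons:
            print("    -", reason)
```

On a real host, export each task with `schtasks /Query /TN <name> /XML` (or `Export-ScheduledTask` in PowerShell), decode the UTF-16 output, strip the XML declaration and pass the text to `parse_task_xml`. The rules are deliberately layered so that a single hit (the constructed backup task runs a script from ProgramData) produces a low-priority finding, while the constructed php.exe task trips all four and stands out.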
It connects to command-and-control (C2) servers, possibly via Telegram bots and Google Pages, with the aim of exfiltrating data and compromising accounts. The infostealer receives commands such as “get_ck_all”, which instructs it to extract cookies and tokens from specific browsers.
It also uses Meta Graph API calls to gather information about the victim’s Facebook accounts, which shows that taking over those accounts is its primary objective.
Bitdefender reports that the SYS01 Infostealer campaign is a sophisticated threat that uses advanced evasion techniques to bypass security measures. It hijacks Facebook accounts to spread malicious ads, scaling the attack while avoiding detection. Stolen credentials are sold on underground markets, making the operation both autonomous and profitable.
Recommendations
- Be cautious with ads, particularly those offering free downloads.
- Download software only from official sources.
- Use strong security software and keep it updated regularly.
- Enable two-factor authentication on Facebook accounts, especially for business use.
- Monitor your accounts for unusual activity.
- Report any suspicious actions to Facebook.
- Change your login credentials immediately if you notice anything unusual.