Cybersecurity researchers have uncovered an ongoing malvertising campaign that abuses Meta's advertising platform and hijacked Facebook accounts to distribute an information stealer known as SYS01stealer.
“The cybercriminals engaged in this campaign utilize well-known brands to extend their influence,” Bitdefender Labs said in a report shared with The Hacker News.
“The exploit campaign relies on close to a hundred harmful domains, not solely for dispersing the malware, but also for real-time command and control (C2) operations, enabling malicious actors to manage the assault instantaneously.”
SYS01stealer was first documented by Morphisec in early 2023, which described attack campaigns targeting Facebook business accounts using Google ads and fake Facebook profiles that advertised games, adult content, and cracked software.
Like other stealer malware, its primary goal is to steal login credentials, browsing history, and cookies. It also harvests Facebook ad and business account data, which is then used to push the malware further through bogus ads placed from the stolen accounts.
“The compromised Facebook accounts act as a base for amplifying the entire operation,” Bitdefender pointed out. “Each breached account can be repurposed to endorse additional harmful ads, extending the reach of the campaign without the need for the cybercriminals to generate new Facebook accounts themselves.”
SYS01stealer is spread primarily through malicious ads on platforms such as Facebook, YouTube, and LinkedIn, with the ads promoting Windows themes, games, AI software, photo editors, VPNs, and movie streaming services. Most of the Facebook ads are targeted at men aged 45 and older.
“This effectively tempts victims into clicking these advertisements and having their browser data pinched,” Trustwave stated in an assessment of the malware in July 2024.
“If there is Facebook-related data in the information, there is a prospect of not only having their browser data purloined but also having their Facebook accounts operated by the threat actors to further spread malicious advertisements and prolong the loop.”
Users who click on the ads are redirected to decoy websites hosted on Google Sites or True Hosting that impersonate legitimate brands and applications in order to start the infection. The attacks are also known to use hijacked Facebook accounts to post the fraudulent ads.
The first-stage payload downloaded from these sites is a ZIP archive containing a benign executable that loads a malicious DLL (a DLL side-loading pattern), which in turn decodes and launches the multi-stage infection chain.
This includes running PowerShell commands that check whether the malware is executing in a sandbox and abort if so, modifying Microsoft Defender Antivirus settings to exclude specific paths from scanning and so evade detection, and setting up a runtime environment for the PHP-based stealer.
In the most recent attack chains observed by the Romanian cybersecurity company, the ZIP archives come bundled with an Electron application, indicating that the threat actors are continuously refining their tradecraft.
Also present within the Electron app's Atom Shell Archive (ASAR) is a JavaScript file (“main.js”) that now issues the PowerShell commands that perform the sandbox checks and run the stealer. Persistence on the host is achieved by creating scheduled tasks.
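As an added illustration (not code from Bitdefender's report or from the malware itself), the Python routine below triages PowerShell script-block text, such as the ScriptBlockText field of Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log, for the three behaviours the preceding paragraphs describe: adding Microsoft Defender exclusions, checking hardware vendor strings for a sandbox, and registering scheduled tasks for persistence. The sample script blocks are constructed for this example and are not SYS01 artifacts; the regexes are generic indicators of the tactics, not signatures for this family.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample script-block texts, modelled on the tactics described in
# the article (Defender exclusions, sandbox checks, scheduled-task persistence).
# They are hypothetical, not SYS01 samples and not taken from any vendor report.
SAMPLE_SCRIPT_BLOCKS = [
    # 0: hypothetical loader excluding its working directory from Defender scans
    "Add-MpPreference -ExclusionPath 'C:\\Users\\Public\\Libraries\\php' -Force",
    # 1: hypothetical VM/sandbox check on the hardware manufacturer string
    "$cs = Get-CimInstance Win32_ComputerSystem; "
    "if ($cs.Manufacturer -match 'VMware|VirtualBox|QEMU') { exit }",
    # 2: hypothetical persistence via a scheduled task running a hidden PowerShell
    "Register-ScheduledTask -TaskName 'WindowsUpdateSvc' "
    "-Action (New-ScheduledTaskAction -Execute 'powershell.exe' "
    "-Argument '-w hidden -File C:\\Users\\Public\\run.ps1') "
    "-Trigger (New-ScheduledTaskTrigger -AtLogOn)",
    # 3: benign admin activity: reading Defender settings, not changing them
    "Get-MpPreference | Select-Object ExclusionPath, DisableRealtimeMonitoring",
    # 4: benign inventory script that touches WMI but no VM vendor strings
    "Get-CimInstance Win32_OperatingSystem | Select-Object Caption, Version",
]

# Each rule names one tactic. Only write-style Defender cmdlets count; Get-MpPreference
# is read-only and common in legitimate admin scripts.
RULES = {
    "defender_exclusion": re.compile(
        r"(?i)\b(Add|Set)-MpPreference\b[^\n]*-(ExclusionPath|ExclusionProcess|"
        r"ExclusionExtension|DisableRealtimeMonitoring)"
    ),
    "sandbox_vendor_check": re.compile(
        r"(?i)Win32_(ComputerSystem|BIOS|BaseBoard)[^\n]*(VMware|VirtualBox|VBox|QEMU|Xen|Hyper-V)"
    ),
    "schtask_persistence": re.compile(
        r"(?i)(\bRegister-ScheduledTask\b|\bschtasks(\.exe)?\b[^\n]*/create)"
    ),
}


@dataclass
class Finding:
    index: int                          # position of the script block in the input
    rules: list[str] = field(default_factory=list)  # tactic names that matched


def scan_script_blocks(blocks: list[str]) -> list[Finding]:
    """Return one Finding per script block that matches at least one rule."""
    findings = []
    for i, text in enumerate(blocks):
        hits = [name for name, rx in RULES.items() if rx.search(text)]
        if hits:
            findings.append(Finding(i, hits))
    return findings


def triage(blocks: list[str]) -> dict:
    """Aggregate distinct tactics seen across one host's script blocks.

    A single hit (an admin legitimately adding an exclusion) is worth a look;
    two or more distinct tactics on the same host in one window (exclusion plus
    persistence, or sandbox check plus persistence) is the combination the
    article describes and is escalated.
    """
    tactics: set[str] = set()
    for finding in scan_script_blocks(blocks):
        tactics.update(finding.rules)
    return {"tactics": sorted(tactics), "escalate": len(tactics) >= 2}


if __name__ == "__main__":
    for f in scan_script_blocks(SAMPLE_SCRIPT_BLOCKS):
        print(f"block {f.index}: {', '.join(f.rules)}")
    print(triage(SAMPLE_SCRIPT_BLOCKS))
```

Script Block Logging has to be enabled for 4104 events to exist at all, so the first check in an environment is that the policy is on. The sandbox rule is also useful in the other direction: a loader that exits on seeing a VM vendor string is telling the analyst to detonate it on bare metal or with spoofed SMBIOS strings, otherwise the later PHP stage never appears.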
“The agility of the cybercriminals behind these assaults makes the SYS01 infostealer campaign particularly perilous,” Bitdefender stated. “The malware employs sandbox identification, stopping its operations if it detects it’s being operated in a controlled setting, often used by analysts to scrutinize malware. This allows it to remain undetected in numerous instances.”
“When cybersecurity firms commence flagging and obstructing a particular version of the loader, the cybercriminals react swiftly by revising the code. They then release fresh advertisements with updated malware that eludes the most recent security measures.”
Phishing Campaigns Abuse Eventbrite
The development comes as Perception Point detailed phishing campaigns that abuse the Eventbrite events and ticketing platform to steal financial or personal information.
The emails, sent via donotreply@events.eventbrite[.]com, urge recipients to click a link to settle an outstanding payment or confirm their package delivery address, after which they are prompted to enter their credentials and credit card details.
The attack is made possible by the fact that the threat actors register legitimate accounts on the platform and create bogus events that trade on the reputation of a well-known brand, embedding the phishing link in the event description or an attachment. The event invitation is then sent to their targets through Eventbrite's own mail infrastructure.
Perception Point said, “Since the email is dispatched via Eventbrite’s confirmed domain and IP address, it has a higher chance of eluding email filters and successfully landing in the recipient’s inbox.”
“Moreover, the usage of the Eventbrite sender domain increases the probability that recipients will open the email and follow the link to the phishing page. This misuse of Eventbrite’s platform enables the attackers to evade detection, ensuring superior delivery and engagement rates.”
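The practical lesson of this section is that a DKIM pass and a reputable sender domain say only that the platform sent the mail, not who wrote the event. Below is an added Python example (not code from Perception Point or Eventbrite) of a mail-flow check that takes the platform's authentication at face value and then inspects the body: any message authenticated for a bulk-sending platform that links to a domain outside that platform and carries a payment or delivery lure is flagged. Both sample messages, the Authentication-Results header, and the lure domain under the reserved .example TLD are constructed for this example.

```python
import re
from urllib.parse import urlparse

# Constructed sample modelled on the lure described above; the sender is the
# platform's real no-reply address, the DKIM pass is hypothetical, the payment
# link points off-platform under a reserved .example domain.
SAMPLE_EMAIL = """From: "Acme Logistics" <donotreply@events.eventbrite.com>
Authentication-Results: mx.example.net; dkim=pass header.d=eventbrite.com
Subject: Action required: confirm delivery address
Content-Type: text/plain

Your package could not be delivered. Confirm your address and settle the
outstanding fee at https://acme-logistics-delivery.example/pay?id=123
Event page: https://www.eventbrite.com/e/123456
"""

# Constructed benign event confirmation: same authenticated sender, links only
# back to the platform, no financial lure.
BENIGN_EMAIL = """From: "Community Meetup" <donotreply@events.eventbrite.com>
Authentication-Results: mx.example.net; dkim=pass header.d=eventbrite.com
Subject: You're registered for Tuesday's meetup

See you Tuesday. Event details: https://www.eventbrite.com/e/654321
"""

# Platforms whose authenticated mail may legitimately carry user-authored content.
PLATFORM_DOMAINS = {"eventbrite.com"}
LURE_TERMS = re.compile(
    r"(?i)(outstanding (payment|fee)|confirm (your )?(delivery )?address|"
    r"payment (is )?overdue|verify your account)"
)
URL_RX = re.compile(r"https?://[^\s<>\"']+")


def registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels). Use a public-suffix library in production."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def parse_message(raw: str) -> tuple[dict, str]:
    """Split a simple RFC 822-style message into a header dict and body text."""
    header_text, _, body = raw.partition("\n\n")
    headers = {}
    for line in header_text.splitlines():
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def dkim_passed_for(headers: dict, domain: str) -> bool:
    """True if Authentication-Results records a DKIM pass signed by `domain`."""
    ar = headers.get("authentication-results", "")
    return bool(re.search(r"dkim=pass\b[^;]*header\.d=" + re.escape(domain), ar))


def assess(raw: str) -> dict:
    """Flag platform-authenticated mail whose body links off-platform with a lure."""
    headers, body = parse_message(raw)
    m = re.search(r"@([\w.-]+)", headers.get("from", ""))
    sender_domain = registrable(m.group(1)) if m else ""
    platform_mail = sender_domain in PLATFORM_DOMAINS and dkim_passed_for(headers, sender_domain)
    link_domains = {registrable(urlparse(u).hostname or "") for u in URL_RX.findall(body)}
    off_platform = sorted(link_domains - PLATFORM_DOMAINS)
    lure = bool(LURE_TERMS.search(body))
    verdict = "suspicious" if (platform_mail and off_platform and lure) else "pass"
    return {
        "sender_domain": sender_domain,
        "platform_authenticated": platform_mail,
        "off_platform_links": off_platform,
        "lure": lure,
        "verdict": verdict,
    }


if __name__ == "__main__":
    print(assess(SAMPLE_EMAIL))
    print(assess(BENIGN_EMAIL))
```

The check deliberately does not lower the score because DKIM passed; for a platform that lets anyone create an event, the pass is the expected baseline, and the signal lives in where the body's links go and what they ask for. A real deployment would also fetch attachments and resolve shorteners before extracting domains, since the lure can sit in either.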
A Different Take on Pig Butchering
Cybersecurity researchers are also drawing attention to an uptick in cryptocurrency scams that impersonate various entities and target individuals with bogus job offers that supposedly let them earn money while working remotely. The unsolicited messages also claim affiliation with well-known brands such as Spotify, TikTok, and Temu.
“Compared to pig butchering, job fraud yields smaller but more frequent profits for the fraudsters,” according to Proofpoint. “This scheme capitalizes on the popularity of well-known brands instead of a prolonged, romance-based confidence trick.”