New Threat Using Facebook Ads to Target Critical Infrastructure Firms

March 7, 2023 | Ravie Lakshmanan | Data Safety / Cyber Threat

Cybersecurity researchers have discovered a new information stealer dubbed SYS01stealer that targets critical government infrastructure employees, manufacturing companies, and other sectors.

“The threat actors behind the campaign are targeting Facebook business accounts by using Google ads and fake Facebook profiles that promote things like games, adult content, and cracked software, etc. to lure victims into downloading a malicious file,” Morphisec said in a report shared with The Hacker News.

“The attack is designed to steal sensitive information, including login data, cookies, and Facebook ad and business account information.”

The Israeli cybersecurity firm said the campaign was initially tied by Zscaler to a financially motivated cybercriminal operation dubbed Ducktail.

However, WithSecure, which first documented the Ducktail activity cluster in July 2022, said the two sets of intrusions are distinct from one another, which shows how the attackers have managed to confuse attribution efforts and evade detection.

According to Morphisec, the attack chain begins when a victim is lured into clicking on a fake Facebook profile or ad URL and downloads a ZIP archive purporting to contain cracked software or adult-themed content.

Opening the ZIP file launches a loader, typically a legitimate C# application, that is susceptible to DLL side-loading: because of how the executable resolves its dependencies, a malicious dynamic-link library (DLL) placed alongside the application is loaded in place of the legitimate one.

Applications abused to side-load the malicious DLLs include Western Digital’s WDSyncService.exe and Garmin’s ElevatedInstaller.exe. In some cases, the side-loaded DLL serves as a means of deploying Python- and Rust-based intermediate executables.

Regardless of the path taken, all of them lead to the delivery of an installer that drops and runs the PHP-based SYS01stealer malware.

The stealer is designed to harvest Facebook cookies from Chromium-based web browsers (Google Chrome, Microsoft Edge, Brave, Opera, Vivaldi, etc.), exfiltrate the victim’s Facebook information to a remote server, and download and execute arbitrary files.


It also has the ability to upload files from an infected host to a command and control (C2) server, execute commands sent by the server, and update itself when new versions are available.

The development comes as Bitdefender uncovered a similar stealer campaign known as S1deload, which is designed to hijack users’ Facebook and YouTube accounts and use the compromised systems to mine cryptocurrency.

“DLL sideloading is a very effective technique for tricking a Windows system into loading malicious code,” said Morphisec.

“When applications are loaded into memory and the search order is not enforced, the application loads the malicious file instead of the legitimate one, allowing attackers to hijack legitimate, trusted, and even signed applications to load and execute malicious payloads.”
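The side-loading pattern described above (a trusted, often signed, executable extracted from an archive into a user-writable folder, loading an unsigned DLL that sits next to it or that shadows a Windows system DLL name) is easy to hunt for in image-load telemetry. The following is an added example written for this article, not Morphisec's tooling or anything from the campaign. The records are constructed and use Sysmon Event ID 7 field names (Image, ImageLoaded, Signed, SignatureStatus); the HostSigned field is an assumed enrichment describing whether the loading executable itself is signed, and the list of commonly shadowed DLL names is an illustrative assumption, not a complete catalogue. The DLL file names in the samples are made up for the example.

```python
"""Flag DLL side-loading candidates in image-load telemetry.

Added example for this article (not from the original page or the vendor
report). Records mimic Sysmon Event ID 7; "HostSigned" is an assumed
enrichment field giving the signature state of the loading process.
"""
import ntpath

# Windows directories from which a system DLL is expected to resolve.
WINDOWS_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")

# Assumption: a short, illustrative list of system DLL names frequently
# shadowed by side-loaded payloads. Extend it from your own baseline.
SHADOWED_SYSTEM_DLLS = {
    "version.dll", "cryptbase.dll", "dbghelp.dll", "userenv.dll",
    "profapi.dll", "wininet.dll", "dwmapi.dll",
}

# Path fragments that mark user-writable locations (Downloads, Temp, AppData).
USER_WRITABLE_MARKERS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")


def _norm(path):
    """Lower-case and normalise separators so comparisons are case-insensitive."""
    return path.lower().replace("/", "\\")


def _in_windows_dir(directory):
    return any(directory == d or directory.startswith(d + "\\") for d in WINDOWS_DIRS)


def _is_user_writable(directory):
    return any(marker in directory + "\\" for marker in USER_WRITABLE_MARKERS)


def sideload_reasons(rec):
    """Return a list of reasons the image load looks like DLL side-loading.

    An empty list means the load matched none of the three heuristics.
    """
    host = _norm(rec["Image"])
    dll = _norm(rec["ImageLoaded"])
    host_dir, _ = ntpath.split(host)
    dll_dir, dll_name = ntpath.split(dll)

    dll_signed = rec.get("Signed", "false").lower() == "true" and rec.get("SignatureStatus") == "Valid"
    host_signed = rec.get("HostSigned", "false").lower() == "true"
    side_by_side = dll_dir == host_dir

    reasons = []
    # 1. A system DLL name resolved from outside the Windows directories:
    #    the classic search-order hijack the article's quote describes.
    if dll_name in SHADOWED_SYSTEM_DLLS and not _in_windows_dir(dll_dir):
        reasons.append(f"system DLL name {dll_name} resolved from {dll_dir} (search-order hijack)")
    # 2. Unsigned DLL next to its host in a user-writable folder, i.e. the
    #    "extracted ZIP in Downloads/Temp" delivery pattern.
    if side_by_side and _is_user_writable(dll_dir) and not dll_signed:
        reasons.append("unsigned DLL loaded side by side with host from user-writable directory")
    # 3. A signed host pulling an unsigned DLL from its own directory.
    if side_by_side and host_signed and not dll_signed:
        reasons.append("signed host loaded an unsigned DLL from its own directory")
    return reasons


def scan(records):
    """Return (record, reasons) pairs for every record that triggered a heuristic."""
    hits = []
    for rec in records:
        reasons = sideload_reasons(rec)
        if reasons:
            hits.append((rec, reasons))
    return hits


# Constructed sample telemetry (not real captures). DLL names are invented.
SAMPLE_EVENTS = [
    {   # signed vendor binary extracted into Downloads, loads unsigned version.dll beside it
        "Image": r"C:\Users\alice\Downloads\wd_crack\WDSyncService.exe",
        "ImageLoaded": r"C:\Users\alice\Downloads\wd_crack\version.dll",
        "Signed": "false", "SignatureStatus": "Unavailable", "HostSigned": "true",
    },
    {   # benign: signed browser loading its own signed DLL from Program Files
        "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "ImageLoaded": r"C:\Program Files\Google\Chrome\Application\chrome_elf.dll",
        "Signed": "true", "SignatureStatus": "Valid", "HostSigned": "true",
    },
    {   # benign: version.dll resolved from System32 as expected
        "Image": r"C:\Windows\System32\notepad.exe",
        "ImageLoaded": r"C:\Windows\System32\version.dll",
        "Signed": "true", "SignatureStatus": "Valid", "HostSigned": "true",
    },
    {   # unsigned installer in Temp loading an unsigned helper next to it
        "Image": r"C:\Users\alice\AppData\Local\Temp\setup\ElevatedInstaller.exe",
        "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\setup\setup_helper.dll",
        "Signed": "false", "SignatureStatus": "Unavailable", "HostSigned": "false",
    },
]

if __name__ == "__main__":
    for rec, reasons in scan(SAMPLE_EVENTS):
        print(rec["ImageLoaded"])
        for r in reasons:
            print("  -", r)
```

Run as-is, the first and fourth records are flagged and the two benign loads are not. Heuristic 1 is the highest-signal rule because a genuine system DLL has no reason to resolve from a user's Downloads folder; heuristics 2 and 3 generate more noise from legitimately unsigned software and should be tuned against a baseline of your own estate before they drive alerts.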
