An information stealer known as SYS01 has been used by attackers since November 2022 to target systems belonging to critical government infrastructure employees and manufacturing companies.
The new campaign, spotted by security researchers at Morphisec, targeted Facebook business accounts with Google ads and fake Facebook profiles promoting games, adult content, and cracked software. These lures led victims to malicious links that downloaded the malware.
“This attack is designed to steal sensitive information such as login data, cookies, Facebook ads, and business account information,” Morphisec malware researcher Arnold Osipov said in an advisory Tuesday.
“This campaign was first seen in May 2022 and was initially attributed to a Ducktail operation by Zscaler. This attribution was later found to be incorrect,” added Osipov.
Mike Parkin, senior technical engineer at Vulcan Cyber, agrees with Osipov’s analysis, saying the new research from Morphisec shows the attackers are still active and the malware is still under development. He added that there are
“They also refer to another, but apparently related, piece of malware discovered by another research team,” added Parkin. “Overall, this shows how threat actors are evolving their tools and focusing on specific targets. And when both the malware and the groups that use it are in constant flux, it is difficult to clearly attribute a particular malware strain to a particular group.”
The SYS01 stealer was distributed in a variety of ways in the attacks observed by Morphisec, including DLL sideloading and executables written in Rust and Python.
According to John Anthony Smith, CEO of Conversant Group, the campaign shows that attackers are using advertising content to trick users into clicking malicious links.
“In our opinion, SYS01 is a continuation of similar techniques used by other groups. Any messaging platform that allows users to click on unvetted links or attachments should be blocked,” the executive said.
“Advertisements, social network platforms, chat applications/services, […] any platform that allows communication outside of company-sanctioned methods should be blocked.”
A similar campaign by the aforementioned Ducktail actor was discovered by the WithSecure team and made public in November 2022.