A New Threat Using Facebook Ads to Target Critical Infrastructure Firms: SYS01stealer
A new information stealer called SYS01stealer has been discovered by cybersecurity researchers, targeting critical government infrastructure employees, manufacturing companies, and other sectors.
The attack is designed to steal sensitive information, including login data, cookies, and Facebook ad and business account information. The Israeli cybersecurity company Morphisec reported that the campaign was initially tied to a financially motivated cybercriminal operation dubbed Ducktail by Zscaler. However, WithSecure, which first documented the Ducktail activity cluster in July 2022, said the two intrusion sets are different from one another, indicating how the threat actors managed to confuse attribution efforts and evade detection.
The attack chain commences when a victim is successfully lured into clicking on a URL from a fake Facebook profile or advertisement to download a ZIP archive that purports to be cracked software or adult-themed content. Opening the ZIP file launches a based loader – typically a legitimate C# application – that’s vulnerable to DLL side-loading, thereby making it possible to load a malicious dynamic link library (DLL) file alongside the app. Some of the applications abused to side-load the rogue DLL are Western Digital’s WDSyncService.exe and Garmin’s ElevatedInstaller.exe.
The stealer is engineered to harvest Facebook cookies from Chromium-based web browsers (e.g., Google Chrome, Microsoft Edge, Brave, Opera, and Vivaldi), exfiltrate the victim’s Facebook information to a remote server, and download and run arbitrary files. It’s also equipped to upload files from the infected host to the command-and-control (C2) server, run commands sent by the server, and update itself when a new version is available.
Bitdefender has revealed a similar stealer campaign known as S1deload that’s designed to hijack users’ Facebook and YouTube accounts and leverage the compromised systems to mine cryptocurrency. “DLL side-loading is a highly effective technique for tricking Windows systems into loading malicious code,” Morphisec said. “When an application loads in memory and search order is not enforced, the application loads the malicious file instead of the legitimate one, allowing threat actors to hijack legitimate, trusted, and even signed applications to load and execute malicious payloads.”