Malicious Google ads are a well known threat, but malvertising can also be found on other popular online destinations such as Facebook, LinkedIn, and YouTube.
Case in point: an enduring campaign that aims to infect Facebook users with the SYS01 information stealer, which grabs everything the attackers need to carry on with it endlessly.
The SYS01 malware
“In most of [the] advertisements, the victim will be directed to one of two hosting sites, Google Sites or True Hosting,” the researchers explained. They are then redirected to another dynamically generated URL, which leads to a malicious ZIP file.
An overview of the malvertising operation (Source: Trustwave)
The file is automatically downloaded, but it has to be run by the victim. The malware uses DLL sideloading to load and execute the malicious code, a variety of tactics to prevent detection by security software, hides files and directories that allow it to function, and uses scheduled tasks to achieve persistence.
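The three behaviours just described (a legitimate executable sideloading an unsigned DLL from its own directory, attrib used to hide the working directory, and a scheduled task whose action lives in a user-writable path) are all visible in ordinary endpoint telemetry. The following Python triage routine is an added example, not code from this article or from Trustwave's report; the events it runs over are constructed in a Sysmon-like shape, and every path, task name and file name in them is made up for illustration.

```python
"""Flag DLL sideloading, file hiding and user-writable scheduled-task persistence
in a list of endpoint events. Sample events are constructed, not real telemetry."""
import ntpath
from typing import Dict, List, Tuple

# Directories from which a signed Windows executable normally loads its DLLs.
TRUSTED_DLL_DIRS = (
    "c:\\windows\\system32",
    "c:\\windows\\syswow64",
    "c:\\program files",
    "c:\\program files (x86)",
)
# Path fragments that any local user can write to; persistence launched from
# here deserves a look.
USER_WRITABLE_MARKERS = ("\\users\\", "\\programdata\\", "\\appdata\\", "\\temp\\")

# Constructed sample events (hypothetical paths and names, not from the report).
SAMPLE_EVENTS: List[Dict] = [
    # A signed launcher extracted from a ZIP loads an unsigned DLL sitting beside it.
    {"type": "ImageLoad", "image": r"C:\Users\alice\Downloads\WinThemes\Launcher.exe",
     "image_signed": True,
     "loaded": r"C:\Users\alice\Downloads\WinThemes\libcrypto-3.dll", "loaded_signed": False},
    # Benign: the same launcher loads a signed system DLL from System32.
    {"type": "ImageLoad", "image": r"C:\Users\alice\Downloads\WinThemes\Launcher.exe",
     "image_signed": True,
     "loaded": r"C:\Windows\System32\kernel32.dll", "loaded_signed": True},
    # attrib.exe used to mark the working directory hidden + system.
    {"type": "ProcessCreate", "image": r"C:\Windows\System32\attrib.exe",
     "command_line": r'attrib +h +s "C:\Users\alice\Downloads\WinThemes"'},
    # Scheduled task whose action is a binary under the user's profile.
    {"type": "TaskCreate", "task_name": r"\WDS\Updater",
     "action": r"C:\Users\alice\AppData\Local\WinThemes\Launcher.exe"},
    # Benign scheduled task pointing at a system binary.
    {"type": "TaskCreate", "task_name": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "action": r"C:\Windows\System32\defrag.exe"},
]


def _dir(path: str) -> str:
    """Lower-cased parent directory of a Windows path."""
    return ntpath.dirname(path).lower()


def is_sideload_candidate(ev: Dict) -> bool:
    """Signed image loading an unsigned DLL from its own, non-system directory."""
    if ev.get("type") != "ImageLoad" or not ev.get("image_signed") or ev.get("loaded_signed"):
        return False
    loaded_dir = _dir(ev["loaded"])
    if loaded_dir.startswith(TRUSTED_DLL_DIRS):
        return False
    return loaded_dir == _dir(ev["image"])


def is_hide_command(ev: Dict) -> bool:
    """attrib.exe invoked with +h, i.e. something being marked hidden."""
    if ev.get("type") != "ProcessCreate":
        return False
    is_attrib = ntpath.basename(ev.get("image", "")).lower() == "attrib.exe"
    return is_attrib and "+h" in ev.get("command_line", "").lower()


def is_user_writable_task(ev: Dict) -> bool:
    """Scheduled task whose action runs from a user-writable location."""
    if ev.get("type") != "TaskCreate":
        return False
    action = ev.get("action", "").lower()
    return any(marker in action for marker in USER_WRITABLE_MARKERS)


def triage(events: List[Dict]) -> List[Tuple[str, str]]:
    """Return (finding_type, evidence) pairs for every event that matches a rule."""
    findings: List[Tuple[str, str]] = []
    for ev in events:
        if is_sideload_candidate(ev):
            findings.append(("dll_sideload", ev["loaded"]))
        elif is_hide_command(ev):
            findings.append(("hide_files", ev["command_line"]))
        elif is_user_writable_task(ev):
            findings.append(("task_persistence", ev["task_name"]))
    return findings


if __name__ == "__main__":
    for kind, evidence in triage(SAMPLE_EVENTS):
        print(f"{kind:16} {evidence}")
```

The sideloading rule deliberately requires the unsigned DLL to be in the same directory as the signed host binary and outside the system and Program Files trees; that combination is what distinguishes a dropped companion DLL from a normally installed application, and the two benign events in the sample show why both conditions are needed.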
The malware is capable of stealing (web session) cookies, login data and preferences stored by a wide variety of browsers used all around the globe: Chrome, Firefox, Opera, Brave, Cốc Cốc, Yandex Browser, Orbitum, CentBrowser, and others.
The SYS01 malware can also extract information – personal info, payment methods, follower counts, etc. – from various Facebook account types accessed from the compromised machine.
An ongoing malvertising campaign
“The SYS01 malware campaign was observed as early as September 2023 and is still active today,” Trustwave researchers noted. Its longevity is due to the continuous evolution of the tactics and ads used.
Currently, the malicious ads are mostly promoting Windows themes, Windows Taskbar themes, cracked games, a text-to-video genAI model (Sora AI), a (purportedly) quick way to “Unlock Genuine Licenses for Windows, Office, Photoshop in a Single Click!”, and software to create 3D images.
More generally, the lures are cracked versions of popular games, multimedia applications (e.g., Adobe Photoshop), and a variety of business applications.
Examples of the malicious Facebook ads and LinkedIn posts (Source: Trustwave)
The ads are served by newly created and hijacked (and renamed) Facebook business pages, to extend their reach.
Compromised login credentials for social media accounts are used to hijack accounts and spread the malware further. The other stolen credentials are likely offered for sale on the dark web, to help a variety of threat actors gain initial access and establish a foothold in their victim’s network and endpoints.
“It’s important to note that these types of threats are very pervasive in the social media landscape and may never go away,” the researchers pointed out, and advised organizations to implement security controls, compromise detection, and effective response measures.
“Security awareness should always be part of a security program but increasing the frequency of bulletins, news flashes or other risk notifications should be part of the culture and may mitigate some of the risk,” they added.
“Knowing that people will always be the first targeted in an attack, utilizing multi-factor authentication is paramount, and strong detection mechanisms are critical in limiting the impact of these threats. Defense in depth strategies are not new concepts but execution and budget constraints present complications. Weighing the risk vs the cost of compromise and reputational harm to the business requires careful consideration.”