Infostealer malware is a type of malicious software designed to infiltrate computer systems and extract sensitive information. Once the data is collected, it is sent to remote servers controlled by threat actors and often resold on “dark web markets.”
Cybersecurity researchers at Bitdefender recently discovered that SYS01 infostealer malware has been actively attacking Meta business pages to steal logins.
SYS01 InfoStealer Malware Attacking Meta Business
Threat actors have been found directing a sophisticated malvertising campaign via Meta’s advertising platform to distribute the “SYS01” InfoStealer malware by impersonating trusted brands.
This campaign was launched in September and exploits social media advertising algorithms by creating misleading advertisements that masquerade as “legitimate software downloads” from renowned companies and popular gaming titles like:-
- Adobe Photoshop
- Canva
- CapCut
- Express VPN
- Netflix
- Super Mario Bros Wonder
- Black Myth: Wukong
The malware is engineered to steal personal data and credentials and is distributed via a network of thousands of “malicious advertisements” that have potentially reached millions of users. Here, the primary focus is on targeting “senior male demographics.”
The attack infrastructure employs multiple malicious domains that function as “fake download platforms” by using various distribution mechanisms that evolve over time to avoid detection.
The campaign’s sophisticated nature is evident in its ability to maintain persistent operations via “hijacked accounts,” “generic impersonation techniques,” and “the strategic deployment of advertisements” that can remain active for weeks.
This makes it more challenging for average users to distinguish between “legitimate software offerings” and “malicious content.”
This represents a concerning evolution in cyber threats, in which traditional advertising platforms are weaponized to facilitate “large-scale malware distribution.”
The malware distributed through deceptive advertisements redirects users to “MediaFire” downloads containing malicious “Electron-based” applications.
These applications are packaged in “.zip” archives containing “ASAR” files that house the core malicious components, “an obfuscated main.js JavaScript file,” “PowerShell scripts,” and “password-protected archives.”
The malware’s infection chain begins when the JavaScript code unpacks and executes additional components using tools like “7zip” while implementing “anti-sandbox” measures by checking GPU models against a predefined list.
Once executed, the malware deploys “PHP scripts” (‘index.php’ and ‘include.php’) encoded with “IonCube Loader,” which help in establishing persistence via “Windows Task Scheduler” with two crucial tasks:-
- WDNA (executing every two minutes through rhc.exe php.exe index.php)
- WDNA_LG (triggering at user logon)
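The two scheduled tasks above are the persistence artifacts a defender can hunt for on an endpoint. The following is an added example (not code from the article or from Bitdefender) that parses a `schtasks /query /fo csv /v` export and flags tasks matching the SYS01 task names and the `rhc.exe php.exe index.php` launcher; it also generalizes slightly by flagging any task whose action runs `php.exe`, which is unusual on a workstation. The CSV sample is constructed for illustration, and the install path under `C:\Users\Public\Libraries` is an assumption, not a detail from the article.

```python
import csv
import io
import re

# Constructed sample: the relevant columns of a `schtasks /query /fo csv /v`
# export. The task names WDNA / WDNA_LG and the rhc.exe php.exe index.php
# command line come from the article; the hostname, paths and the other two
# (benign) tasks are made up for illustration.
SAMPLE_TASK_EXPORT = r'''
"HostName","TaskName","Next Run Time","Status","Task To Run","Schedule Type","Repeat: Every"
"WS01","\Microsoft\Windows\Defrag\ScheduledDefrag","N/A","Ready","%windir%\system32\defrag.exe -c -h -o -$","Weekly","Disabled"
"WS01","\WDNA","11/12/2024 10:02:00","Ready","C:\Users\Public\Libraries\rhc.exe php.exe index.php","One Time Only","0 Hour(s), 2 Minute(s)"
"WS01","\WDNA_LG","N/A","Ready","C:\Users\Public\Libraries\rhc.exe php.exe index.php","At logon time","Disabled"
"WS01","\OneDrive Reporting Task-S-1-5-21-1","11/12/2024 13:00:00","Ready","%localappdata%\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe /reporting","Daily","Disabled"
'''.strip()

# Task names reported for SYS01 persistence.
KNOWN_TASK_NAMES = {"WDNA", "WDNA_LG"}

# Launcher command line reported in the article: rhc.exe starting php.exe on index.php.
SYS01_LAUNCHER = re.compile(r"rhc\.exe\s+php\.exe\s+index\.php", re.IGNORECASE)

# Generic heuristic (assumption, not from the article): a scheduled task that
# runs a PHP interpreter at all is rare on end-user Windows machines.
PHP_INTERPRETER = re.compile(r"\bphp\.exe\b", re.IGNORECASE)


def find_sys01_tasks(csv_text):
    """Return a list of suspicious tasks found in a schtasks CSV export.

    Each hit records the task name (without the leading backslash), its
    action, its schedule type and the list of reasons it was flagged.
    """
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["TaskName"].lstrip("\\")
        action = row["Task To Run"]
        reasons = []
        if name.upper() in KNOWN_TASK_NAMES:
            reasons.append("known SYS01 task name")
        if SYS01_LAUNCHER.search(action):
            reasons.append("rhc.exe/php.exe index.php launcher")
        elif PHP_INTERPRETER.search(action):
            reasons.append("scheduled task runs php.exe")
        if reasons:
            hits.append({
                "task": name,
                "action": action,
                "schedule": row["Schedule Type"],
                "reasons": reasons,
            })
    return hits


if __name__ == "__main__":
    for hit in find_sys01_tasks(SAMPLE_TASK_EXPORT):
        print(f'{hit["task"]:10} | {hit["schedule"]:14} | {", ".join(hit["reasons"])}')
```

On a real host, replace `SAMPLE_TASK_EXPORT` with the output of `schtasks /query /fo csv /v` (or the equivalent export from your EDR); the two-minute repeat interval of WDNA and the logon trigger of WDNA_LG are the details to confirm once a task name matches.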
The infostealer communicates with C2 servers using “HTTP calls” (‘https://{C2_DOMAIN}/api/rss?a=ping’) and leverages “Telegram bots” and “Google pages” for dynamic C2 domain retrieval.
Its primary objective is extracting sensitive data while using SQL commands like “SELECT * FROM moz_cookies” to harvest browser data.
The malware maintains stealth by running alongside a convincing lure application that creates an elaborate self-sustaining ecosystem where compromised “Facebook Business” accounts are sold on dark web markets or repurposed to propagate more malicious advertisements.
Recommendations
The recommendations are listed below:-
- Scrutinize Ads
- Use Official Sources Only
- Use robust security software
- Keep the system updated
- Enable Two-Factor Authentication
- Monitor Your Facebook Business Accounts
IoCs
Malware Hosting Domains:
- hxxps://krouki.com
- hxxps://kimiclass.com
- hxxps://goodsuccessmedia.com
- hxxps://wegoodmedia.com
- hxxps://socialworldmedia.com
- hxxps://superpackmedia.com
- hxxps://eviralmedia.com
- hxxps://gerymedia.com
- hxxps://wakomedia.com
C2 Domains:
- hxxps://musament.top
- hxxps://enorgutic.top
- hxxps://untratem.top
- hxxps://matcrogir.top
- hxxps://ubrosive.top
- hxxps://wrust.top
- hxxps://lucielarouche.com
- hxxps://ostimatu.top
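The defanged domains above and the beacon URL mentioned earlier (`https://{C2_DOMAIN}/api/rss?a=ping`) are enough to build a simple network-side check. The following is an added example, not code from the article or from Bitdefender: it refangs the published IoCs into hostnames, then scans proxy log lines for requests to those hosts or for the `/api/rss?a=ping` beacon path, so that a beacon to a C2 domain not yet on the list is still caught. The proxy log format (`timestamp client method url status`) and every log line are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Defanged IoCs as published in the article (duplicate entry dropped).
MALWARE_HOSTING = [
    "hxxps://krouki.com", "hxxps://kimiclass.com", "hxxps://goodsuccessmedia.com",
    "hxxps://wegoodmedia.com", "hxxps://socialworldmedia.com", "hxxps://superpackmedia.com",
    "hxxps://eviralmedia.com", "hxxps://gerymedia.com", "hxxps://wakomedia.com",
]
C2_DOMAINS = [
    "hxxps://musament.top", "hxxps://enorgutic.top", "hxxps://untratem.top",
    "hxxps://matcrogir.top", "hxxps://ubrosive.top", "hxxps://wrust.top",
    "hxxps://lucielarouche.com", "hxxps://ostimatu.top",
]


def refang(ioc):
    """Turn a defanged IoC ('hxxps://', '[.]', '[:]') back into a lowercase hostname."""
    url = ioc.strip().replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")
    return urlsplit(url).hostname.lower()


# hostname -> category lookup built from the published lists
IOC_HOSTS = {refang(d): "malware-hosting" for d in MALWARE_HOSTING}
IOC_HOSTS.update({refang(d): "c2" for d in C2_DOMAINS})

# Beacon path from the article: https://{C2_DOMAIN}/api/rss?a=ping
BEACON_PATH = re.compile(r"^/api/rss\?a=ping$")

# Constructed proxy log: "timestamp client method url status". Not real traffic;
# the fourth line uses a made-up domain to show the path-only match.
SAMPLE_PROXY_LOG = """\
1731405600.101 10.0.0.15 GET https://www.adobe.com/products/photoshop.html 200
1731405602.340 10.0.0.15 GET https://krouki.com/download/Photoshop_2024.zip 200
1731405720.005 10.0.0.15 GET https://musament.top/api/rss?a=ping 200
1731405840.012 10.0.0.15 GET https://new-unlisted-domain.example/api/rss?a=ping 200
1731405845.777 10.0.0.22 GET https://www.netflix.com/browse 200
"""


def scan_proxy_log(log_text):
    """Return one alert per log line that touches a known IoC host or the beacon path."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, status = line.split()
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        path = parts.path + ("?" + parts.query if parts.query else "")
        reasons = []
        if host in IOC_HOSTS:
            reasons.append(f"known SYS01 {IOC_HOSTS[host]} domain")
        if BEACON_PATH.match(path):
            reasons.append("SYS01 beacon path /api/rss?a=ping")
        if reasons:
            alerts.append({"ts": ts, "client": client, "host": host, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f'{a["ts"]} {a["client"]} -> {a["host"]}: {"; ".join(a["reasons"])}')
```

The path-based rule is deliberately kept separate from the domain list because the article notes that the malware retrieves its C2 domains dynamically (via Telegram bots and Google pages), so a client that hits `/api/rss?a=ping` on an unfamiliar host deserves the same triage as one contacting a listed domain.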