Threat Actors Hijacking Facebook Accounts With Password Stealing Malware


Threat actors leverage social media to deploy malware, such as the SYS01 stealer, which steals Facebook credentials and spreads through compromised accounts.

Social media’s popularity makes it a prime target, and stolen credentials are valuable for further attacks like ransomware deployment or data exfiltration.


Since user behavior is difficult to control, security measures like multi-factor authentication and strong detection are crucial. Without these measures, attackers can bypass security and launch various attacks using legitimate accounts.

SYS01, a recently discovered infostealer, targets browser data and Facebook accounts. It has been modified repeatedly since it was first reported in March 2023 to evade detection, and it relies on malvertising across several platforms to trick users into downloading the malware.

The malware then steals browser data, including login credentials and cookies. Its ability to steal access tokens for Facebook accounts, especially those managing business pages, is particularly concerning.


With those tokens, attackers hijack the accounts and use them to buy further malvertising, spreading the malware to new victims.

By targeting unsuspecting users and compromising both new and established Facebook business accounts, SYS01 disrupts operations and potentially leads to financial losses.

Overview of SYS01 Operation

Infostealer SYS01 uses malvertising campaigns with different lures to trick victims.

In September 2023, it initially offered free downloads of popular games, but now the campaigns focus on Windows themes like Sora AI and taskbar themes.

Trustwave states each campaign has a unique tag, with “blue-softs” having the most ads (~8,100) on Facebook.

Clicking the ads redirects users to Google Sites or True Hosting landing pages, which likely host the infostealer malware.

Examples of fraudulent Metaverse advertisements.

Adversaries are using a drive-by compromise attack with malvertising on Facebook.

Clicking a disguised download button redirects the user to a malicious domain. The URL carries a campaign tag in its query string (?t={Tag}) that the operators use to categorize and manage different malware versions according to the victim profile or campaign goal.

Identified tags include “awesome”, “soraaiv2”, “tbthemes”, “3dimg”, and “taskbarthemes2024”, which let the attackers track campaign effectiveness and tailor their activity per campaign.
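The campaign tag is a cheap hunting pivot for defenders: any outbound request whose query string carries a t= parameter and whose referrer is Facebook is worth a look. The script below is an added example by the editor, not code from Trustwave or from the article; the log lines are constructed, the domains in them are placeholders rather than real SYS01 infrastructure, and the severity scheme is the editor's own suggestion.

```python
"""Scan proxy-style log lines for SYS01-style campaign tags (?t=<tag>).

Editor's added example; not code from the article or from Trustwave.
Log lines, hostnames and the severity scheme are constructed for illustration.
"""
from urllib.parse import urlparse, parse_qs

# Tags named in the Trustwave report, plus "blue-softs"; extend with local sightings.
KNOWN_TAGS = {"awesome", "soraaiv2", "tbthemes", "3dimg", "taskbarthemes2024", "blue-softs"}

# Constructed sample log: "<epoch> <client> <url> <referrer>" ("-" = no referrer).
SAMPLE_LOG = """\
1718000001.123 10.0.0.5 https://landing.example.invalid/download?t=soraaiv2 https://l.facebook.com/
1718000002.456 10.0.0.7 https://sites.google.com/view/some-page -
1718000003.789 10.0.0.5 https://cdn.example.invalid/file.zip?t=awesome&x=1 https://www.facebook.com/
1718000004.012 10.0.0.9 https://themes.example.invalid/get?t=newtag2025 https://www.facebook.com/
1718000005.345 10.0.0.2 https://blog.example.invalid/post?t=1718000000 https://news.example.invalid/
"""


def campaign_tag(url):
    """Return the value of the t= query parameter, or None if absent or unparsable."""
    try:
        qs = parse_qs(urlparse(url).query)
    except ValueError:
        return None
    values = qs.get("t")
    return values[0] if values else None


def from_facebook(referrer):
    """True when the referrer host is facebook.com or one of its subdomains (e.g. l.facebook.com)."""
    host = urlparse(referrer).hostname or ""
    return host == "facebook.com" or host.endswith(".facebook.com")


def scan_log(text, known_tags=KNOWN_TAGS):
    """Return one record per request that carries a t= tag.

    Severity: "high" when the tag is a known SYS01 tag and the click came from
    Facebook; "medium" when only one of those holds; "low" otherwise (a bare
    t= parameter is common on legitimate sites, e.g. as a timestamp).
    """
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        _ts, client, url, referrer = parts[:4]
        tag = campaign_tag(url)
        if tag is None:
            continue
        fb = from_facebook(referrer)
        known = tag in known_tags
        if known and fb:
            severity = "high"
        elif known or fb:
            severity = "medium"
        else:
            severity = "low"
        hits.append({"client": client, "url": url, "tag": tag,
                     "fb_referrer": fb, "severity": severity})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["severity"].upper(), hit["client"], hit["tag"], hit["url"])
```

Treat "medium" hits with an unknown tag as candidates for a new campaign rather than as noise: the tag set on the page was built exactly this way, from observed landing-page URLs, and the operators rotate tags as lures change.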

Initial redirection to a URL hosted on Cloudflare.

SYS01 keeps changing its delivery methods to reach a wider audience through social media ads, most recently Windows-theme lures. It hosts payloads on legitimate-sounding domains and ships PHP-based variants to evade detection.

The attack chain is multi-stage: generation of C2 domains, extraction of browser data, and Facebook account hijacking via stolen access tokens.

The malware also uses commercial tools to establish persistence on infected systems. Because SYS01 specifically targets Facebook business accounts, each hijacked account both extends the campaign's reach and damages the reputation of the affected business.



