New Menace Utilizing Fb Adverts to Goal Vital Infrastructure Companies

Mar 07, 2023Ravie LakshmananKnowledge Security / Cyber Menace

Cybersecurity researchers have found a brand new data stealer dubbed SYS01stealer concentrating on crucial authorities infrastructure workers, manufacturing corporations, and different sectors.

“The risk actors behind the marketing campaign are concentrating on Fb enterprise accounts by utilizing Google adverts and pretend Fb profiles that promote issues like video games, grownup content material, and cracked software program, and so on. to lure victims into downloading a malicious file,” Morphisec stated in a report shared with The Hacker Information.

“The assault is designed to steal delicate data, together with login knowledge, cookies, and Fb advert and enterprise account data.”

The Israeli cybersecurity firm stated the marketing campaign was initially tied to a financially motivated cybercriminal operation dubbed Ducktail by Zscaler.

Nonetheless, WithSecure, which first documented the Ducktail exercise cluster in July 2022, stated the 2 intrusion units are completely different from each other, indicating how the risk actors managed to confuse attribution efforts and evade detection.

The assault chain, per Morphisec, commences when a sufferer is efficiently lured into clicking on a URL from a faux Fb profile or commercial to obtain a ZIP archive that purports to be cracked software program or adult-themed content material.

Opening the ZIP file launches a primarily based loader – usually a professional C# software – that is susceptible to DLL side-loading, thereby making it potential to load a malicious dynamic hyperlink library (DLL) file alongside the app.

Among the purposes abused to side-load the rogue DLL are Western Digital’s WDSyncService.exe and Garmin’s ElevatedInstaller.exe. In some situations, the side-loaded DLL acts as a method to deploy Python and Rust-based intermediate executables.

No matter the strategy employed, all roads result in the supply of an installer that drops and executes the PHP-based SYS01stealer malware.

The stealer is engineered to reap Fb cookies from Chromium-based internet browsers (e.g., Google Chrome, Microsoft Edge, Courageous, Opera, and Vivaldi), exfiltrate the sufferer’s Fb data to a distant server, and obtain and run arbitrary recordsdata.

Uncover the Newest Malware Evasion Ways and Prevention Methods

Able to bust the 9 most harmful myths about file-based assaults? Be a part of our upcoming webinar and grow to be a hero within the combat towards affected person zero infections and zero-day safety occasions!


It is also outfitted to add recordsdata from the contaminated host to the command-and-control (C2) server, run instructions despatched by the server, and replace itself when a brand new model is obtainable.

The event comes as Bitdefender revealed an analogous stealer marketing campaign often known as S1deload that is designed to hijack customers’ Fb and YouTube accounts and leverage the compromised techniques to mine cryptocurrency.

“DLL side-loading is a extremely efficient method for tricking Home windows techniques into loading malicious code,” Morphisec stated.

“When an software hundreds in reminiscence and search order just isn’t enforced, the appliance hundreds the malicious file as an alternative of the professional one, permitting risk actors to hijack professional, trusted, and even signed purposes to load and execute malicious payloads.”

Discovered this text attention-grabbing? Observe us on Twitter and LinkedIn to learn extra unique content material we submit.