Description
Cybercriminals are using Facebook business pages and advertisements to promote fake Windows themes that infect users with the SYS01 password-stealing malware. This significant threat leverages the massive reach of the social media platform to distribute the malware widely and effectively.
Details
Researchers from Trustwave have identified campaigns where threat actors promote fake downloads for Windows themes, pirated games, software, Sora AI, 3D image creators, and One Click Active via Facebook advertisements. These ads often stem from newly created or hijacked Facebook business pages; the pages are renamed to match the advertised themes, and hijacked pages give the ads access to an existing large audience.
Once a user clicks on an ad, they are redirected to webpages hosted on Google Sites or True Hosting, which masquerade as download pages for the promoted content. These pages primarily promote a site called Blue-Software, offering supposed free software and game downloads. However, the downloaded ZIP archives contain the SYS01 info-stealing malware instead of the advertised content.
The SYS01 malware, discovered by Morphisec in 2022, employs executables, DLLs, PowerShell scripts, and PHP scripts to install and operate. Upon executing the main file, DLL sideloading is used to load a malicious DLL that sets up the malware’s environment, including disabling virtualized environment detection, adding exclusions in Windows Defender, and configuring PHP scripts for malicious operations.
The primary payload includes PHP scripts that create scheduled tasks for persistence and steal data from infected devices, such as browser cookies, saved credentials, browsing history, and cryptocurrency wallets. The malware also exploits Facebook cookies to steal account information, including personal profiles, advertising account data, business details, and page management information.
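The two host-side behaviours described above, Windows Defender exclusions added by the loader and scheduled tasks that persist the PHP payload, are both visible to an administrator. The following PowerShell audit is an added example written for this alert; it is not code from Trustwave, Morphisec or the CIRT, and the path and command-line patterns it flags are assumptions chosen for illustration rather than indicators taken from the research. It is meant to be run in an elevated session on a Windows host.

```powershell
# Added example (not from the Trustwave/Morphisec research or the CIRT alert).
# Audits two SYS01-style behaviours: Defender exclusions and scheduled tasks
# that launch a PHP interpreter or hidden/encoded PowerShell. Run elevated.

$ErrorActionPreference = 'Stop'

function Get-DefenderExclusionFindings {
    # Every Defender exclusion currently configured. On an end-user
    # workstation each one should be explainable by an administrator.
    $pref = Get-MpPreference
    $findings = @()
    foreach ($p in @($pref.ExclusionPath))      { if ($p) { $findings += [pscustomobject]@{ Type = 'Path';      Value = $p } } }
    foreach ($e in @($pref.ExclusionExtension)) { if ($e) { $findings += [pscustomobject]@{ Type = 'Extension'; Value = $e } } }
    foreach ($x in @($pref.ExclusionProcess))   { if ($x) { $findings += [pscustomobject]@{ Type = 'Process';   Value = $x } } }
    return $findings
}

function Get-RecentDefenderConfigChanges {
    # Event 5007 in the Defender operational log records configuration changes,
    # including exclusions being added. Returns the last $Days days of entries
    # that mention exclusions; returns nothing if the log is unavailable.
    param([int]$Days = 14)
    try {
        Get-WinEvent -FilterHashtable @{
            LogName   = 'Microsoft-Windows-Windows Defender/Operational'
            Id        = 5007
            StartTime = (Get-Date).AddDays(-$Days)
        } -ErrorAction Stop |
            Where-Object { $_.Message -match '(?i)Exclusions' } |
            Select-Object TimeCreated, Message
    } catch {
        Write-Warning "Defender operational log not readable: $($_.Exception.Message)"
    }
}

function Get-SuspiciousScheduledTasks {
    # Flags tasks whose action runs php*.exe or a .php script, runs PowerShell
    # hidden or with an encoded command, or executes from a user-writable
    # directory. The patterns are assumptions for this example, not IoCs.
    $userWritable = '(?i)\\(AppData|ProgramData|Temp|Downloads|Public)\\'
    $results = @()
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            $exe    = [string]$action.Execute
            $argStr = [string]$action.Arguments   # $args is reserved in PowerShell
            $cmd    = "$exe $argStr".Trim()
            if (-not $cmd) { continue }           # COM-handler actions have no Execute

            $reasons = @()
            if ($exe -match '(?i)php(-cgi|-win)?\.exe$' -or $argStr -match '(?i)\.php\b') { $reasons += 'php-interpreter' }
            if ($exe -match '(?i)powershell' -and
                $argStr -match '(?i)-(w(indowstyle)?\s+hidden|e(nc|ncodedcommand)?\s)') { $reasons += 'hidden/encoded-powershell' }
            if ($cmd -match $userWritable) { $reasons += 'user-writable-path' }

            if ($reasons.Count -gt 0) {
                $results += [pscustomobject]@{
                    TaskName = $task.TaskName
                    TaskPath = $task.TaskPath
                    State    = $task.State
                    Command  = $cmd
                    Reason   = ($reasons -join ',')
                }
            }
        }
    }
    return $results
}

# Usage: run all three checks and print the findings as tables.
Write-Host '== Windows Defender exclusions =='
Get-DefenderExclusionFindings | Format-Table -AutoSize

Write-Host '== Defender configuration changes mentioning exclusions (last 14 days) =='
Get-RecentDefenderConfigChanges | Format-Table -AutoSize -Wrap

Write-Host '== Scheduled tasks matching SYS01-style patterns =='
Get-SuspiciousScheduledTasks | Format-Table -AutoSize -Wrap
```

Any exclusion or task this reports needs a human decision: a developer workstation may legitimately run PHP from a scheduled task, but a task created at the same time as a new Defender path exclusion, pointing into a user profile, matches the installation sequence described above and is worth isolating the host over.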
Trustwave observed that the SYS01 malvertising campaigns extend beyond Facebook to platforms like LinkedIn and YouTube, demonstrating the broad scope and persistence of these attacks.
Indicators of Compromise (IoCs)
Organizations should monitor for the following indicators of compromise:
Remediation
To mitigate this risk, organizations can:
The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.
PDF Download: Facebook Ads for Windows Themes Push SYS01 Info-Stealing Malware
References