SYS01: Threat actors spread info stealer via Facebook lures
SYS01 is an information stealer that harvests sensitive data from compromised Windows systems. Like most stealers, it typically reaches a machine through a malicious email attachment, a download from a website, or another social-engineering or exploitation route. In the attacks observed, SYS01 was packaged and delivered in several forms, including DLL side-loading against a legitimate executable, Rust executables, and Python executables.
Since November 2022, the threat actors behind SYS01 have used the stealer to compromise employees of critical government infrastructure and of manufacturing businesses, among others. The campaign used bogus Facebook pages touting games, adult content, and pirated software, together with Google adverts, to entice users into downloading infected files.
The SYS01 attack begins by enticing the victim into clicking a URL posted on a phoney Facebook profile or advertisement, or a link promising live broadcasts, free programmes, movies, or games. Clicking the lure downloads a ZIP archive. Inside is a loader built around a legitimate application, usually a trustworthy C# program, that is susceptible to DLL side-loading: when the user runs it, the trusted executable picks up the malicious DLL placed next to it.
DLL side-loading is an effective way to trick Windows into executing malicious code. When an executable loads a library by name rather than by full path, Windows resolves it through a search order that, for most libraries, begins with the directory the executable itself lives in. If the application does not pin the library to a specific location (for example by loading it with a full path or by restricting the search order), an attacker can place a malicious DLL with the expected file name next to a genuine, trusted, even signed programme, and that programme will load and execute the attacker's code instead of the original library.
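To make the side-loading pattern concrete from the defender's side, here is an added example that is not from the original article or from any published SYS01 analysis: a small Python triage script over Sysmon Event ID 7 (ImageLoaded) records. The records are constructed and flattened into a pipe-delimited key=value form for readability (real Sysmon events are XML in the Windows event log); the list of "system" DLL names and the user-writable path markers are illustrative assumptions, not a vetted allow-list. The script flags a loaded DLL when it carries the name of a library that should resolve from the Windows system directory but was found elsewhere, when it is unsigned and sits in the loading executable's own directory, or when it lives under a user-writable path such as Downloads or Temp.

```python
"""Triage Sysmon Event ID 7 (ImageLoaded) records for DLL side-loading candidates.

Added example, not code from the original article. Input lines are constructed
Sysmon-style records flattened to 'Key=Value|Key=Value' form; real Sysmon data
is XML and would need a different parser.
"""
import ntpath

# Hypothetical, illustrative list: DLL names an application would normally
# resolve from the Windows system directory, and therefore should not be found
# next to the executable.
SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "cryptbase.dll", "wininet.dll", "userenv.dll"}

# Directories the above DLLs are expected to come from (lower-cased).
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")

# Path fragments that indicate a user-writable location (assumption, extend as needed).
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")

# Constructed sample records: one benign load, one classic side-load from a
# downloaded archive, and one unsigned vendor library loaded from its own folder.
SAMPLE_EVENTS = [
    "Image=C:\\Program Files\\Vendor\\App.exe|ImageLoaded=C:\\Windows\\System32\\version.dll"
    "|Signed=true|SignatureStatus=Valid",
    "Image=C:\\Users\\bob\\Downloads\\FreeGame\\Setup.exe"
    "|ImageLoaded=C:\\Users\\bob\\Downloads\\FreeGame\\version.dll"
    "|Signed=false|SignatureStatus=Unavailable",
    "Image=C:\\Program Files\\Vendor\\App.exe|ImageLoaded=C:\\Program Files\\Vendor\\vendorlib.dll"
    "|Signed=false|SignatureStatus=Unavailable",
]


def parse_event(line):
    """Parse one flattened record into a dict with lower-cased, comparable paths."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return {
        "image": fields["Image"].lower(),          # the loading process
        "dll": fields["ImageLoaded"].lower(),      # the library it loaded
        "signed": fields.get("Signed", "false").lower() == "true",
        "status": fields.get("SignatureStatus", "Unavailable"),
    }


def side_load_reasons(event):
    """Return the list of reasons a load looks like side-loading (empty if benign)."""
    dll_dir = ntpath.dirname(event["dll"])
    dll_name = ntpath.basename(event["dll"])
    image_dir = ntpath.dirname(event["image"])
    reasons = []

    # Rule 1: a well-known system DLL name resolved from somewhere other than
    # the Windows system directory (search order picked up a local copy).
    if dll_name in SYSTEM_DLLS and dll_dir not in SYSTEM_DIRS:
        reasons.append("system DLL name resolved outside the Windows system directory")

    # Rule 2: an unsigned DLL sitting beside the executable that loaded it.
    if dll_dir == image_dir and not event["signed"]:
        reasons.append("unsigned DLL loaded from the application's own directory")

    # Rule 3: the DLL lives in a location an ordinary user can write to.
    if any(marker in event["dll"] for marker in USER_WRITABLE_MARKERS):
        reasons.append("DLL loaded from a user-writable location")

    return reasons


def analyze(lines):
    """Run every record through the rules; return findings sorted by strength."""
    findings = []
    for line in lines:
        event = parse_event(line)
        reasons = side_load_reasons(event)
        if reasons:
            findings.append({"image": event["image"], "dll": event["dll"], "reasons": reasons})
    # Stronger findings (more independent indicators) first.
    findings.sort(key=lambda f: len(f["reasons"]), reverse=True)
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(f"{finding['image']} -> {finding['dll']}")
        for reason in finding["reasons"]:
            print(f"    - {reason}")
```

Rule 2 on its own is noisy, since many legitimate vendors ship unsigned private libraries beside their executables; in practice it is worth surfacing only when it coincides with Rule 1 or Rule 3, which is why findings are ranked by the number of independent indicators rather than treated as binary alerts.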
The stealer exfiltrates the victim's Facebook information to a remote server, harvests Facebook cookies from Chromium-based browsers (such as Google Chrome, Microsoft Edge, Brave, Opera, and Vivaldi), and can download and launch arbitrary programmes. It can also execute commands supplied by the command-and-control (C2) server, upload files from the infected computer to the server, and update itself when a new version is available.