Contact Us

SYS01: Threat actors spread info stealer via Facebook lures

A version of malware called SYS01 is designed to steal sensitive information from compromised systems. Typically, it spreads to a computer by way of a malicious email attachment, website download, or other exploitation technique. The SYS01 stealer was used in the attacks that were seen in a variety of methods, including DLL side-loading, Rust executables, and Python executables.

Since November 2022, threat actors have been using the information stealer to infiltrate the computers of people working on vital government infrastructure and businesses engaged in manufacturing, among others. The new effort used bogus Facebook pages touting games, adult material, and pirated software, together with Google adverts to entice users to download infected files.

The SYS01 malware assault starts by enticing a victim into clicking on a URL from a phoney Facebook profile, advertisement, or link to live broadcasts, free programmes, movies, or games. A ZIP archive file is downloaded when the user clicks on the lure. A based loader, usually a trustworthy C# application, is launched when the ZIP file is opened and is susceptible to DLL side-loading.

The use of DLL side-loading to mislead Windows computers into executing malicious code is quite efficient. Threat actors can use genuine, trusted, and even signed programmes to load and execute malicious payloads because when an application loads in memory and search order is not enforced, the malicious file is loaded instead of the original one.

The stealer is designed to exfiltrate the victim’s Facebook information to a remote server, harvest Facebook cookies from Chromium-based web browsers (such as Google Chrome, Microsoft Edge, Brave, Opera, and Vivaldi), and download and launch arbitrary programmes. It may also execute orders supplied by the command-and-control (C2) server, upload files from the infected computer to the server, and update itself when a new version is available

References:

  1. https://www.infosecurity-magazine.com/news/sys01-stealer-critical/
  2. https://www.techrepublic.com/article/sys01-stealer-targets-facebook-business-accounts-chromium-credentials/

Related Articles

SISA logo in white

SISA is a global forensics-driven cybersecurity solutions company, trusted by leading organizations for securing their businesses with robust preventive, detective, and corrective cybersecurity solutions. Our problem-first, human-centric approach helps businesses strengthen their cybersecurity posture.

Industry recognition by CREST, CERT-In and PCI SSC serves as a testament to our skill, knowledge, and competence.

We apply the power of forensic intelligence and advanced technology to offer true security to 2,000+ customers in 40+ countries.

Company

Services

Resources

Quick Links

Connect with us

Copyright © 2024 SISA. All Rights Reserved.
SISA’s Latest
close slider

Webinar

Proven Data Governance Strategies for Navigating the Compliance Maze

Webinar: ANAB accredited certification, Jan 2024, cover image

ANAB Accredited Certification: A Catalyst for Professional Excellence in Payment Security

Whitepaper

Bridging the cybersecurity skill gap in payments industry through accredited training - Banner

The Tipping Point: Bridging the Cybersecurity Skill Gap in the Payments Industry Through Accredited Training

Events

SISA Reimagines Cybersecurity with MXDR at RSA 2024

News Room

DSCI and SISA unveils cyber report on ‘MXDR – A New Paradigm for Cyber Defense’

Infosec Report

SISA-DSCI ProACT MXDR Report launch 2024

Blog

The Critical Role of Accredited Certification in Payment Security

Weekly Threat Watch

Okta raises alarm over surge in credential stuffing attacks

Case Study

SISA helps a global electronic payment provider strengthen risk management and compliance

Sign up for SISA's Daily
Threat Watch Advisory
Subscribe now!