Cybercriminals exploit Facebook ads to distribute SYS01 malware. Learn how these campaigns work and protect yourself from data theft and account hijacking.

Continue reading
Cybercriminals are increasingly leveraging social media platforms like Facebook to continue to distribute malware. Recent research from Trustwave highlights the active usage of Facebook business pages and advertisements to promote fake Windows themes, pirated games, and software. These ads infect unsuspecting users with the SYS01 password-stealing malware. This technical analysis will delve into the methods used by these threat actors, the impact of their campaigns, and the technical details of the SYS01 malware.
Cybercriminals exploit Facebook's advertising platform to reach a vast audience. They create fake ads promoting free software, Windows themes, and game downloads. These ads are often associated with newly created or hijacked Facebook business pages. When users click on these ads, they are redirected to malicious websites hosted on platforms like Google Sites or True Hosting.
Threat actors hijack existing Facebook business pages, rename them, and use them to amplify their reach. By leveraging the existing follower base, they significantly increase the spread of their fraudulent advertisements. Trustwave's report indicates that these pages were administered by individuals in Vietnam and the Philippines at various times.
The malicious websites promoted through Facebook ads offer fake downloads for various software and themes. These downloads come in the form of ZIP archives named after the advertised content, such as 'Awesome_Themes_for_Win_10_11.zip' or 'Adobe_Photoshop_2023.zip'. Instead of legitimate software, these archives contain the SYS01 malware.
When the archive's main executable is loaded, it employs DLL sideloading to execute a malicious DLL. This DLL sets up the malware's operating environment. The process includes running PowerShell scripts to prevent the malware from running in a virtualized environment, adding folder exclusions in Windows Defender, and configuring a PHP environment for malicious scripts.
The SYS01 malware's primary payload consists of PHP scripts that create scheduled tasks for persistence. These scripts also steal data from the infected device, including browser cookies, saved credentials, browser history, and cryptocurrency wallets.
The malware targets sensitive information, including:
The malware can use stolen Facebook cookies to extract account information, such as:
The infection process starts when a user downloads and executes the malicious ZIP archive. The main executable uses DLL sideloading to load a malicious DLL, which then sets up the environment for further malware operations.
The malware uses various evasion techniques to avoid detection:
The stolen data is temporarily stored in the %Temp% folder before being sent to the attackers. This data includes browser cookies, saved credentials, and other sensitive information.
Users should be aware of the risks associated with clicking on ads for free software and themes. Always download software from official and trusted sources.
Implement robust security measures to detect and prevent malware infections:

A third-party software flaw inside one of Japan's largest telcos exposed login credentials for up to 14.2 million email accounts across six ISPs. The passwords? Some were hashed. Some may not have been