Sys01 Stealer Malware Steals Business Account Data via Facebook and Google Ads

In early March, researchers at the cybersecurity company Morphisec disclosed a malware family they named Sys01 Stealer, which steals data from Facebook accounts (Facebook is part of Meta, an organization recognized as extremist and banned in the Russian Federation), including accounts belonging to employees of critical government infrastructure. Morphisec had been tracking the new malware and published details of the data theft scheme the attackers built around it.

Sys01 Stealer is distributed through Google Ads and fake Facebook profiles whose lures promise adult content, games, and cracked software. The link leads to a ZIP archive carrying the malicious payload. Once the archive is opened, the malware is launched on the victim's computer by DLL side-loading: a legitimate executable loads a malicious DLL placed next to it.

Last month, the cybersecurity company Bitdefender detailed similar distribution and execution techniques used by the S1deload Stealer malware, which also harvests Facebook and YouTube account data. Morphisec noted, however, that the two families are distinct.

Sys01 Stealer has been active since November 2022 and targets employees across industries, including government and manufacturing. Its goal is to steal credentials, cookies, Facebook business account data, and Facebook ad reports.

Victims click on a malicious ad or a link on a fake profile page and download a ZIP archive that supposedly contains a movie, game, or application. Instead, the archive holds a loader: a legitimate application vulnerable to DLL side-loading, paired with a malicious library that drops an Inno Setup installer. That installer deploys the final payload, a PHP application containing the scripts that collect and exfiltrate data.

One PHP script establishes persistence by registering a scheduled task so the payload keeps running, while the main stealer script inspects the installed browsers for a Facebook session to determine whether the victim is logged in. The script can also download and execute files from a supplied URL, upload files to the C2 server, and run commands.
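The two infection stages described above, a side-loaded DLL beside a legitimate executable and a scheduled task that keeps a scripting host (here a PHP interpreter) running out of a user profile, each leave a detectable trace in endpoint telemetry. The following is an added hunting example, not code from Morphisec or from the malware itself. It runs two heuristics over constructed, Sysmon-style records (an image-load event and a scheduled-task creation event); the event fields, the list of commonly side-loaded DLL names, the directory prefixes, and the sample paths are all assumptions chosen for illustration.

```python
"""Hunting heuristics for a SYS01-style chain (added example, constructed data).

Check 1 - DLL side-loading: a DLL whose name matches a well-known system DLL is
          loaded from the host executable's own directory under a user-writable
          path, and is unsigned, instead of from System32/SysWOW64.
Check 2 - Persistence: a scheduled task whose action runs a scripting host
          (php.exe, python.exe, ...) from a user-writable directory.
"""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

# Assumption: DLL names frequently abused for side-loading. Extend from your own data.
COMMON_SIDELOAD_NAMES = {
    "version.dll", "dbghelp.dll", "wtsapi32.dll", "cryptbase.dll",
    "userenv.dll", "winhttp.dll", "dwmapi.dll", "uxtheme.dll",
}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\temp\\", "c:\\windows\\temp\\")
SCRIPT_HOSTS = {"php.exe", "python.exe", "pythonw.exe", "powershell.exe", "wscript.exe"}


@dataclass(frozen=True)
class ImageLoad:
    """Subset of a Sysmon Event ID 7 (ImageLoad) record."""
    image: str         # process that loaded the DLL
    image_loaded: str  # full path of the DLL
    signed: bool       # Sysmon "Signed" field


@dataclass(frozen=True)
class TaskCreate:
    """Subset of a scheduled-task creation record (e.g. Security 4698)."""
    task_name: str
    command: str       # action command line


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def is_sideload(ev: ImageLoad) -> bool:
    dll = _norm(ev.image_loaded)
    if ntpath.basename(dll) not in COMMON_SIDELOAD_NAMES:
        return False
    if dll.startswith(SYSTEM_DIRS):
        return False  # the legitimate copy
    same_dir = ntpath.dirname(dll) == ntpath.dirname(_norm(ev.image))
    return same_dir and dll.startswith(USER_WRITABLE) and not ev.signed


# Leading executable of a command line: quoted (may contain spaces) or bare token.
_EXE_RE = re.compile(r'^\s*(?:"([^"]+?\.exe)"|(\S+?\.exe))', re.IGNORECASE)


def is_suspicious_task(ev: TaskCreate) -> bool:
    m = _EXE_RE.match(_norm(ev.command))
    if not m:
        return False
    exe = m.group(1) or m.group(2)
    return ntpath.basename(exe) in SCRIPT_HOSTS and exe.startswith(USER_WRITABLE)


def hunt(image_loads: list[ImageLoad], tasks: list[TaskCreate]) -> dict[str, list[str]]:
    return {
        "dll_sideload": [ev.image_loaded for ev in image_loads if is_sideload(ev)],
        "script_host_task": [ev.task_name for ev in tasks if is_suspicious_task(ev)],
    }


# Constructed sample telemetry (not real events).
SAMPLE_IMAGE_LOADS = [
    ImageLoad(r"C:\Users\bob\Downloads\Movie_HD\Player.exe",
              r"C:\Users\bob\Downloads\Movie_HD\version.dll", signed=False),
    ImageLoad(r"C:\Program Files\VideoLAN\VLC\vlc.exe",
              r"C:\Windows\System32\version.dll", signed=True),
    ImageLoad(r"C:\Users\bob\Downloads\tool\tool.exe",
              r"C:\Users\bob\Downloads\tool\helper.dll", signed=False),  # not a system DLL name
]
SAMPLE_TASKS = [
    TaskCreate("Updater",
               r'"C:\Users\bob\AppData\Roaming\php\php.exe" -f "C:\Users\bob\AppData\Roaming\include.php"'),
    TaskCreate("OneDrive Update",
               r'"C:\Program Files\Microsoft OneDrive\OneDriveStandaloneUpdater.exe"'),
]

if __name__ == "__main__":
    for kind, hits in hunt(SAMPLE_IMAGE_LOADS, SAMPLE_TASKS).items():
        print(kind, hits)
```

Both checks are deliberately narrow to keep false positives low: a side-load hit requires all three conditions (system-DLL name, host executable's own directory under a user-writable path, unsigned), and the task check ignores script hosts installed under Program Files. Loosen them once you know your estate's baseline.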

During the analysis, Morphisec also found that the operators have used loaders written in Rust, Python and PHP, together with encryption and packing of the payloads, which helped the stealer evade detection for the roughly five months since it first appeared.

Morphisec said the key steps to stop Sys01 Stealer are a zero-trust policy and restricting users' rights to download and install programs, since the malware relies on social engineering to get onto the machine. For the same reason, users should be trained to recognize the attackers' lures so that an infection attempt can be spotted and stopped in time.