Cybersecurity researchers have discovered an ongoing malware campaign that abuses the Meta advertising platform and hijacks Facebook accounts to spread an information stealer known as SYS01stealer.
“The hackers behind the campaign are using trusted brands to expand their reach,” Bitdefender Labs said in a report shared with The Hacker News.
“The malware campaign leverages nearly a hundred malicious domains that are used not only for malware distribution but also for real-time command and control (C2) operations, allowing threat actors to direct the attack in real-time.”
SYS01stealer was first documented by Morphisec in early 2023, describing campaigns targeting business Facebook accounts using Google ads and fake Facebook profiles promoting games, adult content, and cracked software.
As with other stealer malware, the ultimate goal is to steal login credentials, browsing history, and cookies. But it also focuses on harvesting Facebook ads and business account data, which is then used to further spread the malware through fake ads.
“Hijacked Facebook accounts serve as the basis for expanding the entire operation,” Bitdefender noted. “Each compromised account can be repurposed to push additional malicious ads, expanding a campaign’s reach without requiring hackers to create new Facebook accounts themselves.”
The main vector through which SYS01stealer spreads is malicious advertisements on platforms such as Facebook, YouTube, and LinkedIn, with ads promoting Windows themes, games, artificial intelligence software, photo editors, virtual private networks, and movie streaming services. Most of the Facebook ads target men aged 45 and older.
“This effectively entices victims to click on these ads and steal their browser data,” Trustwave said in a July 2024 malware analysis.
“If the data contains information related to Facebook, there is a possibility not only of their browser data being stolen, but also of their Facebook accounts being controlled by threat actors to further distribute malicious ads and continue the cycle.”
Users who end up interacting with the ads are redirected to fraudulent sites hosted by Google Sites or True Hosting that mimic legitimate brands and applications in an attempt to initiate the infection. Attackers have also been known to use compromised Facebook accounts to post fraudulent ads.
The first-stage payload downloaded from these sites is a ZIP archive that includes a benign executable that is used to download a malicious DLL responsible for decoding and launching a multi-step process.
This includes running PowerShell commands to prevent malware from running in a sandbox environment, changing Microsoft Defender Antivirus settings to exclude certain paths to avoid detection, and configuring the operating environment to run a PHP-based hijacker.
In the latest chain of attacks observed by the Romanian cybersecurity company, the ZIP archives come with an Electron application embedded, indicating that the threat actors are constantly evolving their tactics.
The Atom Shell Archive (ASAR) also contains a JavaScript file (“main.js”) that now executes PowerShell commands to perform sandbox checks and run the stealer. Persistence on the host is achieved by configuring scheduled tasks.
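The two host-side artifacts the article attributes to this chain, Microsoft Defender path exclusions and scheduled-task persistence, are both easy to audit from a defender's side. The script below is an added example written for this page; it is not code from the article, from Bitdefender or from the SYS01 sample, and it assumes an elevated PowerShell session on a Windows 10/11 host with Microsoft Defender enabled. The regular expressions for "suspicious" launchers and user-writable paths are assumptions chosen for illustration, not indicators published by the researchers.

```powershell
# Added example (not from the article or Bitdefender): audit a Windows host for
# Defender exclusions and scheduled-task persistence. Assumes an elevated
# PowerShell session on Windows 10/11 with Microsoft Defender enabled.

# 1. Current Defender exclusions. On most managed endpoints the baseline is empty,
#    so any entry here deserves an explanation.
$pref = Get-MpPreference
[PSCustomObject]@{
    ExclusionPath      = $pref.ExclusionPath
    ExclusionProcess   = $pref.ExclusionProcess
    ExclusionExtension = $pref.ExclusionExtension
} | Format-List

# 2. Defender configuration-change events (ID 5007) from the last 7 days that
#    touched the Exclusions registry keys. A 5007 adding an exclusion shortly
#    before a new scheduled task appears is worth a closer look.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5007
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Exclusions' } |
    Select-Object TimeCreated, Message | Format-List

# 3. Scheduled tasks outside the \Microsoft\ namespace whose action launches a
#    scripting host or runs from a user-writable location (patterns are assumptions).
$launchers     = 'powershell|pwsh|wscript|cscript|cmd\.exe|mshta|rundll32'
$writablePaths = '\\AppData\\|\\Users\\Public\\|\\ProgramData\\|\\Temp\\'

Get-ScheduledTask |
    Where-Object { $_.TaskPath -notlike '\Microsoft\*' } |
    ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)"
            if ($cmd -match $launchers -or $cmd -match $writablePaths) {
                [PSCustomObject]@{
                    TaskName = $task.TaskName
                    TaskPath = $task.TaskPath
                    Author   = $task.Author
                    Command  = $cmd
                }
            }
        }
    } | Format-Table -AutoSize
```

Run it on a known-clean build first to record what a normal host returns; the third section in particular will list legitimate third-party updaters, so the value is in the diff against that baseline rather than in any single hit.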
“The adaptability of the cybercriminals behind these attacks makes the SYS01 phishing campaign particularly dangerous,” Bitdefender said. “The malware uses sandbox detection, stopping its work when it detects that it is running in a controlled environment, often used by analysts to study malware. This allows it to remain unnoticed in many cases.”
“When cybersecurity firms start flagging and blocking a particular version of the loader, the hackers quickly respond by updating the code. They then push out new ads with updated malware that evades the latest security measures.”
Phishing campaigns abuse Eventbrite
The development comes as Perception Point details phishing campaigns that abuse Eventbrite’s events and ticketing platform to steal financial or personal information.
Emails sent via noreply@events.eventbrite(.)com prompt users to click on a link to pay an outstanding bill or confirm a shipping address, then ask them to enter their login and credit card details.
The attack itself was made possible by the threat actors signing up for legitimate accounts on the service and creating fake events, abusing the reputation of a well-known brand, by embedding a phishing link in the event description or attachment. An event invitation is then sent to their target.
“Because an email is sent through an Eventbrite-verified domain and IP address, it’s more likely to pass through email filters and successfully reach the recipient’s inbox,” Perception Point said.
“Eventbrite’s sender domain also makes it more likely that recipients will open the email and click on the phishing link. This abuse of Eventbrite’s platform allows attackers to avoid detection, resulting in higher delivery and discovery rates.”
Pig butchering variant
Threat hunters are also drawing attention to a rise in cryptocurrency scams in which fraudsters pose as various organizations and target users with fake jobs that purport to let them make money working from home. The scams also claim to represent legitimate brands such as Spotify, TikTok and Temu.
The activity starts through social media, SMS and messaging apps like WhatsApp and Telegram. Scammers instruct users who agree to take on the job to register on a malicious website with a referral code, then ask them to complete a variety of tasks, such as submitting fake reviews, placing product orders, playing certain songs on Spotify, or booking hotels.
The scam unfolds when victims’ fake commission accounts suddenly become negative and they are encouraged to top up by investing their own cryptocurrency to earn bonuses for completing tasks.
“This vicious cycle will continue as long as the fraudsters think the victim will continue to pay into the system,” Proofpoint researchers said. “If they suspect their victim has become too smart for the scam, they’ll lock the account and lock them out.”
The illegal scheme has been attributed with high confidence to the threat actors who are also conducting pig butchering, which is also known as the cryptocurrency investment romance scam.
“Job scams provide fraudsters with smaller but more frequent profits compared to pig butchering,” Proofpoint said. “The activity capitalizes on the recognition of a popular brand instead of a long romance scam.”