Global Security

Malware hijacks Facebook accounts to distribute SYS01stealer malware

By Admin, October 30, 2024

Cybersecurity researchers have discovered an ongoing malware campaign that abuses the Meta advertising platform and hijacks Facebook accounts to spread an information stealer known as SYS01stealer.

“The hackers behind the campaign are using trusted brands to expand their reach,” Bitdefender Labs said in a report shared with The Hacker News.

“The malware campaign leverages nearly a hundred malicious domains that are used not only for malware distribution but also for real-time command and control (C2) operations, allowing threat actors to direct the attack in real-time.”

SYS01stealer was first documented by Morphisec in early 2023, in campaigns that targeted business Facebook accounts using Google ads and fake Facebook profiles promoting games, adult content, and cracked software.

As with other stealer malware, the ultimate goal is to steal login credentials, browsing history, and cookies. It also specifically harvests Facebook Ads and business account data, which is then used to spread the malware further through fake ads.

“Hijacked Facebook accounts serve as the basis for expanding the entire operation,” Bitdefender noted. “Each compromised account can be repurposed to push additional malicious ads, expanding a campaign’s reach without requiring hackers to create new Facebook accounts themselves.”

SYS01stealer spreads mainly through malicious advertisements on platforms such as Facebook, YouTube, and LinkedIn, with ads promoting Windows themes, games, artificial intelligence software, photo editors, virtual private networks, and movie streaming services. Most of the Facebook ads target men aged 45 and older.

“This effectively entices victims to click on these ads and steal their browser data,” Trustwave noted in a July 2024 malware analysis.

“If the data contains information related to Facebook, there is a possibility not only of their browser data being stolen, but also of their Facebook accounts being controlled by threat actors to further distribute malicious ads and continue the cycle.”

Users who end up interacting with the ads are redirected to fraudulent sites hosted by Google Sites or True Hosting that mimic legitimate brands and applications in an attempt to initiate the infection. Attackers have also been known to use compromised Facebook accounts to post fraudulent ads.

The first-stage payload downloaded from these sites is a ZIP archive containing a benign executable that is used to load a malicious DLL, which in turn decodes and launches a multi-step process.

This includes running PowerShell commands to stop the malware from executing in a sandbox environment, changing Microsoft Defender Antivirus settings to exclude certain paths from scanning so as to avoid detection, and configuring the operating environment to run a PHP-based stealer.

In the latest attack chains observed by the Romanian cybersecurity company, the ZIP archives ship with an embedded Electron application, indicating that the threat actors are continuously evolving their tactics.

The Atom Shell Archive (ASAR) also contains a JavaScript file (“main.js”) that executes PowerShell commands to perform sandbox checks and run the stealer. Persistence on the host is achieved by creating scheduled tasks.
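As an added example (not from the article or from Bitdefender's research), the following Python sketch turns the two host artifacts described above, new Defender exclusion paths and a scheduled task that launches hidden or encoded PowerShell, into detection rules run over constructed sample events; the flattened event field layout, paths and task names are assumptions for illustration.

```python
import re

# Constructed sample events (not from the article), flattened from what the
# Defender Operational log (event 5007, "configuration has changed") and the
# Security log (event 4698, "scheduled task created") carry. Paths, task
# names and the encoded blob are made up.
SAMPLE_EVENTS = [
    {"id": 5007, "message": r"Microsoft Defender Antivirus Configuration has changed. "
     r"New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\victim\AppData\Local\Temp = 0x0"},
    {"id": 4698, "task": r"\WindowsUpdateSvc",
     "command": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "arguments": "-WindowStyle Hidden -ExecutionPolicy Bypass -EncodedCommand SQBFAFgAIAAoAE4A"},
    {"id": 4698, "task": r"\Microsoft\Windows\Backup\NightlyBackup",
     "command": r"C:\Program Files\Backup\backup.exe", "arguments": "--run"},
]

# Exclusions are written under these registry keys; "= 0x0" is the new value.
EXCLUSION_RE = re.compile(r"Exclusions\\(Paths|Processes|Extensions)\\(.+?)\s*=\s*0x", re.I)
# PowerShell switches that hide the window, bypass policy or obscure the script.
PS_EVASION_RE = re.compile(
    r"-(?:w(?:indowstyle)?\s+hidden|e(?:xecutionpolicy|p)?\s+bypass|e(?:nc|ncodedcommand)?\s)", re.I)
POWERSHELL_RE = re.compile(r"(^|\\)(powershell|pwsh)\.exe$", re.I)

def check_defender_exclusion(event):
    """Rule 1: a path, process or extension was added to Defender's exclusions."""
    if event.get("id") != 5007:
        return None
    m = EXCLUSION_RE.search(event.get("message", ""))
    if not m:
        return None
    return {"rule": "defender_exclusion_added", "kind": m.group(1), "value": m.group(2)}

def check_hidden_powershell_task(event):
    """Rule 2: a new scheduled task launches PowerShell with evasion-style switches."""
    if event.get("id") != 4698 or not POWERSHELL_RE.search(event.get("command", "")):
        return None
    hits = [m.group(0).strip() for m in PS_EVASION_RE.finditer(event.get("arguments", ""))]
    if not hits:
        return None
    return {"rule": "hidden_powershell_scheduled_task", "task": event.get("task"), "flags": hits}

def detect(events):
    """Run every rule over every event; findings keep the events' order."""
    rules = (check_defender_exclusion, check_hidden_powershell_task)
    return [hit for ev in events for rule in rules if (hit := rule(ev))]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

On a real host these rules would be fed from the EVTX channels named in the comments; a legitimate backup task that runs a signed binary with plain arguments, as in the third sample, is left alone.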

“The adaptability of the cybercriminals behind these attacks makes the SYS01 phishing campaign particularly dangerous,” Bitdefender said. “The malware uses sandbox detection, stopping its work when it detects that it is running in a controlled environment, often used by analysts to study malware. This allows it to remain unnoticed in many cases.”

“When cybersecurity firms start flagging and blocking a particular version of a bootloader, hackers quickly respond by updating the code. They then push out new ads with updated malware that evades the latest security measures.”

Phishing campaigns abuse Eventbrite

The development comes as Perception Point details phishing campaigns that abuse Eventbrite’s events and ticketing platform to steal financial or personal information.

Emails sent via noreply@events.eventbrite(.)com prompt users to click on a link to pay an outstanding bill or confirm a shipping address, then ask them to enter their login and credit card details.

The attack itself was made possible by the threat actors signing up for legitimate accounts on the service, creating fake events that trade on the reputation of a well-known brand, and embedding a phishing link in the event description or an attachment. An event invitation is then sent to their targets.

“Because an email is sent through an Eventbrite-verified domain and IP address, it’s more likely to pass through email filters and successfully reach the recipient’s inbox,” Perception Point said.

“Eventbrite’s sender domain also makes it more likely that recipients will open the email and click on the phishing link. This abuse of Eventbrite’s platform allows attackers to avoid detection, resulting in higher delivery and discovery rates.”

Pig butchering scams take a different form

Threat hunters are also drawing attention to a rise in cryptocurrency scams in which fraudsters pose as various organizations and target users with fake jobs that purport to let them make money working from home. The scams also claim to represent legitimate brands such as Spotify, TikTok and Temu.

The activity starts through social media, SMS and messaging apps like WhatsApp and Telegram. Scammers instruct users who agree to take on the job to register on a malicious website with a referral code, then ask them to complete a variety of tasks, such as submitting fake reviews, placing product orders, playing certain songs on Spotify, or booking hotels.

The scam unfolds when victims’ fake commission accounts suddenly become negative and they are encouraged to top up by investing their own cryptocurrency to earn bonuses for completing tasks.

“This vicious cycle will continue as long as the fraudsters think the victim will continue to pay into the system,” Proofpoint researchers said. “If they suspect their victim has become too smart for a scam, they’ll lock their account and lock them out.”

The illegal scheme has been attributed with high confidence to the threat actors who also conduct pig butchering, which is also known as the cryptocurrency investment romance scam.

“Job scams provide fraudsters with smaller but more frequent profits compared to pig butchering,” Proofpoint said. “The activity capitalizes on the recognition of a popular brand instead of a long romance scam.”
