SYS01 is an Info Stealer that Targets the Facebook Accounts of Government Infrastructure Employees
Researchers specializing in cybersecurity have uncovered an information-stealing malware that specifically targets the Facebook accounts of employees working in critical government infrastructure. Known as Sys01 Stealer, this malware is distributed through sponsored advertisements on popular search engines and fake Facebook accounts promoting adult content, games, and cracked software.
Once downloaded, the malware discreetly executes on the victim’s computer by utilizing DLL side-loading, a technique that evades detection by security software. We would like to provide insights into the infection chain and the malicious capabilities of this threat.
The distribution and execution methods employed by Sys01 Stealer bear similarities to another malware called “S1deload Stealer,” which also focuses on stealing data from Facebook and YouTube accounts. The threat posed by such malware is substantial, as they are purposefully designed to pilfer sensitive information and possess the ability to bypass certain security measures.
Since November 2022, Sys01 Stealer has been targeting employees across different sectors, including government and manufacturing. Its primary objective is to extract sensitive data like login credentials, cookies, and Facebook ad and business account information from unsuspecting victims.
As mentioned, the attackers utilize multiple tactics to lure their targets, including deceptive advertisements or creating fictitious Facebook accounts. The ads and accounts contain URLs that lead to ZIP archives, supposedly containing movies, games, or applications.
Within the ZIP archive, there is a loader—a legitimate application with a vulnerability in DLL side-loading—along with an unsafe library that undergoes side-loading. This library deploys the Inno-Setup installer, responsible for installing the final payload in the form of a PHP application. This application includes compromised scripts used for data harvesting and exfiltration.
Sys01 Stealer incorporates a PHP script to establish persistence by scheduling tasks on the infected system. The primary script with the information-stealing functionality has various capabilities. It can determine if the victim has a Facebook account and is logged in, download and execute files from a designated URL, upload files to a command-and-control server, and execute commands.
According to the analysis, the information stealer employs multiple programming languages, including Rust, Python, PHP, and advanced PHP encoders, to evade detection.
To mitigate the risk of infections from threats like Sys01 Stealer, it is highly recommended for organizations to implement a zero-trust policy, which would restrict employees’ rights to download and install programs. Zero-Trust is a security approach that ensures everyone, whether inside or outside an organization’s network, has to prove their identity, get permission, and constantly demonstrate their security settings and conditions to access applications and data. This means nobody is automatically trusted, and everyone must continually prove they are secure before accessing sensitive information. Also, educating employees about the techniques employed by threat actors and raising awareness to detect and avoid social engineering tactics is crucial in preventing such infections.
If you are still having trouble, consider contacting remote technical support options.