
SYS01 Stealer

Cybersecurity researchers have discovered a new information-stealing malware that specifically targets the Facebook accounts of employees in critical government infrastructure. The malware, named Sys01 Stealer, is being distributed through Google advertisements and fake Facebook accounts that promote adult content, games, and cracked software. Once downloaded, the malware is executed on the victim's computer through DLL side-loading, a technique that allows the malware to avoid detection by security software. Details about the infection chain and the malicious capabilities of the threat were released in a report by security experts.

The distribution and execution techniques used by Sys01 Stealer are similar to those used by another malware, S1deload Stealer, which also targeted Facebook and YouTube accounts to harvest data. The danger posed by these types of malware is significant: the threats are specifically designed to steal sensitive information and can bypass certain security measures.

SYS01 Stealer Targets Numerous Industries Including the Government Sector

Sys01 Stealer is malware that has been targeting employees in different industries since November 2022, including those in government and manufacturing. The malware's primary objective is to exfiltrate sensitive information such as login credentials, cookies, and Facebook ad and business account data from its victims.

The attackers employ various tactics to lure their victims, including using advertisements or creating fake Facebook accounts. These ads or fake accounts contain a URL that leads to a ZIP archive that is advertised as containing a movie, game, or application.

The ZIP archive contains a loader, a legitimate application that is vulnerable to DLL side-loading, together with a malicious library that the loader side-loads. This library drops an Inno Setup installer, which installs the final payload in the form of a PHP application. This application contains the malicious scripts that harvest and exfiltrate data.

Threat Actors Used Several Programming Languages and Encoders to Make SYS01 Stealer Difficult to Detect

The SYS01 Stealer uses a PHP script to achieve persistence by setting a scheduled task on the infected system. The main script, which carries the information-stealing functionality, has multiple capabilities, including the ability to check if the victim has a Facebook account and is logged in. The script can also download and execute files from a designated URL, upload files to a command-and-control server, and execute commands.
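Added example (not from the original report): a Python check that scans exported Task Scheduler XML for the persistence pattern described above, a scheduled task whose action is a PHP interpreter or a script under a user-writable path. The XML namespace is the real Task Scheduler one; the two task definitions, file names and paths are constructed samples, not indicators from the report.

```python
"""Flag Task Scheduler entries whose action launches a PHP interpreter or
runs from a user-writable location (SYS01-style persistence).
Added example for this page; the two task documents are constructed."""
import re
import xml.etree.ElementTree as ET

# Real Task Scheduler XML namespace used by exported task definitions.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# A PHP interpreter (php.exe, php-cgi.exe, php-win.exe) as the task command.
PHP_RE = re.compile(r"(^|[\\/])php(-?cgi|-?win)?\.exe$", re.I)
# Locations a standard user can write to: env-var roots, per-user AppData
# and Downloads folders, and ProgramData.
USER_WRITABLE_RE = re.compile(
    r"(%(appdata|localappdata|temp|tmp|userprofile|public)%|"
    r"[\\/]users[\\/][^\\/]+[\\/](appdata|downloads)|[\\/]programdata[\\/])",
    re.I,
)

def suspicious_actions(task_xml: str) -> list[str]:
    """Return one reason string per suspicious <Exec> action in a task."""
    root = ET.fromstring(task_xml)
    reasons = []
    for ex in root.iterfind(".//t:Actions/t:Exec", NS):
        cmd = ex.findtext("t:Command", default="", namespaces=NS).strip().strip('"')
        args = ex.findtext("t:Arguments", default="", namespaces=NS) or ""
        if PHP_RE.search(cmd):
            reasons.append(f"php interpreter as task action: {cmd} {args}".strip())
        if USER_WRITABLE_RE.search(cmd) or USER_WRITABLE_RE.search(args):
            reasons.append(f"action runs from user-writable path: {cmd} {args}".strip())
    return reasons

# Constructed samples (placeholder vendor, user and folder names).
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec><Command>C:\Program Files\ExampleVendor\updater.exe</Command><Arguments>/silent</Arguments></Exec>
  </Actions>
</Task>"""
SUSPECT_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec><Command>C:\Users\victim\AppData\Local\ExampleApp\php.exe</Command><Arguments>index.php</Arguments></Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_TASK), ("suspect", SUSPECT_TASK)):
        print(name, suspicious_actions(doc) or "no findings")
```

On a live host the same function can be run over the files under %SystemRoot%\System32\Tasks or the XML returned by schtasks /query /xml.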

According to the analysis, the information stealer is written in several programming languages, including Rust, Python, and PHP, and uses advanced PHP encoders to avoid detection.

It is strongly recommended that organizations implement a zero-trust policy and restrict users' rights to download and install programs to prevent infections by threats like the Sys01 Stealer. Since the Sys01 Stealer relies on social engineering, users must be educated about the techniques adversaries use so that they can recognize and avoid them.
