Through fake ads, hackers hijack Facebook accounts that they use to spread the SYS01 InfoStealer malware

social networks, 31.10.2024, 11:00 AM

Cybersecurity researchers from Bitdefender Labs warn of attempts to abuse Meta’s advertising platform and hijack Facebook accounts used to distribute the SYS01 InfoStealer malware.

“The hackers behind the campaign are using trusted brands to expand their reach,” Bitdefender Labs said in the report.

“The malicious advertising campaign that has been wreaking havoc on the Meta platforms for at least a month is continuously evolving, with new ads appearing daily. The SYS01 InfoStealer malware has become a central weapon in this campaign, targeting victims across multiple platforms.”

To maximize their reach, the cybercriminals imitate a wide range of well-known software: video and photo editors such as CapCut, Canva and Adobe Photoshop; VPN software such as Express VPN and VPN Plus; applications such as Netflix; messengers such as Telegram; and video games, which brings the lures in front of a wider user base. They use nearly a hundred domains not only for malware distribution but also for live command and control (C2) operations, allowing them to manage the attack in real time.

SYS01 was first documented by Morphisec in early 2023, in a report describing attacks on Facebook business accounts that used Google ads and fake Facebook profiles promoting games, adult content, and cracked software.

As in other cases of this type of malware distribution, the ultimate goal is to steal login data, browsing history and cookies, as well as Facebook ad and business account data, which are then used to further spread the malware through fake ads.

“Hijacked Facebook accounts serve as the basis for scaling up the entire operation,” the Bitdefender report said. “Each compromised account can be repurposed to promote additional malicious ads, increasing the reach of the campaign without hackers having to create new Facebook accounts themselves.”

The primary vector for distributing SYS01 InfoStealer is advertisements on platforms such as Facebook, YouTube, and LinkedIn that promote Windows themes, games, AI software, photo editors, VPNs, and movie streaming services. Most of the Facebook ads are designed to target men aged 45 and older.

Victims who click on these ads end up having their browser data stolen. If that data includes Facebook-related information, the consequences go beyond the theft itself: the hackers may take over the victim's Facebook account and use it to distribute further ads.

Users who click on the ads are redirected to deceptive sites hosted by Google Sites or True Hosting, which impersonate legitimate brand and application sites.

The file downloaded from these websites is a ZIP archive containing a benign executable, which is used to load a malicious DLL responsible for decoding and initiating a multi-stage infection process.
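As an added illustration (not code from Bitdefender or the original article), the following Python triage heuristic flags the delivery layout described above in a downloaded archive: an executable sitting next to a DLL in the same folder, without executing anything from the archive. The archive contents and file names in the sample are constructed.

```python
import io
import zipfile
from typing import Dict, List

# Added example, not from Bitdefender's report: a name-based triage heuristic
# for ZIP lures that bundle a benign-looking EXE with the DLL it loads.
EXECUTABLE_EXT = (".exe",)
LIBRARY_EXT = (".dll",)


def find_sideload_candidates(zip_bytes: bytes) -> List[Dict[str, object]]:
    """Return one finding per archive folder that holds both an EXE and a DLL.

    Only entry names are inspected; nothing in the archive is extracted or run.
    """
    by_dir: Dict[str, Dict[str, list]] = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            folder, _, name = info.filename.rpartition("/")
            bucket = by_dir.setdefault(folder, {"exe": [], "dll": [], "other": []})
            lower = name.lower()
            if lower.endswith(EXECUTABLE_EXT):
                bucket["exe"].append(name)
            elif lower.endswith(LIBRARY_EXT):
                bucket["dll"].append(name)
            else:
                bucket["other"].append(name)
    findings = []
    for folder, bucket in by_dir.items():
        if bucket["exe"] and bucket["dll"]:
            findings.append({"folder": folder or "<root>", "executables": bucket["exe"],
                             "libraries": bucket["dll"], "other_files": len(bucket["other"])})
    return findings


def build_sample_archive(entries) -> bytes:
    """Build an in-memory ZIP from (path, content) pairs; constructed test data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, content in entries:
            zf.writestr(path, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample resembling the described lure: one "setup" EXE beside one DLL.
    sample = build_sample_archive([("VideoApp_Setup/VideoApp.exe", b"MZ..."),
                                   ("VideoApp_Setup/support.dll", b"MZ...")])
    for f in find_sideload_candidates(sample):
        print(f"suspicious folder {f['folder']}: {f['executables']} next to {f['libraries']}")
```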

The malware will not run in a sandboxed analysis environment. In addition, Microsoft Defender antivirus settings are modified to avoid detection and to make sure the malware launches.

“The adaptability of the cybercriminals behind these attacks makes this campaign particularly dangerous,” Bitdefender said. “The malware uses sandbox detection, halting its operations if it detects that it is running in a controlled environment, which analysts often use to examine malware. This allows it to remain undetected in many cases.”

When antivirus companies detect and block the current version of the malware, hackers improve their stealth methods and relaunch new ads with updated versions.

This attack is global, with millions of potential victims, and includes regions such as Europe, North America, Australia and Asia, and men over 45 are especially targeted.


Source: www.informacija.rs