Endpoint security firm Morphisec has shared details on an information stealer that has been observed targeting the Facebook accounts of critical government infrastructure employees.
Dubbed Sys01 Stealer, the malware is distributed via Google ads and fake Facebook accounts promoting adult content, games, and cracked software, and is executed on the victim’s machine using DLL side-loading. Since November 2022, Sys01 Stealer has been targeting employees in various industries, including government and manufacturing, with a focus on exfiltrating information such as credentials, cookies, and Facebook ad and business account data.
The malicious payload is delivered as a ZIP archive containing two components: a loader, which is a legitimate application vulnerable to DLL side-loading, and a malicious library. The side-loaded library drops the Inno-Setup installer, which in turn deploys the final payload in the form of a PHP application containing malicious scripts for data harvesting and exfiltration.
The script also supports the download and execution of files from a specified URL, can upload files to the command-and-control (C&C) server, and can execute commands. Morphisec’s analysis of the threat also revealed the use of Rust, Python, PHP, and PHP advanced encoders that helped the information stealer remain undetected for the past five months.
Morphisec recommends implementing a zero-trust policy and limiting users’ rights to download and install programs. It is also important to train users about the tricks adversaries use so they know how to spot them.
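The delivery format described above (a ZIP holding a legitimate executable next to a library it will side-load) can be triaged before a download is unpacked. The following is an added example, not Morphisec's tooling or code from the original article; the function names and the sample archive contents are constructed for illustration.

```python
import io
import zipfile
from collections import defaultdict
from pathlib import PurePosixPath

KINDS = {".exe": "exe", ".dll": "dll"}

def sideload_candidates(zip_bytes):
    """Map each archive directory that holds an EXE next to a DLL to those files."""
    by_dir = defaultdict(lambda: {"exe": [], "dll": []})
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # ZIP names should use "/", but some tools write "\"; normalise first.
            path = PurePosixPath(info.filename.replace("\\", "/"))
            kind = KINDS.get(path.suffix.lower())
            if kind is None:
                continue
            # Require the DOS "MZ" magic so renamed non-PE files are ignored.
            # Encrypted members cannot be read, so they are judged by name alone.
            if not info.flag_bits & 0x1:
                with zf.open(info) as fh:
                    if fh.read(2) != b"MZ":
                        continue
            by_dir[str(path.parent)][kind].append(path.name)
    # Report only directories where an executable and a library sit together.
    return {d: v for d, v in by_dir.items() if v["exe"] and v["dll"]}

def build_sample(entries):
    """Build an in-memory ZIP from {name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

PE_STUB = b"MZ" + b"\x00" * 62  # constructed: DOS magic only, not a real binary
SUSPECT = build_sample({"Album/viewer.exe": PE_STUB, "Album\\helper.dll": PE_STUB,
                        "Album/readme.txt": b"constructed"})
BENIGN = build_sample({"tool/setup.exe": PE_STUB, "tool/notes.dll": b"plain text"})

if __name__ == "__main__":
    for label, blob in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, sideload_candidates(blob))
```

Legitimate software also ships executables alongside DLLs, so a hit is a reason to check the signer and origin of both files, not a verdict on its own.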
- Morphisec has identified a new information stealer called Sys01 Stealer targeting Facebook accounts of government infrastructure employees.
- The malware is delivered via fake ads and Facebook accounts promoting adult content, games, and cracked software.
- It is executed on the victim’s machine using DLL side-loading and is designed to exfiltrate credentials, cookies, and Facebook ad and business account data.
- Morphisec recommends implementing a zero-trust policy and limiting users’ rights to download and install programs, and training users to spot malicious activity.