The rising threat of SYS01 infostealer: Navigating the malicious mad men of Facebook

Padlock against circuit board/cybersecurity background
(Image credit: Future)

Infostealer attacks are becoming an increasingly serious threat. Over the past few years, infostealer malware has increasingly become the weapon of choice for cybercriminals as a low-hanging fruit tactic to carry out high-impact data breaches due to their simplicity, vast availability, and low cost.

The Trustwave SpiderLabs Threat Intelligence team recently discovered a new version of the SYS01 infostealer during our ongoing research of malicious activity on Facebook. With over 2.9 billion monthly active users and 200 million business accounts on Facebook, this infostealer poses a significant risk.

In this campaign, hackers use malicious advertisements to steal account credentials to take over Facebook business and personal pages, as well as gain access to users' credentials, history, and cookies in web browsers. The captured information can include saved credit card info, passwords for accounts to other sites, and more. This can then lead to further rippling effects, including disruption of business operations and financial loss.

Shawn Kanady

Global Director, SpiderLabs Threat Hunt Team, Trustwave.

Expanded Facebook User Targeting

SYS01 represents a new wave of infostealer malware with more sophisticated capabilities and evasion techniques, making it a formidable threat.

Since its emergence in March 2023, SYS01 has dramatically evolved. Initially distributed through Facebook advertisements related to adult content and gaming, this new version which has been operating since September 2023, now includes ads for AI-tools and Windows themes. This evolution advances SYS01’s appearance of legitimacy and extends its reach to target the general population, making it more challenging for users to identify and avoid malicious ads.

As this malware continues to evolve and target a larger pool of potential victims, organizations should implement filtering systems to analyze ad content for signs of malware or malicious intent to help mitigate risks. It's also crucial for employees to improve their own ability to recognize spoofed ads and maintain good cybersecurity hygiene by staying informed about the latest trends and tools used by cybercriminals.

The Adaptive Nature of SYS01

SYS01 can manipulate antivirus software configurations to avoid detection and maintain presence on infected systems for extended periods. This makes it much more challenging for traditional security solutions to detect the malware. With the ability to identify virtualized environments used by security researchers for malware analysis, SYS01 can further alter its behavior or halt execution to prevent discovery by security tools.

Not only can SYS01 manipulate security tools to evade detection, but its adaptability also allows it to continue to morph and adjust to increase effectiveness with each malicious ad campaign. Leveraging calculated A/B testing, SYS01 adapts and refines its ads to maximize engagement and click-through rates and repeats use of the more successful advertisements.

Given the adaptive nature of SYS01, organizations should ensure they have host-based anti-malware tools to help detect and protect against malicious exploits. Security and IT teams can go a step further by keeping browsers and plugins up-to-date and configuring browsers and tasks to regularly delete persistent cookies to reduce the risk of session cookie theft of sensitive information. When prevention isn’t possible, audit controls can also help detect potential compromises.

One Infostealer After Another

As cybercriminals continue to innovate with their use of infostealers, maintaining vigilance and implementing robust security measures is critical.

SYS01 is just one of many infostealer threats. Many of its tactics exhibit striking similarities to other infostealers, such as Rilide. Disguising itself as a legitimate Google Drive extension, Rilide targets Chromium-based browsers – such as Google Chrome, Microsoft Edge, Brave, and Opera – leveraging Google Ads to carry out attacks that monitor browsing history and capture screenshots before injecting malicious scripts to withdraw funds from cryptocurrency exchanges.

To protect against such threats, security leaders should enforce the use of multi-factor authentication (MFA) across their organizations. This adds an extra layer of defense, making unauthorized access more difficult if and when users inadvertently click on malicious ads. Proactive monitoring with tools like endpoint detection and response, alongside MFA, enhances security by detecting anomalies and aggregating data across an organization’s IT infrastructure.

A Call for Proactive Defense

SYS01’s evolution and sophisticated capabilities underscore the growing threat posed by infostealers, particularly in its demonstrated ability to evade detection and continuously evolve. This flexibility highlights the need for cybersecurity professionals to stay ahead of the curve to effectively anticipate and mitigate future threats. By investing in robust defenses, monitoring solutions, and proactive threat hunting, organizations can better safeguard against the rising risks of infostealers and protect their digital assets from potential harm.

We've listed the best identity management software.

This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://anngonsaigon.site/news/submit-your-story-to-techradar-pro

TOPICS

Shawn Kanady, Global Director, SpiderLabs Threat Hunt Team, Trustwave.