In a new report, Israeli cybersecurity company Morphisec has shared details on a new information stealer that they have dubbed SYS01stealer. This new malicious software is targeting critical government infrastructure employees, manufacturing companies, and other sectors.
According to Morphisec, the threat actors behind the campaign are targeting Facebook business accounts by using Google ads and fake Facebook profiles that promote things like games, adult content, and cracked software. The goal is to lure victims into downloading a malicious file. Once the file is downloaded, it allows the attackers to steal sensitive information, including login data, cookies, and Facebook ad and business account information.
Morphisec's report notes that the campaign was initially tied to a financially motivated cybercriminal operation dubbed Ducktail by Zscaler. However, WithSecure, which first documented the Ducktail activity cluster in July 2022, said the two intrusion sets are different from one another. This indicates how the threat actors managed to confuse attribution efforts and evade detection.
The attack chain, per Morphisec, commences when a victim is successfully lured into clicking on a URL from a fake Facebook profile or advertisement to download a ZIP archive that purports to be cracked software or adult-themed content. Opening the ZIP file launches a based loader – typically a legitimate C# application – that's vulnerable to DLL side-loading, thereby making it possible to load a malicious dynamic link library (DLL) file alongside the app.
This is yet another example of how cybercriminals are using social engineering techniques to take advantage of people. It's important to be aware of these types of attacks and to know how to protect yourself. When downloading files, be sure that you trust the source. If you're not sure, do some research to make sure that the file is safe. Also, be sure to have a good antivirus program installed on your computer and to keep it up-to-date.