Cyber999 Advisories

11 November 2024     Advisory

MA-1188.112024: MyCERT Advisory - SYS01 Infostealer Malware Campaign


1.0 Introduction
Security researchers identified a new malvertising campaign that abuses Meta’s advertising platform to spread the SYS01 infostealer malware. The campaign targets Meta users, particularly Facebook users, with men aged 45 and above most affected, in order to steal their personal information. The scope of this attack is global, with potentially millions of victims, covering regions such as the EU, North America, Australia, and Asia. The campaign was first detected in September 2024 through its impersonation of well-known brands. The attackers mimic several trusted brands, including productivity tools like Office 365, creative software like Canva and Adobe Photoshop, VPN services like ExpressVPN, streaming platforms like Netflix, messaging apps like Telegram, and even popular video games like Super Mario Bros Wonder.

SYS01 Infostealer is a type of malware sold as ‘malware-as-a-service’ (MaaS), which can be purchased or rented on dark web marketplaces, making it accessible to threat actors. It is designed to steal sensitive information from infected systems, posing a significant threat to individuals and organisations. It primarily targets credentials, personal data and other valuable information stored on browsers and applications. SYS01 infostealer is commonly spread through phishing emails and malicious ads on social media. It often operates covertly to avoid detection, sometimes even running directly from memory in a fileless manner. Once installed, it connects to the Command and Control (C2) server, allowing attackers to monitor and exfiltrate data continuously from infected systems. 

2.0 Impact
Successful execution of the malware on a victim’s computer allows sensitive information to be stolen from web browsers, including payment details, login credentials, system information, and autocomplete data. In addition, the malware can take an inventory of the target machine, gathering information on the user, location, hardware, and installed security software.

3.0 Technical Details
The primary goal of the SYS01 infostealer is to harvest Facebook credentials, particularly those associated with business accounts. The compromised accounts are then used for further attacks and potentially malicious activities. The attack also leverages the advertising capabilities of hijacked accounts, allowing attackers to create new malicious ads that appear more legitimate and easily bypass security filters. This creates a self-sustaining cycle where stolen accounts are used to spread the malware even further. The stolen credentials are also likely sold on underground marketplaces, further enriching the criminals.

Fake Meta Ads Hijacking Facebook Accounts to Spread SYS01 Infostealer

Figure 1: Fake Netflix, Super Mario Bros. Wonder, and other malicious ads are currently being used in the campaign.

Another approach is the reuse of malicious domains that impersonate a generic video game download platform (listing well-known titles or recent hits such as Black Myth: Wukong). The threat actors also changed the download mechanism to deliver newer samples similar to those obtained from previous ads.

Figure 2: Reusing malicious domains impersonating a generic video game download platform.

After acquiring and using the malware, hackers sell the stolen information to other hackers specialising in online fraud in dark web forums, allowing them to concentrate on their illegal business model. 

3.1 Modus Operandi
The modus operandi of the SYS01 infostealer malware is to steal stored credentials, cookies, session tokens, and browser data, focusing mainly on Facebook business accounts, which it can hijack to spread further through social networks. Hijacked accounts are often repurposed to distribute malicious content, extending the malware’s reach. The malware lures victims through malicious ads disguised as popular software, game cracks, or AI tools. Once users click on these ads, they are redirected to pages hosting malicious ZIP files. If opened, these files drop the malware, which uses DLL sideloading to avoid detection and gain persistence on the infected system, as shown in Figures 3 and 4.

Figure 3: Example Facebook post advertising to download Netflix.


Figure 4: Redirected pages which host malicious ZIP files.

The ads typically point to a MediaFire link, or refer to one, that allows the direct download of the malicious software. The samples are obtained as a .zip archive containing an Electron application. While the structure of the extracted archive may differ from sample to sample, the infection method remains the same: the JavaScript code embedded in the Electron app ends up dropping and executing the malicious software. In many cases, the malware runs in the background while a decoy app, often mimicking the software promoted in the ad, appears to function normally, making it difficult for the victim to realise they have been compromised. The malicious archive is password protected; the password is attached to the Facebook posts, as seen in the sample post in Figures 3 and 4, so that the victim can open the file. Password-protecting malicious files is a common technique used by perpetrators to evade detection.

4.0 Indicators of Compromise (IOCs)

Malware Hosting Domains

  • hxxps://krouki.com
  • hxxps://kimiclass.com
  • hxxps://goodsuccessmedia.com
  • hxxps://wegoodmedia.com
  • hxxps://socialworldmedia.com
  • hxxps://superpackmedia.com
  • hxxps://eviralmedia.com
  • hxxps://gerymedia.com
  • hxxps://wakomedia.com

C2 Domains

  • hxxps://musament.top
  • hxxps://enorgutic.top
  • hxxps://untratem.top
  • hxxps://matcrogir.top
  • hxxps://ubrosive.top
  • hxxps://wrust.top
  • hxxps://lucielarouche.com
  • hxxps://ostimatu.top
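
The domains above are published in defanged form (hxxps://), so they cannot be pasted straight into a proxy or DNS log search. The following Python script is an added example, not part of the original advisory: it refangs the two IOC lists from this section into bare hostnames, then scans log lines for any host that is one of those domains or a subdomain of one. The log lines it scans are constructed for illustration; the log format, the field layout and the host-extraction regex are assumptions, and a real deployment would swap in the organisation's own proxy or DNS export.

```python
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# IOCs exactly as published in section 4.0 of the advisory (defanged form).
HOSTING_DOMAINS = [
    "hxxps://krouki.com", "hxxps://kimiclass.com", "hxxps://goodsuccessmedia.com",
    "hxxps://wegoodmedia.com", "hxxps://socialworldmedia.com", "hxxps://superpackmedia.com",
    "hxxps://eviralmedia.com", "hxxps://gerymedia.com", "hxxps://wakomedia.com",
]
C2_DOMAINS = [
    "hxxps://musament.top", "hxxps://enorgutic.top", "hxxps://untratem.top",
    "hxxps://matcrogir.top", "hxxps://ubrosive.top", "hxxps://wrust.top",
    "hxxps://lucielarouche.com", "hxxps://ostimatu.top",
]


def refang_host(ioc: str) -> str:
    """Turn a defanged IOC ("hxxps://", "[.]") into a bare lowercase hostname."""
    s = ioc.strip().lower().replace("[.]", ".").replace("[:]", ":")
    s = re.sub(r"^hxxp", "http", s)          # hxxps:// -> https://
    if "://" not in s:                         # bare domain without a scheme
        s = "http://" + s
    return urlsplit(s).hostname or ""


def build_watchlist() -> Dict[str, str]:
    """Map each refanged IOC hostname to the category the advisory gives it."""
    watch: Dict[str, str] = {}
    for ioc in HOSTING_DOMAINS:
        watch[refang_host(ioc)] = "malware-hosting"
    for ioc in C2_DOMAINS:
        watch[refang_host(ioc)] = "c2"
    return watch


def host_matches(host: str, watchlist: Dict[str, str]) -> Optional[str]:
    """Return the IOC category if host equals, or is a subdomain of, a listed domain."""
    labels = host.lower().rstrip(".").split(".")
    # Walk from the full host up through its parent domains (but never the bare TLD),
    # so that cdn.krouki.com is caught by the krouki.com entry.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in watchlist:
            return watchlist[candidate]
    return None


# Assumed extractor: any dotted hostname-like token in a log line (URLs, CONNECT
# targets, DNS query names). IP addresses and file names pass through harmlessly
# because they never match an entry in the watchlist.
HOST_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.IGNORECASE)


def scan_log(lines: List[str], watchlist: Dict[str, str]) -> List[Tuple[int, str, str]]:
    """Return (line number, matched host, IOC category) for every hit in the log."""
    hits: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(lines, start=1):
        for host in HOST_RE.findall(line):
            category = host_matches(host, watchlist)
            if category is not None:
                hits.append((lineno, host.lower(), category))
    return hits


# Constructed sample log (assumed "timestamp client method target status" layout).
LOG_LINES = [
    "2024-11-11T10:02:13Z 10.0.0.5 GET https://www.office.com/ 200",
    "2024-11-11T10:05:41Z 10.0.0.5 GET https://krouki.com/download/netflix-setup.zip 200",
    "2024-11-11T10:06:02Z 10.0.0.5 DNS A-query cdn.musament.top",
    "2024-11-11T10:06:03Z 10.0.0.5 CONNECT musament.top:443",
    "2024-11-11T10:07:15Z 10.0.0.7 GET https://example.com/ 200",
]

if __name__ == "__main__":
    for lineno, host, category in scan_log(LOG_LINES, build_watchlist()):
        print(f"line {lineno}: {host} [{category}]")
```

Matching on the registrable domain and its subdomains, rather than on the exact string, matters because the advisory lists only the apex domains while the actual download or C2 traffic may use a hostname beneath them. A hosting-domain hit points at a download attempt; a C2 hit on the same client is the stronger signal that the dropper already ran.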


5.0 Recommendations
CyberSecurity Malaysia recommends that users and administrators review this advisory and apply the mitigations below for immediate protection against the impact of the SYS01 infostealer and other infostealer malware incidents.

  1. Internet users must be vigilant of the risks of downloading and operating files from unknown sources.
  2. Be cautious about clicking on ads that offer free downloads or seem too good to be true, even on trusted platforms like Meta. Always verify the source before downloading any software.
  3. Users must always refer to the respective vendor websites to download applications provided by the respective vendors.
  4. Users should be wary and suspicious of applications circulated on social media for downloads.
  5. Users must not simply click on any links or executables they receive via social media and other messaging applications.
  6. Enable and use up-to-date anti-virus software to detect and remove malicious files before they can cause any damage.
  7. Enable Two-Factor Authentication (2FA). Ensure 2FA is enabled on your Facebook account, particularly if you use it for business purposes. This will add an extra layer of security in case your credentials are compromised.
  8. Do regular security updates and patches.
  9. Monitor Your Facebook Business Accounts. Regularly check your business accounts for unauthorised access or suspicious activity. If you see unusual behaviour, report it immediately to Facebook and change your login credentials.
  10. Contact relevant authorities such as CyberSecurity Malaysia for inquiries and assistance related to cyber threats or suspicious activities users observe online.
  11. Users are also encouraged to report to the Service Providers or the social media platform directly concerning the circulation of posts or ads with suspicious links.

Generally, CyberSecurity Malaysia advises users to be updated with the latest security announcements by the vendor and to follow best practice security policies to determine which updates should be applied.

For further enquiries, don't hesitate to get in touch with Cyber999 through the following channels:

E-mail: cyber999[at]cybersecurity.my 
Phone: 1-300-88-2999 (monitored during business hours)  
Mobile: +60 19 2665850 (24x7 call incident reporting) 
Business Hours: Mon - Fri 08:30 -17:30 MYT 
Web: https://www.mycert.org.my 

6.0 References

CyberSecurity Malaysia is the national cyber security specialist agency under the purview of the Ministry of Digital (KD)
 
Contact Us

  • CyberSecurity Malaysia,
    Level 7 Tower 1, Menara Cyber Axis, Jalan Impact,
    63000 Cyberjaya, Selangor Darul Ehsan, Malaysia.

  • enquiry@cybersecurity.my

  • +603 - 8800 7999

  • +603 - 8008 7000
