Information on a data thief who has been seen targeting the Facebook accounts of key individuals in the government infrastructure has been supplied by endpoint security company Morphisec. The malware, known as Sys01 Stealer, which promotes pornographic content, games, and cracked software via bogus Facebook profiles and Google advertisements, is run on the victim’s computer via DLL side-loading.
In an original post, Bitdefender described how the “S1deload Stealer,” which targets YouTube and Facebook accounts for data collection, used identical distribution and execution strategies. However, Morphisec revealed that the ultimate payload is different. Since November 2022, Sys01 Stealer has targeted workers in a range of sectors, including manufacturing and the government, with the goal of stealing data such as login passwords, cookies, and Facebook ad and business account information.
In order to download a ZIP package that purports to include a movie, game, or application, victims are tricked into visiting a URL from an advertisement or a phony Facebook account. The archive consists of a loader, a trustworthy program that may be compromised via DLL side-loading, and a side-loaded malicious library to launch the Inno-Setup installer, which then releases the malicious PHP application that carries the payload.
While the primary stealer script contains support for a number of activities, including enabling the attackers to check whether the attacked targets have a Facebook account and whether they are logged in, a PHP script is in charge of establishing persistence by creating a scheduled job. Additionally, the script enables uploading files to the command-and-control (C&C) server, downloading files from a specific URL, and running commands.
According to Morphisec’s evaluation of the threat, the information thief used Rust, Python, PHP, and PHP advanced encoders to evade detection for the previous five months. “Basic steps to help prevent Sys01 stealer include implementing a zero-trust policy and limiting users’ rights to download and install programs. And Sys01 stealer at heart relies on a social engineering campaign, so it’s important to train users about the tricks adversaries use so they know how to spot them,” concludes Morphisec.
