Government Employees Being Targeted by "Sys01 Stealer" Malware

Endpoint security company Morphisec has published details of an information stealer seen targeting the Facebook accounts of employees in government infrastructure. The malware, tracked as Sys01 Stealer, is distributed through bogus Facebook profiles and Google advertisements that lure victims with adult content, games and cracked software, and is executed on the victim's machine via DLL side-loading.

Bitdefender had earlier described the "S1deload Stealer," which targets YouTube and Facebook accounts for data collection, as using identical distribution and execution techniques. Morphisec found, however, that the final payload is different. Since November 2022, Sys01 Stealer has targeted employees across a range of sectors, including manufacturing and government, with the goal of stealing data such as login credentials, cookies, and Facebook ad and business account information.

Victims are lured from an advertisement or a phony Facebook profile to a URL that serves a ZIP archive purporting to contain a movie, game or application. The archive holds the loader: a legitimate, trusted executable that is susceptible to DLL side-loading, packaged together with a malicious library that the executable side-loads. That library launches an Inno Setup installer, which in turn drops the malicious PHP application that carries the payload.

A PHP script establishes persistence by creating a scheduled task, while the main stealer script implements a number of functions, including checking whether the targeted user has a Facebook account and whether they are logged in. The script can also upload files to the command-and-control (C&C) server, download files from a given URL, and run commands.
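The infection chain above leaves two host-level traces a defender can hunt for without any sample-specific indicator: a legitimate executable loading a DLL of a Windows system name from its own download directory, and a schtasks.exe invocation whose action runs a PHP interpreter or a script from a user-writable path. The following is an added example written for this page, not code from Morphisec or from the Sys01 analysis; it assumes Sysmon-style events exported as JSON per line (Event ID 7 for image loads, Event ID 1 for process creation), the list of commonly shadowed DLL names and user-writable directories is a generic assumption rather than an indicator from the article, and the sample log lines, file names and paths are constructed for the example.

```python
import json
import ntpath
import re

# Directories from which Windows normally serves its own DLLs (assumed list).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")

# Windows DLL names that side-loading campaigns commonly shadow with a malicious
# copy placed next to a signed host executable. Generic list assumed for this
# example; these are not indicators taken from the article.
SHADOWED_DLLS = {"version.dll", "dbghelp.dll", "cryptbase.dll", "wtsapi32.dll", "userenv.dll"}

# User-writable locations a persistence action should not normally point at (assumed).
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\")

# Extracts the /tr (task action) argument of a schtasks command line, quoted or not.
TR_ARG = re.compile(r'/tr\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)


def is_dll_sideload(evt):
    """Sysmon EID 7 (image loaded): a system-named DLL resolved from outside the
    Windows directories and lacking a valid Authenticode signature."""
    if evt.get("EventID") != 7:
        return False
    loaded = evt.get("ImageLoaded", "").lower()
    name = ntpath.basename(loaded)
    signed_ok = (evt.get("Signed", "false").lower() == "true"
                 and evt.get("SignatureStatus") == "Valid")
    return name in SHADOWED_DLLS and not loaded.startswith(SYSTEM_DIRS) and not signed_ok


def scheduled_task_action(evt):
    """Return the /tr action of a 'schtasks.exe /create' command line, else None."""
    if evt.get("EventID") != 1:
        return None
    if ntpath.basename(evt.get("Image", "")).lower() != "schtasks.exe":
        return None
    cmd = evt.get("CommandLine", "")
    if not re.search(r"/create\b", cmd, re.IGNORECASE):
        return None
    m = TR_ARG.search(cmd)
    return (m.group(1) or m.group(2)) if m else None


def is_php_persistence(evt):
    """A newly created scheduled task whose action runs php.exe or anything from a
    user-writable directory: the persistence pattern the article describes."""
    action = scheduled_task_action(evt)
    if not action:
        return False
    action = action.lower()
    return "php.exe" in action or any(p in action for p in USER_WRITABLE)


def hunt(log_lines):
    """Run both checks over JSON-per-line Sysmon events and return the hits."""
    hits = []
    for line in log_lines.splitlines():
        line = line.strip()
        if not line:
            continue
        evt = json.loads(line)
        if is_dll_sideload(evt):
            hits.append({"rule": "dll_sideload", "host": evt.get("Image"), "dll": evt.get("ImageLoaded")})
        elif is_php_persistence(evt):
            hits.append({"rule": "php_scheduled_task", "action": scheduled_task_action(evt)})
    return hits


# Constructed sample events (Sysmon field names, JSON per line). Paths and file
# names are made up for the example; only the first and third lines should fire.
SAMPLE_LOG = r'''
{"EventID": 7, "Image": "C:\\Users\\bob\\Downloads\\Movie_HD\\viewer.exe", "ImageLoaded": "C:\\Users\\bob\\Downloads\\Movie_HD\\version.dll", "Signed": "false", "SignatureStatus": "Unavailable"}
{"EventID": 7, "Image": "C:\\Program Files\\Vendor\\app.exe", "ImageLoaded": "C:\\Windows\\System32\\version.dll", "Signed": "true", "SignatureStatus": "Valid"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\schtasks.exe", "CommandLine": "schtasks.exe /create /sc minute /mo 5 /tn \"Updater\" /tr \"C:\\Users\\Public\\php\\php.exe C:\\Users\\Public\\run.php\" /f"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\schtasks.exe", "CommandLine": "schtasks.exe /create /sc daily /tn \"VendorUpdate\" /tr \"C:\\Program Files\\Vendor\\update.exe\""}
{"EventID": 1, "Image": "C:\\Windows\\explorer.exe", "CommandLine": "explorer.exe"}
'''

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit)
```

The side-loading check deliberately keys on where the DLL was resolved from and whether it is signed, not on the host executable, because the host is a clean, trusted binary by design. The task check keys on the action rather than the task name, since the name is chosen by the attacker.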

According to Morphisec's analysis of the threat, the stealer has used Rust, Python, PHP and PHP advanced encoders to evade detection for the past five months. "Basic steps to help prevent Sys01 stealer include implementing a zero-trust policy and limiting users' rights to download and install programs. And Sys01 stealer at heart relies on a social engineering campaign, so it's important to train users about the tricks adversaries use so they know how to spot them," concludes Morphisec.

About the author

Yehudah Sunshine

Bringing together his diverse professional cyber know-how, intellectual fascination with history and culture, and eclectic academic background focusing on diplomacy and the cultures of Central Asia, Yehudah Sunshine keenly blends his deep understanding of the global tech ecosystem with a nuanced worldview of the underlying socio-economic and political forces which drive policy and impact innovation in the cyber sectors. Yehudah's current work focuses on how to create opportunities, enhance marketing strategies and elevate cyber-driven thought leadership for cyfluencer (www.cyfluencer.com), the cybersecurity thought leadership platform. Sunshine has written and researched extensively within cybersecurity, the service sectors, international criminal accountability, Israel's economy, Israeli diplomatic inroads, Israeli innovation and technology, and Chinese economic policy.