Morphisec has discovered a new stealer named SYS01, which targets government employees, manufacturing companies, and several other sectors worldwide.
“The threat actors behind the campaign are targeting Facebook business accounts by using Google ads and fake Facebook profiles that promote things like games, adult content, and cracked software, etc. to lure victims into downloading a malicious file,” Morphisec said.
In short, the threat actors behind the campaign:
- target Facebook business accounts,
- lure victims with Google ads and fake Facebook profiles that promote games, adult content, cracked software and similar content, so that the victim downloads a malicious file,
- steal sensitive information, including login data, cookies, and Facebook ad and business account information.
Modus operandi: how the attack works
Related findings from Zscaler describe a PHP version of the information-stealing malware Ducktail discovered in the wild, distributed in the form of cracked installers for legitimate apps and games.
The stealer is engineered to:
- harvest Facebook cookies from Chromium-based web browsers (e.g., Google Chrome, Microsoft Edge, Brave, Opera, and Vivaldi),
- send the victim's Facebook information to a remote server, and download and run arbitrary files,
- upload files from the infected host to the command-and-control (C2) server, run commands sent by the server, and update itself when a new version is available.
A related stealer, S1deload, is designed to hijack users' Facebook and YouTube accounts and to use the compromised systems to mine cryptocurrency.
The malicious code itself is executed through DLL side-loading: a legitimate, signed application is tricked into loading the attacker's DLL.
Morphisec said: “When an application loads in memory and search order is not enforced, the application loads the malicious file instead of the legitimate one, allowing threat actors to hijack legitimate, trusted, and even signed applications to load and execute malicious payloads.”
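To make the search-order point concrete, the following PowerShell script is an added example (not code from Morphisec's report or from the malware): it models the default Windows DLL search order for one application and one DLL name and reports which file on disk would win. It assumes SafeDllSearchMode is enabled (the Windows default), that the application does not call SetDllDirectory/SetDefaultDllDirectories or load by full path, and that the application path passed in (the `C:\Program Files\Example\app.exe` in the usage line is a placeholder) exists on the machine running the check.

```powershell
# Added example: predict which file Windows would load for a given DLL name, using the
# default search order with SafeDllSearchMode = 1. Not part of the original article.

function Get-KnownDllNames {
    # DLLs listed under KnownDLLs are always mapped from System32 and cannot be
    # side-loaded from an application directory, so they are excluded from the search.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs'
    $props = Get-ItemProperty -Path $key
    $props.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and $_.Name -notin @('DllDirectory', 'DllDirectory32') } |
        ForEach-Object { [string]$_.Value | ForEach-Object { $_.ToLowerInvariant() } }
}

function Resolve-DllSearchOrder {
    param(
        [Parameter(Mandatory)][string]$ApplicationPath,
        [Parameter(Mandatory)][string]$DllName,
        [string]$CurrentDirectory = (Get-Location).Path
    )
    $app = Get-Item -LiteralPath $ApplicationPath
    if ((Get-KnownDllNames) -contains $DllName.ToLowerInvariant()) {
        return [pscustomobject]@{ Dll = $DllName; Path = 'KnownDLLs (System32)'; SignatureOK = $true; Hijackable = $false }
    }
    $system32 = [Environment]::GetFolderPath('System')
    $windows  = [Environment]::GetFolderPath('Windows')
    # Default search order when SafeDllSearchMode is enabled: the application directory
    # comes first, which is exactly what side-loading abuses.
    $searchDirs = @(
        $app.DirectoryName,
        $system32,
        (Join-Path $windows 'System'),
        $windows,
        $CurrentDirectory
    ) + ($env:PATH -split ';' | Where-Object { $_ })

    $candidates = @(foreach ($dir in $searchDirs) {
        $p = Join-Path $dir $DllName
        if (Test-Path -LiteralPath $p -PathType Leaf) {
            $sig = Get-AuthenticodeSignature -FilePath $p
            [pscustomobject]@{
                Dll         = $DllName
                Path        = $p
                SignatureOK = ($sig.Status -eq 'Valid')
                Signer      = $sig.SignerCertificate.Subject
            }
        }
    })
    if ($candidates.Count -eq 0) { return $null }
    $winner = $candidates[0]
    # Hijack indicator: the winning copy sits in the application directory, is not validly
    # signed, and a further copy exists later in the search order (typically System32).
    $shadowsLaterCopy = $candidates.Count -gt 1 -and $winner.Path -like ($app.DirectoryName + '\*')
    $winner | Add-Member -NotePropertyName Hijackable -NotePropertyValue ($shadowsLaterCopy -and -not $winner.SignatureOK) -PassThru
}

# Usage (placeholder path; point it at a real executable on the machine):
Resolve-DllSearchOrder -ApplicationPath 'C:\Program Files\Example\app.exe' -DllName 'version.dll' | Format-List
```

A result whose `Path` is the application directory while a signed copy also exists in System32 is the situation the Morphisec quote describes: the loader stops at the first match, so the legitimate system DLL is never reached. The check is a heuristic; an application's own unsigned DLL in its install directory is normal, which is why the flag also requires a shadowed later copy.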
Combat SYS01 stealer
SYS01 uses DLL side-loading, an efficient and reliable way to get malicious code executed under the cover of a trusted process. The following measures reduce the attack surface:
- Keep software up to date: newer versions of an application may fix known DLL side-loading weaknesses, for example by loading libraries by full path or restricting the DLL search directories.
- Enable application allow-listing: maintain a list of approved applications that may run on a system, for instance with AppLocker or Windows Defender Application Control (WDAC). Note that AppLocker's DLL rule collection is not enforced by default; without it, only executables are controlled and a side-loaded DLL is not blocked.
- Use digital signatures: digitally signing DLL files helps ensure they have not been tampered with and come from a trusted source. Windows does not verify a DLL's signature at load time on its own, however, so signatures only block malicious DLLs when a code-integrity policy (such as WDAC) or a per-process mitigation requires signed images.
- Implement strict file system permissions: DLL search-order hijacking only works when the attacker can write into a directory that is searched before the legitimate copy. Keep application directories read-only for standard users, and treat signed executables that have been copied into user-writable locations as suspicious.
- Use runtime protection: Microsoft's Enhanced Mitigation Experience Toolkit (EMET) reached end of support in 2018; its successor, Exploit Protection in Windows Defender Exploit Guard, provides image-load mitigations (such as blocking images from low-integrity or remote locations, or allowing only Microsoft-signed images) that can be applied per application to block suspicious DLL loads.
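The measures above are preventive; a practitioner also wants a way to find side-loading that has already happened. The following PowerShell script is an added example (not code from the original article) that lists DLLs loaded into running processes whose host executable is validly signed but whose module comes from outside the Windows or Program Files trees and is not validly signed itself. It assumes an elevated session, so that other users' processes are visible, and it is a triage list rather than a verdict: some legitimate applications installed under the user profile load unsigned modules.

```powershell
# Added example: hunt for loaded modules that match the side-loading pattern
# (signed host process, unsigned module from an untrusted directory).
# Run elevated. Not part of the original article.

$trustedRoots = @(
    [Environment]::GetFolderPath('Windows'),
    [Environment]::GetFolderPath('ProgramFiles'),
    ${env:ProgramFiles(x86)}
) | Where-Object { $_ }

function Test-UnderTrustedRoot([string]$Path) {
    foreach ($root in $trustedRoots) {
        if ($Path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

$sigCache = @{}
function Get-SignatureStatus([string]$Path) {
    # Cache results: the same DLL is usually loaded into many processes.
    if (-not $sigCache.ContainsKey($Path)) {
        $sigCache[$Path] = (Get-AuthenticodeSignature -FilePath $Path).Status
    }
    return $sigCache[$Path]
}

function Find-SideLoadedModules {
    foreach ($proc in Get-Process) {
        $exe = try { $proc.Path } catch { $null }
        if (-not $exe) { continue }                                  # protected or exited process
        if ((Get-SignatureStatus $exe) -ne 'Valid') { continue }     # only signed hosts are of interest here
        $modules = try { @($proc.Modules) } catch { @() }            # access denied for some processes
        foreach ($m in $modules) {
            $path = $m.FileName
            if (-not $path -or $path -ieq $exe) { continue }         # skip the main image itself
            if (Test-UnderTrustedRoot $path) { continue }
            $status = Get-SignatureStatus $path
            if ($status -ne 'Valid') {
                [pscustomobject]@{
                    Process   = $proc.ProcessName
                    PID       = $proc.Id
                    HostExe   = $exe
                    Module    = $path
                    Signature = $status
                }
            }
        }
    }
}

Find-SideLoadedModules | Sort-Object Process | Format-Table -AutoSize
```

A hit where a signed executable and an unsigned DLL sit together in a user-writable folder such as the user's profile is the combination worth investigating first; a signed application in Program Files loading its own unsigned plugin is far more likely to be benign.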
Concluding thoughts
People fall for lures like these out of curiosity, which is why vigilance matters both for individuals and for organizations. Against credential- and session-stealing malware of this kind, defense in depth is the right posture: combine the preventive controls above with security tooling such as next-generation anti-virus (NGAV), endpoint protection platforms (EPP), and endpoint detection and response (EDR, XDR, and MDR).