A new information stealer, known as SYS01 stealer, has been identified by cybersecurity researchers at Morphisec. The malware has been used in attacks on critical government infrastructure employees, manufacturing companies, and other sectors since November 2022.
The attack is initiated by luring victims to download a ZIP file from fake Facebook profiles and advertisements, with the malware disguised as a cracked software or game. Once the ZIP file is opened, a loader is executed, which is vulnerable to DLL side-loading, a technique used to load a malicious DLL when the legitimate app is invoked.
The experts found similarities between the SYS01 stealer and S1deload, another info stealing malware discovered by Bitdefender researchers. The campaign was first uncovered in May 2022 and was linked to the Ducktail operation by Zscaler.
The end goal of the malware is to hijack Facebook Business accounts managed by the victims, by stealing sensitive information such as login data, cookies, and Facebook ad and business account information.
SYS01stealer malware is PHP-based and can steal browser cookies and authenticated Facebook sessions to gain information from the victim’s Facebook account. The malware is also able to upload files from the infected system to the C2 server and execute commands sent by the C&C. The malicious code also supports an update mechanism.
The malware scans the machine for popular browsers such as Google Chrome, Microsoft Edge, Brave Browser, and Firefox, and extracts all stored cookies, including Facebook session cookies.
To prevent the SYS01 stealer, Morphisec recommends implementing a zero-trust policy and limiting users’ rights to download and install programs. It is also important to train users about the tricks adversaries use so they know how to spot them.
Morphisec provides indicators of compromise (IoCs) to help organizations detect and respond to the malware.
