Unmasking the SYS01 Infostealer Threat: Bitdefender Labs Tracks Global Malvertising Campaign Targeting Meta Business Pages
Ionut Alexandru BALTARIU
Nicolae POSTOLACHI
Alina BÎZGĂ
October 30, 2024
In a world run by advertising, businesses and organizations are not the only ones using this powerful tool. Cybercriminals have a knack for exploiting the engine that powers online platforms, corrupting the vast reach of advertising to distribute malware en masse.
While legitimate businesses rely on ads to reach new audiences, hackers exploit these platforms to trick users into downloading harmful software. Malicious ads often seem to promote legitimate software, streaming services, or products, making it difficult for users to distinguish between safe and dangerous content.
Bitdefender Labs has been tracking malvertising for years, analyzing how cybercriminals use these tactics to target people across the globe. Our latest research focuses on a growing campaign leveraging Meta’s advertising platform to spread SYS01 InfoStealer malware.
This ongoing attack impersonates popular brands to distribute malware that steals personal data. The scale and sophistication of this malvertising campaign highlight how far cybercriminals have come in weaponizing ads for their own gain.
In this article, we’ll explore how the SYS01 campaign works, the cybercriminal model that fuels it, and how hackers use hijacked accounts to keep the operation running. We’ll also offer some crucial tips on how users can protect against it.
Key Findings:
- Ongoing Attack: The malvertising campaign that has been wreaking havoc on Meta platforms for at least a month is continuously evolving, with new ads appearing daily. The SYS01 InfoStealer malware has become a central weapon in this campaign, effectively targeting victims across multiple platforms.
- ElectronJs Delivery and Broadened Impersonation: Compared to previous malvertising campaigns, the SYS01 malware is now delivered through an ElectronJs application. To maximize reach, threat actors have begun impersonating a wide range of well-known software tools, increasing the likelihood of targeting a broader user base.
- Extensive Use of Malicious Domains: The malvertising campaign leverages nearly a hundred malicious domains, utilized not only for distributing the malware but also for live command and control (C2) operations, allowing threat actors to manage the attack in real time.
- Mass Brand Impersonation: The hackers behind the campaign use trusted brands to expand their reach. Bitdefender Labs researchers noticed hundreds of ads impersonating popular video editing software like CapCut, productivity tools like Office 365, video streaming services such as Netflix, and even video games, all used to entice users. The widespread impersonation increases the likelihood of drawing in a broad audience, making the campaign highly effective.
- Global Reach: The scope of this attack is global, with potential victims in the millions, spanning regions such as the EU, North America, Australia, and Asia – particularly males aged 45 and above. While Meta provides some data on ad impact within the EU, there is limited transparency on how these malicious ads are affecting users outside this region, especially in the US.
- Dynamic Evasion Tactics: Threat actors continuously evolve their strategies, adapting malicious payloads almost in real time to avoid detection. Once antivirus companies detect and block a version of the malware dropper, hackers enhance obfuscation methods and re-launch new ads with updated versions.
The malicious advertising campaign
While malware distributed through social media ads is not an innovation in the criminal cyberspace, a campaign that started in September stood out through the malicious samples that were distributed and because of the generic impersonation approach used by the cybercriminals. Bitdefender has previously analyzed infostealers that were distributed through ads that impersonated Artificial Intelligence software or that promised “provocative” content.
In the current campaign, the threat actors impersonate a multitude of software tools related to productivity, video or photo editing (CapCut, Canva, Adobe Photoshop), virtual private networks (Express VPN, VPN Plus), movie streaming services such as Netflix, instant messaging software such as Telegram, and even video games.
Some ads might end up running for weeks, targeting mainly senior men.
In terms of what video games were impersonated, we have observed two approaches. The first was promoting Super Mario Bros Wonder advertisements, directly offering malicious samples.
The second approach was reusing malicious domains that impersonated a generic video game download platform (listing well-known titles or recent hits like Black Myth: Wukong). The threat actors also changed the download mechanism, with newer samples that were similar to the ones obtained from previous ads.
Considering the multitude of impersonated entities, the number of distributed ads, which is in the thousands, and the reach of particular ads of tens of thousands of people, it would be safe to say that this malicious advertising infrastructure could reach millions of people. Even if most of the audience does not interact with the advertisements or does not download the malicious samples, such a large potential victim pool virtually guarantees success.
Distribution Tactics of the SYS01 Infostealer Malvertising Campaign
The ads typically point to a MediaFire link, or refer to one, that allows the direct download of malicious software. The samples are obtained in the form of a .zip archive which contains an Electron application. While the structure of the extracted archive might differ, depending on the sample, the infection method remains the same: the JavaScript code embedded in the Electron app will end up dropping and executing malicious software.
In many cases, the malware runs in the background while a decoy app—often mimicking the ad-promoted software—appears to function normally, making it difficult for the victim to realize they’ve been compromised.
Applications created using the Electron framework are bundled into ASAR archives (Atom Shell Archive Format). All extracted archives either contained an app.asar file or embedded the ASAR archive directly in the main executable. Besides the usual application icons, the ASAR archive contains plenty of suspicious files:
- Another archive that is password protected;
- A legitimate archiving/unarchiving executable (for example, 7za.exe - c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf, which is a standalone version of 7zip);
- A main.js file which contains obfuscated code;
- [Optional] PowerShell scripts used as intermediaries;
- A text file containing well-known GPU models.
Upon deobfuscating the JavaScript file, it becomes apparent that a PowerShell command is used to execute standalone 7zip, enabling the extraction of the password-protected archive.
The executed PowerShell script contains another execution command between some seemingly unrelated operations (used to avoid detection and/or further complicate analysis):
However, before doing this, the main.js script checks if it is executed in a sandbox by enumerating the GPUs of the host:
The response of the PowerShell command is then cross-checked with the GPU models contained in the packed text file. If the GPU model is not in the predefined list, nothing malicious ends up being executed.
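The packaging layout listed above (a password-protected inner archive, a bundled standalone 7-Zip, an obfuscated main.js, optional PowerShell intermediaries and a text file of GPU models) is itself a usable triage signal for defenders. The following script is an added example, not code from the article or from Bitdefender: it parses the ASAR container format (the 8-byte size pickle followed by the JSON header and raw file data, which is how the asar tool lays archives out), then checks each packed file for the indicators named in the text. The fixture it builds in memory is constructed for illustration; the only real value it carries is the 7za.exe SHA-256 quoted above, and the obfuscated-identifier heuristic (names like `_0x3ddef2`) and the "three independent indicators" threshold are my own assumptions.

```python
import hashlib
import json
import re
import struct

# SHA-256 of the standalone 7za.exe reported in the article.
KNOWN_7ZA_SHA256 = "c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf"
ARCHIVE_MAGIC = {b"7z\xbc\xaf\x27\x1c": "7z", b"PK\x03\x04": "zip", b"Rar!\x1a\x07": "rar"}
GPU_LINE = re.compile(rb"(?:NVIDIA|GeForce|Radeon|Intel\(R\) (?:UHD|HD|Iris))", re.I)
OBF_IDENT = re.compile(rb"_0x[0-9a-f]{4,}")   # javascript-obfuscator style names such as _0x3ddef2


def build_asar(files: dict[str, bytes]) -> bytes:
    """Build a flat ASAR archive in memory (constructed fixture; real samples come from disk)."""
    entries, blob = {}, b""
    for name, data in files.items():
        entries[name] = {"size": len(data), "offset": str(len(blob))}
        blob += data
    header = json.dumps({"files": entries}).encode()
    padded = header + b"\0" * (-len(header) % 4)
    # asar framing: [u32 4][u32 header pickle len][u32 payload len][u32 json len][json][pad][file data]
    header_pickle = struct.pack("<II", 4 + len(padded), len(header)) + padded
    return struct.pack("<II", 4, len(header_pickle)) + header_pickle + blob


def parse_asar(data: bytes) -> dict[str, bytes]:
    """Return {path: content} for every packed file; offsets are relative to the end of the header."""
    _, header_len = struct.unpack_from("<II", data, 0)
    _, json_len = struct.unpack_from("<II", data, 8)
    header = json.loads(data[16:16 + json_len])
    base = 8 + header_len
    out: dict[str, bytes] = {}

    def walk(node: dict, prefix: str) -> None:
        for name, meta in node["files"].items():
            path = prefix + name
            if "files" in meta:                 # directory entry
                walk(meta, path + "/")
            elif "offset" in meta:              # "unpacked" entries carry no offset; skip them
                start = base + int(meta["offset"])
                out[path] = data[start:start + meta["size"]]

    walk(header, "")
    return out


def triage_asar(data: bytes) -> dict[str, list[str]]:
    """Map each indicator named in the article to the archive paths that trigger it."""
    findings: dict[str, list[str]] = {}

    def hit(key: str, path: str) -> None:
        findings.setdefault(key, []).append(path)

    for path, content in parse_asar(data).items():
        lower = path.lower()
        if lower.endswith(".ps1"):
            hit("powershell_script", path)
        if lower.endswith(("7za.exe", "7z.exe")):
            hit("bundled_7zip", path)
            if hashlib.sha256(content).hexdigest() == KNOWN_7ZA_SHA256:
                hit("known_7za_hash", path)
        if any(content.startswith(magic) for magic in ARCHIVE_MAGIC):
            hit("embedded_archive", path)
        if lower.endswith(".js") and len(set(OBF_IDENT.findall(content))) >= 5:
            hit("obfuscated_js", path)
        if lower.endswith(".txt") and sum(1 for ln in content.splitlines() if GPU_LINE.search(ln)) >= 3:
            hit("gpu_allowlist", path)
    return findings


def verdict(findings: dict[str, list[str]]) -> str:
    """Three or more independent indicators together match the loader layout, not a normal Electron app."""
    return "suspicious" if len(findings) >= 3 else "clean"


# Constructed fixture mimicking the layout described above; nothing here is a real sample.
SAMPLE_ASAR = build_asar({
    "icon.ico": b"\x00\x00\x01\x00" + b"\x00" * 16,
    "main.js": b"var _0x3ddef2=_0x1a2b3c(),_0x4f5e6d=_0x7a8b9c[_0x2d3e4f];",
    "7za.exe": b"MZ" + b"\x00" * 30,                    # placeholder bytes, not the real binary
    "payload.7z": b"7z\xbc\xaf\x27\x1c" + b"\x00" * 26,
    "run.ps1": b"Start-Process -WindowStyle Hidden ...",
    "gpu.txt": b"NVIDIA GeForce RTX 3060\nAMD Radeon RX 6700\nIntel(R) UHD Graphics 630\n",
})
BENIGN_ASAR = build_asar({"package.json": b'{"name":"demo"}', "main.js": b"require('electron')"})

if __name__ == "__main__":
    for label, blob in (("sample", SAMPLE_ASAR), ("benign", BENIGN_ASAR)):
        found = triage_asar(blob)
        print(label, verdict(found), found)
```

On a real extracted sample you would read app.asar from disk and pass its bytes to `triage_asar`; the GPU allowlist file is the most distinctive of the five, because a legitimate Electron application has no reason to ship a list of graphics card names, and its presence explains why the sample stays inert inside analysis sandboxes whose virtual GPU is not on the list.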
Newer versions of the malicious main.js directly execute the unzipping process, skipping the intermediary PowerShell scripts (_0x3ddef2 leads to the 7zip executable):
[...]