Malicious Windows Themes Ads on Facebook Spread Info-Stealing Malware

Cybercriminals have been using Facebook business pages and advertisements to promote fake Windows themes that infect unsuspecting users with the SYS01 password-stealing malware. Researchers observed that the threat actors also promote fake downloads for pirated games and software, Sora AI, 3D image creator, and One Click Active. While using Facebook advertisements to push information-stealing malware is not new, the social media platform's massive reach makes these campaigns a significant threat.

The threat actors take out advertisements that promote Windows themes, free game downloads, and software activation cracks for popular applications, like Photoshop, Microsoft Office, and Windows. These advertisements are promoted through newly created Facebook business pages or by hijacking existing ones. When using hijacked Facebook pages, the threat actors rename them to suit the theme of their advertisement and to promote the downloads to the existing page members.

The threat actors assume the business identity by renaming the Facebook pages, allowing them to leverage the existing follower base to amplify the reach of their fraudulent advertisement significantly. Each of these pages was administered by individuals situated in either Vietnam or the Philippines at various points in time. The top campaigns were named blue-softs (8,100 ads), xtaskbar-themes (4,300 ads), newtaskbar-themes (2,200 ads), and awesome-themes-desktop (1,100 ads).

When a Facebook user clicks on the ad, they are brought to webpages hosted on Google Sites or True Hosting that pretend to be download pages for the advertisement's promoted content. The True Hosting pages are primarily used to promote a website called Blue-Software, which offers allegedly free software and game downloads.

Clicking on the 'Download' buttons will cause the browser to download a ZIP archive named after the particular item. For example, downloading the fake Windows themes would deliver an archive named 'Awesome_Themes_for_Win_10_11.zip', and Photoshop would be 'Adobe_Photoshop_2023.zip.'

While downloaders may think they are now getting a free application, game, or Windows theme, the archive actually contains the SYS01 information-stealing malware. This malware was first discovered in 2022 and utilizes a collection of executables, DLLs, PowerShell scripts, and PHP scripts to steal data from an infected computer. When the archive's main executable is loaded, it uses DLL sideloading to load a malicious DLL that begins setting up the malware's operating environment.
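To show what the archive layout described above looks like from a defender's side, here is an added example (not code from the article or from any vendor it cites) that statically triages a ZIP for the pattern: an EXE with a DLL beside it, a bundled PHP interpreter, and PowerShell and PHP scripts inside something sold as a Windows theme. Both archives it inspects are constructed in memory, and every file name is made up for the example, not an indicator from the campaign.

```python
"""Static triage of a downloaded archive against the loader layout described above.

Added example, not code from the article or from any vendor it cites. It builds a
constructed ZIP in memory that mimics the described layout (a main EXE with a DLL
beside it, a bundled PHP interpreter, PowerShell and PHP scripts) next to a
constructed benign theme pack, and reports why the first one does not look like
a Windows theme. Every file name below is made up for the example, not an IoC.
"""
import io
import zipfile
from collections import Counter

# Extensions whose presence in a "theme" download is suspicious on its own.
EXECUTABLE_EXT = {".exe", ".dll", ".ps1", ".php", ".bat", ".cmd", ".vbs"}


def _ext(name: str) -> str:
    base = name.rpartition("/")[2]
    dot = base.rfind(".")
    return base[dot:].lower() if dot != -1 else ""


def triage_archive(data: bytes) -> dict:
    """Return extension counts plus a list of findings for a ZIP given as bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [i.filename for i in zf.infolist() if not i.is_dir()]
    exts = Counter(_ext(n) for n in names)
    findings = []

    # 1. Any executable or script content in something sold as a theme pack.
    exec_files = [n for n in names if _ext(n) in EXECUTABLE_EXT]
    if exec_files:
        findings.append(f"{len(exec_files)} executable/script file(s) in a 'theme' archive")

    # 2. Side-loading layout: an EXE with one or more DLLs in the same directory,
    #    which is how the article says the main executable picks up its malicious DLL.
    by_dir: dict = {}
    for n in names:
        d, _, base = n.rpartition("/")
        by_dir.setdefault(d, []).append(base)
    for d, files in by_dir.items():
        dlls = [f for f in files if _ext(f) == ".dll"]
        if dlls and any(_ext(f) == ".exe" for f in files):
            findings.append(f"EXE with {len(dlls)} DLL(s) beside it in '{d or '.'}' (side-loading layout)")

    # 3. A bundled PHP interpreter or PHP scripts: the payload stage runs as PHP.
    if any(n.lower().endswith("php.exe") or _ext(n) == ".php" for n in names):
        findings.append("bundled PHP interpreter and/or PHP scripts")

    # 4. PowerShell scripts (the article describes VM checks and Defender exclusions).
    if exts[".ps1"]:
        findings.append(f"{exts['.ps1']} PowerShell script(s)")

    return {"files": len(names), "extensions": dict(exts),
            "findings": findings, "suspicious": bool(findings)}


def build_constructed_zip(entries: dict) -> bytes:
    """Build an in-memory ZIP from {path: bytes}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed benign theme pack: only theme metadata and wallpapers.
BENIGN_THEME = {
    "Aurora/Aurora.theme": b"[Theme]\r\nDisplayName=Aurora\r\n",
    "Aurora/wallpaper1.jpg": b"\xff\xd8\xff",
    "Aurora/wallpaper2.png": b"\x89PNG",
    "Aurora/readme.txt": b"Right-click the .theme file and apply.",
}

# Constructed archive mimicking the layout the article describes (names made up).
SUSPICIOUS_THEME = {
    "Awesome_Themes/Themes_Setup.exe": b"MZ",
    "Awesome_Themes/helper.dll": b"MZ",
    "Awesome_Themes/preview.jpg": b"\xff\xd8\xff",
    "Awesome_Themes/include/init.ps1": b"# constructed placeholder",
    "Awesome_Themes/include/php.exe": b"MZ",
    "Awesome_Themes/include/main.php": b"<?php // constructed placeholder",
}

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_THEME), ("suspicious", SUSPICIOUS_THEME)):
        print(label, triage_archive(build_constructed_zip(sample)))
```

The checks deliberately look at shape rather than hashes: a renamed or repacked build keeps the same EXE-plus-DLL and bundled-interpreter layout even when every hash changes, which makes this kind of triage useful at a download gateway or mail filter before any sample is detonated.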

This includes running PowerShell scripts that check whether the malware is executing in a virtualized environment and abort if so, to evade sandbox analysis; adding folder exclusions in Windows Defender; and configuring a PHP runtime environment to load malicious PHP scripts. The SYS01 information-stealing malware's primary payload consists of PHP scripts that create scheduled tasks for persistence and steal data from the device. The stolen data includes browser cookies, credentials saved in the browser, browser history, and cryptocurrency wallets.

The malware also includes a task that utilizes Facebook cookies found on the device to steal account information from the social media site, including personal profile information, detailed advertising account data, and Facebook pages managed by the user. The stolen data is temporarily stored in the %Temp% folder before being sent to the attackers. The stolen cookies and passwords can later be sold to other threat actors or used to breach further accounts owned by the victim, while the Facebook data is likely used to hijack further accounts for future malvertising campaigns.
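The setup chain described in the two paragraphs above (a Defender path exclusion, a scheduled task that runs the bundled PHP interpreter, and php.exe executing from a user-writable directory) leaves traces in ordinary Windows telemetry. The following added example, which is not code from the article or any vendor, scores hosts by running three rules over constructed event records modelled on Defender Operational event 5007, Security event 4698 and process creation. Host names, paths and message text are constructed for the example; real events carry more fields and differ slightly in wording, so the parsing would need adjusting for a production pipeline.

```python
"""Host-side hunting for the setup chain the article attributes to SYS01.

Added example, not code from the article or any vendor. It runs three rules over
constructed, simplified event records modelled on real Windows telemetry sources:
Defender configuration changes (Operational log event 5007), scheduled-task
creation (Security event 4698) and process creation. Field names, host names and
paths are constructed for the example; real events carry more fields and
slightly different message text, so the parsing would need adjusting.
"""
import re

# Directories an ordinary user can write to; binaries and exclusions here deserve
# more suspicion than ones under Program Files or Windows.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public|Downloads)\\", re.IGNORECASE)
FLAG_THRESHOLD = 5


def rule_defender_exclusion(ev: dict):
    """Defender 5007 announcing a new Exclusions\\Paths value. Admins add these too,
    so the weight depends on whether the excluded path is user-writable."""
    if ev.get("source") == "Defender" and ev.get("event_id") == 5007:
        m = re.search(r"Exclusions\\Paths\\(.+?) = ", ev.get("message", ""))
        if m:
            path = m.group(1)
            return ("defender_exclusion", path, 3 if USER_WRITABLE.search(path) else 1)
    return None


def rule_task_action(ev: dict):
    """Security 4698: a new scheduled task whose action runs php.exe (the article's
    persistence mechanism) or any binary from a user-writable directory."""
    if ev.get("source") == "Security" and ev.get("event_id") == 4698:
        cmd = ev.get("task_command", "")
        if "php.exe" in cmd.lower():
            return ("task_runs_php", cmd, 4)
        if USER_WRITABLE.search(cmd):
            return ("task_runs_user_writable_binary", cmd, 2)
    return None


def rule_process_php(ev: dict):
    """Process creation of php.exe outside a normal install location: a PHP
    interpreter living in AppData or Temp is how the payload stage executes."""
    if ev.get("source") == "Process":
        image = ev.get("image", "")
        if image.lower().endswith("\\php.exe") and USER_WRITABLE.search(image):
            return ("php_from_user_writable_path", image, 3)
    return None


RULES = (rule_defender_exclusion, rule_task_action, rule_process_php)


def hunt(events: list) -> dict:
    """Score each host by summing rule weights; flag hosts at or over FLAG_THRESHOLD."""
    hosts: dict = {}
    for ev in events:
        entry = hosts.setdefault(ev["host"], {"score": 0, "hits": []})
        for rule in RULES:
            hit = rule(ev)
            if hit:
                name, detail, weight = hit
                entry["score"] += weight
                entry["hits"].append((name, detail))
    for entry in hosts.values():
        entry["flagged"] = entry["score"] >= FLAG_THRESHOLD
    return hosts


# Constructed sample telemetry. WS-01 shows the full chain; WS-02 shows an admin
# adding an exclusion for a backup agent, which alone should not be flagged.
SAMPLE_EVENTS = [
    {"host": "WS-01", "source": "Defender", "event_id": 5007,
     "message": r"Windows Defender Antivirus Configuration has changed. New value: "
                r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\alice\AppData\Local\WinThemes = 0x0"},
    {"host": "WS-01", "source": "Security", "event_id": 4698, "task_name": r"\WinThemesUpdate",
     "task_command": r"C:\Users\alice\AppData\Local\WinThemes\include\php.exe "
                     r"C:\Users\alice\AppData\Local\WinThemes\include\main.php"},
    {"host": "WS-01", "source": "Process",
     "image": r"C:\Users\alice\AppData\Local\WinThemes\include\php.exe"},
    {"host": "WS-02", "source": "Defender", "event_id": 5007,
     "message": r"Windows Defender Antivirus Configuration has changed. New value: "
                r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files\Backup Agent = 0x0"},
    {"host": "WS-02", "source": "Process", "image": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for host, result in hunt(SAMPLE_EVENTS).items():
        print(host, result)
```

Weighting rather than alerting on any single rule matters here: Defender exclusions and new scheduled tasks are routine on managed fleets, but an exclusion for a path under AppData followed by a task that launches a PHP interpreter from that same path is the combination the article describes, and scoring per host surfaces that combination while leaving the backup-agent exclusion on WS-02 below the threshold.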

This malvertising is not confined to Facebook: similar profiles have been set up on LinkedIn and YouTube. The ongoing SYS01 malvertising campaign poses a threat to a wider audience and shows the importance of awareness of how users interact with social media. Since it was first observed in 2022, the SYS01 malware has shifted its delivery method, moving away from adult-themed clickbait and game-related ads to an approach that targets the general audience with advertisements for Windows themes and AI-based software tools.

It's essential to stay vigilant when browsing social media platforms and to avoid clicking on suspicious ads.