Cybercriminals have been using Facebook business pages and
advertisements to promote fake Windows themes that infect unsuspecting users
with the SYS01 password-stealing malware. Researchers observed that the threat
actors also promote fake downloads for pirated games and software, Sora AI, 3D
image creator, and One Click Active. While using Facebook advertisements to
push information-stealing malware is not new, the social media platform's
massive reach makes these campaigns a significant threat.
The threat actors take out advertisements that promote
Windows themes, free game downloads, and software activation cracks for popular
applications, like Photoshop, Microsoft Office, and Windows. These
advertisements are promoted through newly created Facebook business pages or by
hijacking existing ones. When using hijacked Facebook pages, the threat actors
rename them to suit the theme of their advertisement and to promote the
downloads to the existing page members.
The threat actors assume the business identity by renaming
the Facebook pages, allowing them to leverage the existing follower base to
amplify the reach of their fraudulent advertisement significantly. Each of
these pages was administered by individuals situated in either Vietnam or the
Philippines at various points in time. The top campaigns were named blue-softs
(8,100 ads), xtaskbar-themes (4,300 ads), newtaskbar-themes (2,200 ads), and
awesome-themes-desktop (1,100 ads).
When a Facebook user clicks on the ad, they are brought to
webpages hosted on Google Sites or True Hosting that pretend to be download
pages for the advertisement's promoted content. The True Hosting pages are
primarily used to promote a website called Blue-Software, which offers
allegedly free software and game downloads.
Clicking on the 'Download' buttons causes the browser to download a ZIP archive named after the particular item. For example, downloading the fake Windows themes delivers an archive named 'Awesome_Themes_for_Win_10_11.zip', and the fake Photoshop download is named 'Adobe_Photoshop_2023.zip'.
While downloaders may think they are now getting a free
application, game, or Windows theme, the archive actually contains the SYS01
information-stealing malware. This malware was first discovered in 2022 and
utilizes a collection of executables, DLLs, PowerShell scripts, and PHP scripts
to steal data from an infected computer. When the archive's main executable is
loaded, it uses DLL sideloading to load a malicious DLL that begins setting up
the malware's operating environment.
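The archive layout described above (a loader executable with a DLL dropped beside it inside a download that should contain only cosmetic files) is something a defender can check for before anyone double-clicks the download. The following Python script is an added example, not code from the original article or from the researchers who analysed SYS01; it builds a constructed ZIP in memory (only the archive name 'Awesome_Themes_for_Win_10_11.zip' comes from the article, the member names and contents are made up), flags executable members by extension and by PE header, and reports the EXE-plus-DLL layout that DLL sideloading needs.

```python
import io
import posixpath
import zipfile
from typing import Dict, List, NamedTuple, Tuple

# Nothing in this set belongs inside a theme, game or activator download.
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr", ".ps1", ".bat", ".cmd", ".vbs", ".php"}

VERDICT_CLEAN = "no executable content"
VERDICT_EXEC = "suspicious: executable content in a theme download"
VERDICT_SIDELOAD = "suspicious: EXE with side-by-side DLL (DLL sideloading pattern)"


class TriageResult(NamedTuple):
    executables: List[str]                 # archive members that are executable
    sideload_pairs: List[Tuple[str, str]]  # (exe, dll) sitting in the same folder
    verdict: str


def _has_pe_header(zf: zipfile.ZipFile, name: str) -> bool:
    """True if the member starts with the 'MZ' magic of a Windows PE file."""
    with zf.open(name) as fh:
        return fh.read(2) == b"MZ"


def triage_theme_archive(data: bytes) -> TriageResult:
    """Inspect an in-memory ZIP and report executable content and sideloading layouts."""
    executables: List[str] = []
    by_dir: Dict[str, List[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.endswith("/"):  # directory entry, nothing to read
                continue
            directory, base = posixpath.split(name)
            ext = posixpath.splitext(base)[1].lower()
            # Flag by extension and by content: a PE header under a cosmetic
            # extension is a disguised executable and counts as well.
            if ext in EXECUTABLE_EXTENSIONS or _has_pe_header(zf, name):
                executables.append(name)
            by_dir.setdefault(directory, []).append(base)

    # DLL sideloading needs an EXE and a DLL dropped next to it, so look for
    # that layout folder by folder.
    pairs: List[Tuple[str, str]] = []
    for directory, files in by_dir.items():
        exes = [f for f in files if f.lower().endswith(".exe")]
        dlls = [f for f in files if f.lower().endswith(".dll")]
        pairs.extend(
            (posixpath.join(directory, e), posixpath.join(directory, d))
            for e in exes for d in dlls
        )

    if pairs:
        verdict = VERDICT_SIDELOAD
    elif executables:
        verdict = VERDICT_EXEC
    else:
        verdict = VERDICT_CLEAN
    return TriageResult(executables, pairs, verdict)


def build_sample_archive() -> bytes:
    """Constructed stand-in for the 'Awesome_Themes_for_Win_10_11.zip' download.
    Member names and contents are made up for this example; only the archive
    name comes from the campaign description."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        top = "Awesome_Themes_for_Win_10_11"
        zf.writestr(f"{top}/README.txt", "Run the installer to apply the themes.")
        zf.writestr(f"{top}/preview.png", b"\x89PNG\r\n\x1a\n")
        zf.writestr(f"{top}/ThemeInstaller.exe", b"MZ" + b"\x00" * 62)  # loader EXE
        zf.writestr(f"{top}/version.dll", b"MZ" + b"\x00" * 62)         # DLL beside it
        zf.writestr(f"{top}/Dark.theme", b"MZ" + b"\x00" * 62)          # PE disguised as a theme
    return buf.getvalue()


def build_benign_archive() -> bytes:
    """Constructed archive containing only cosmetic theme files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Themes/Dark.theme", "[Theme]\nDisplayName=Dark\n")
        zf.writestr("Themes/wallpaper.jpg", b"\xff\xd8\xff\xe0")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("sample", build_sample_archive()), ("benign", build_benign_archive())):
        result = triage_theme_archive(blob)
        print(f"{label}: {result.verdict}; executables={result.executables}; pairs={result.sideload_pairs}")
```

The content check matters more than the extension check: renaming a PE to '.theme' defeats an extension filter but not the 'MZ' test, and the folder-level EXE/DLL pairing is what distinguishes a sideloading bundle from a download that merely ships one installer.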
This includes running PowerShell scripts that check whether the malware is executing in a virtualized environment and abort if so, to evade analysis, adding folder exclusions in Windows Defender, and configuring a PHP runtime to load malicious PHP scripts. The SYS01 information-stealing malware's primary payload consists of PHP scripts that create scheduled tasks for persistence and steal data from the device. The stolen data includes browser cookies, credentials saved in the browser, browser history, and cryptocurrency wallets.
The malware also includes a task that utilizes Facebook
cookies found on the device to steal account information from the social media
site, including personal profile information, detailed advertising account
data, and Facebook pages managed by the user. The stolen data is temporarily
stored in the %Temp% folder before being sent to the attackers. The stolen
cookies and passwords can later be sold to other threat actors or used to
breach further accounts owned by the victim, while the Facebook data is likely
used to hijack further accounts for future malvertising campaigns.
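The two preceding passages describe a chain of host behaviours (a virtual-machine check, a Windows Defender exclusion, a PHP runtime started from a user-writable folder, a scheduled task that runs it, a non-browser process reading a browser cookie database, and results staged in %Temp%) that endpoint telemetry can surface even before the stolen data leaves the machine. The Python script below is an added example written from the defender's side, not code from the article or from the SYS01 analysis; the log lines, host paths, user name 'victim' and the simplified "<timestamp> <source> <fields>" format are all constructed for the example, and the rules are illustrative patterns rather than a vendor's signatures.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed telemetry in a simplified "<timestamp> <source> <fields>" form.
# Sources mimic PowerShell script-block logging, process creation and file
# access events; the host, user name, paths and file names are made up.
SAMPLE_LOG = r"""
2024-06-01T10:00:01Z process image=C:\Users\victim\Downloads\Awesome_Themes_for_Win_10_11\ThemeInstaller.exe parent=explorer.exe cmd="ThemeInstaller.exe"
2024-06-01T10:00:03Z powershell scriptblock="if ((Get-WmiObject Win32_ComputerSystem).Model -match 'VMware|VirtualBox') { exit }"
2024-06-01T10:00:04Z powershell scriptblock="Add-MpPreference -ExclusionPath C:\Users\victim\AppData\Local\Temp\sys"
2024-06-01T10:00:05Z process image=C:\Users\victim\AppData\Local\Temp\sys\php.exe parent=ThemeInstaller.exe cmd="php.exe index.php"
2024-06-01T10:00:06Z process image=C:\Windows\System32\schtasks.exe parent=php.exe cmd="schtasks /create /sc minute /mo 5 /tn Updater /tr C:\Users\victim\AppData\Local\Temp\sys\php.exe"
2024-06-01T10:00:07Z file op=read proc=C:\Users\victim\AppData\Local\Temp\sys\php.exe path=C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
2024-06-01T10:00:08Z file op=write proc=C:\Users\victim\AppData\Local\Temp\sys\php.exe path=C:\Users\victim\AppData\Local\Temp\fb_data.json
2024-06-01T10:01:00Z file op=read proc=C:\Program Files\Google\Chrome\Application\chrome.exe path=C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
2024-06-01T10:02:00Z process image=C:\Program Files\php\php.exe parent=cmd.exe cmd="php.exe -v"
"""

# Processes that legitimately read their own cookie store.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}

# (rule name, event source the rule applies to, pattern over the fields)
RULES = [
    ("vm-environment-check", "powershell",
     re.compile(r"Win32_ComputerSystem|VMware|VirtualBox|QEMU|Hyper-V", re.I)),
    ("defender-exclusion-added", "powershell",
     re.compile(r"Add-MpPreference\b.*-ExclusionPath", re.I)),
    ("scheduled-task-runs-php", "process",
     re.compile(r"schtasks(\.exe)?\s+/create\b.*php", re.I)),
    ("php-runtime-outside-program-files", "process",
     re.compile(r"image=(?!C:\\Program Files)\S*\\php\.exe", re.I)),
    ("browser-cookie-db-read-by-non-browser", "file",
     re.compile(r"op=read\b.*\\(Cookies|cookies\.sqlite)\b", re.I)),
    ("staging-in-temp", "file",
     re.compile(r"op=write\b.*\\AppData\\Local\\Temp\\", re.I)),
]

PROC_FIELD = re.compile(r"proc=(.*?)\s+path=")


@dataclass
class Alert:
    rule: str
    line_no: int
    evidence: str


def scan(lines: List[str]) -> List[Alert]:
    """Run every rule over every line; one Alert per (rule, line) hit."""
    alerts: List[Alert] = []
    for no, line in enumerate(lines, 1):
        try:
            _ts, source, message = line.split(" ", 2)
        except ValueError:
            continue  # malformed line, skip
        proc = PROC_FIELD.search(message)
        proc_name = proc.group(1).rsplit("\\", 1)[-1].lower() if proc else ""
        for rule, rule_source, pattern in RULES:
            if rule_source != source or not pattern.search(message):
                continue
            # A browser reading its own cookie database is normal; only
            # another process touching it is worth an alert.
            if rule == "browser-cookie-db-read-by-non-browser" and proc_name in BROWSERS:
                continue
            alerts.append(Alert(rule, no, message))
    return alerts


def assess(alerts: List[Alert]) -> str:
    """Several distinct stages of the chain on one host is what makes this high confidence."""
    distinct = {a.rule for a in alerts}
    if len(distinct) >= 3:
        return "high"
    return "medium" if distinct else "none"


def scan_sample() -> List[Alert]:
    return scan(SAMPLE_LOG.strip().splitlines())


if __name__ == "__main__":
    found = scan_sample()
    for a in found:
        print(f"line {a.line_no}: {a.rule}")
    print("severity:", assess(found))
```

Any single rule here is noisy on its own (administrators add Defender exclusions, developers run php.exe from odd places), which is why the example scores on how many distinct stages of the described chain show up together rather than on one hit; the two benign lines at the end of the sample (Chrome reading its own cookies, a PHP installation under Program Files) show the exclusions that keep the rules from firing on ordinary activity.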
This malvertising is not confined to Facebook; similar profiles have been set up on LinkedIn and YouTube. The ongoing SYS01 malvertising campaign therefore poses a threat to a wider audience and shows how important it is to know what users are doing on social media. Since it was first observed in 2022, the SYS01 malware has shifted its delivery method, moving away from adult-themed clickbait and game-related ads to an approach that targets a general audience with advertisements for Windows themes and AI-based software tools.
It's essential to stay vigilant when browsing social media platforms and to avoid clicking on suspicious ads.