In a recent revelation, cybersecurity experts have identified a pernicious advertising campaign that exploits Meta’s platform, utilizing compromised Facebook accounts to proliferate SYS01stealer malware.
“The architects of this campaign cleverly manipulate the trust established by reputable brands to maximize their reach,” disclosed Bitdefender Labs in an assessment shared with The Hacker News.
Leveraging nearly one hundred insidious domains, this campaign serves as a conduit for both malware distribution and live command-and-control (C2) interactions, empowering cybercriminals to micromanage the attack as it unfolds.
First exposed by Morphisec in early 2023, SYS01stealer specifically targets Facebook business accounts. The attackers employ Google ads and fictitious Facebook profiles that endorse games, adult material, and pirated software, aiming to acquire login credentials, browsing history, and cookies. Particularly troubling is its focus on extracting data from Facebook business and advertising accounts, data subsequently weaponized to sustain and intensify the malware’s reach through counterfeit ads.
According to Bitdefender, commandeered Facebook accounts serve as the campaign’s backbone, allowing each compromised account to fuel further malicious advertising without necessitating new accounts—a tactic that amplifies the operation’s scope exponentially.
The malware propagates primarily through misleading ads across platforms such as Facebook, YouTube, and LinkedIn, hawking Windows themes, games, AI utilities, photo editors, VPNs, and streaming services. A substantial number of these ads target men over 45, luring victims, under the pretense of trusted brands, into clicking ads that ultimately lead to theft of their browser data.
Trustwave’s analysis from July 2024 notes the alarming potential of this strategy: victims who interact with these ads may unwittingly surrender control of their Facebook accounts, allowing cybercriminals to perpetuate a cycle of deceptive advertising and data theft.
Unsuspecting users redirected by these ads often encounter imitation sites hosted on Google Sites or True Hosting, designed to mimic reputable brands and applications, effectively initiating the infection. At the initial stage, these sites distribute a ZIP file containing a harmless executable, which then sideloads a malicious DLL, setting off a chain of actions.
This chain includes executing PowerShell commands to evade sandbox analysis, adjusting Microsoft Defender Antivirus settings to avoid detection, and establishing a suitable environment for deploying the PHP-based stealer.
Recent iterations of the malware, observed by a Romanian cybersecurity firm, employ an Electron application within ZIP files, underscoring the attackers’ adaptability. This version utilizes an Atom Shell Archive (ASAR) to conceal a JavaScript file (“main.js”) which executes PowerShell commands to scrutinize the environment and activate the stealer. Persistence on the host machine is achieved via scheduled tasks.
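The delivery pattern described above (a ZIP containing a benign executable next to a DLL it will sideload, or an Electron app packed as an ASAR whose main.js drives the PowerShell stage) lends itself to a simple static triage of archives before they reach a user. The following Python script is an added example for this article, not tooling from Bitdefender or Morphisec; it builds constructed sample ZIPs in memory and flags the two structural indicators without executing anything. Member names such as setup.exe, version.dll and app.asar are made-up placeholders, and the ASAR check is a byte search for the string "main.js" rather than a full ASAR parser.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Triage heuristics for an archive, derived from the infection chain in the article:
#  - sideload-candidate: an .exe and a .dll in the same directory of the ZIP
#    (a benign launcher beside a DLL it would load by name)
#  - electron-asar: an .asar member, with a note if its bytes mention "main.js"
# Findings are indicators for an analyst to look at, not a verdict.

def triage_zip(data: bytes) -> list[str]:
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
        # Group file names by directory so the exe/dll pairing is per-folder.
        by_dir: dict[str, list[str]] = {}
        for n in names:
            p = PurePosixPath(n)
            by_dir.setdefault(str(p.parent), []).append(p.name.lower())
        for d, files in sorted(by_dir.items()):
            exes = sorted(f for f in files if f.endswith(".exe"))
            dlls = sorted(f for f in files if f.endswith(".dll"))
            if exes and dlls:
                findings.append(f"sideload-candidate: {d}: {exes} with {dlls}")
        for n in names:
            if n.lower().endswith(".asar"):
                has_main = b"main.js" in zf.read(n)
                suffix = " (references main.js)" if has_main else ""
                findings.append(f"electron-asar: {n}{suffix}")
    return findings


def build_sample_zip(members: dict[str, bytes]) -> bytes:
    """Construct an in-memory ZIP from a {member_name: content} mapping (test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples; contents are placeholder bytes, not real binaries.
SAMPLE_SIDELOAD = build_sample_zip({
    "Theme Installer/setup.exe": b"MZ placeholder launcher",
    "Theme Installer/version.dll": b"MZ placeholder library",
    "Theme Installer/readme.txt": b"constructed sample",
})
SAMPLE_ELECTRON = build_sample_zip({
    "AI Tool/resources/app.asar": b'\x04\x00\x00\x00{"files":{"main.js":{"size":1}}}',
    "AI Tool/AI Tool.exe": b"MZ placeholder electron host",
})
SAMPLE_CLEAN = build_sample_zip({
    "wallpapers/desert.jpg": b"\xff\xd8 placeholder jpeg",
    "wallpapers/license.txt": b"constructed sample",
})

if __name__ == "__main__":
    for label, sample in [("sideload", SAMPLE_SIDELOAD),
                          ("electron", SAMPLE_ELECTRON),
                          ("clean", SAMPLE_CLEAN)]:
        print(label, triage_zip(sample) or ["no indicators"])
```

In a mail or web gateway this kind of check is a cheap pre-filter: a "Windows theme" or "photo editor" download that contains an executable-plus-DLL pair or an Electron bundle is worth detonating in a sandbox before delivery, and the archive name versus its contents is itself a useful signal.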
Bitdefender warns of the evolving threat posed by the perpetrators behind SYS01stealer: “The adaptable nature of these cybercriminals renders the SYS01 campaign particularly insidious, as it employs sandbox evasion to thwart detection, ensuring it remains concealed from scrutiny.”
As cybersecurity firms counter the malware by identifying and blocking loader versions, hackers respond nimbly, revising code and launching fresh ads embedded with new variants designed to circumvent the latest defenses.
Eventbrite Phishing Campaigns
Simultaneously, Perception Point has flagged a spate of phishing operations exploiting Eventbrite, utilizing the event and ticketing platform as a springboard for financial and personal data theft.
These campaigns leverage emails, urging recipients to address an outstanding payment or confirm a delivery address by following an embedded link. This link then requests users’ login credentials and credit card information.
Perpetrators establish legitimate Eventbrite accounts and fabricate events under the guise of trusted brands, embedding phishing links within event descriptions or attachments, which are then dispatched to unsuspecting recipients.
“Because the emails originate from Eventbrite’s verified domain, they evade spam filters and appear more authentic, increasing the likelihood recipients will click through to the malicious link,” notes Perception Point. This misuse of Eventbrite’s infrastructure allows attackers to bypass conventional defenses, achieving impressive delivery and engagement rates.
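Because the sender domain in these messages is genuinely the platform's, a filter keyed on sender reputation alone will pass them; what stands out is that the call-to-action link leaves the platform. The following Python script is an added example for this article, not Perception Point's detection logic; it parses a constructed email, extracts the URLs in its body, and reports those whose host is neither the sender's domain nor a subdomain of it, alongside the payment and delivery-address lures the article mentions. The sample messages, their addresses and the invoice-check.example host are all made up for the example.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

URL_RE = re.compile(r'https?://[^\s<>"\']+')
# Lure phrases named in the article; matched case-insensitively in the body.
LURE_PHRASES = ("outstanding payment", "confirm your delivery address")


def sender_domain(msg) -> str:
    """Domain part of the From header, lowercased; empty string if absent."""
    m = re.search(r"@([\w.-]+)", msg["From"] or "")
    return m.group(1).lower() if m else ""


def is_platform_host(host: str, sender: str) -> bool:
    """True if host is the sender domain itself or one of its subdomains."""
    return bool(sender) and (host == sender or host.endswith("." + sender))


def analyze(raw: bytes) -> dict:
    """Return sender domain, off-platform links and lure phrases found in an email."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = sender_domain(msg)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    off_platform = []
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if not is_platform_host(host, sender):
            off_platform.append(url)
    lures = [p for p in LURE_PHRASES if p in text.lower()]
    return {"sender": sender, "off_platform": off_platform, "lures": lures}


def off_platform_links(raw: bytes) -> list[str]:
    return analyze(raw)["off_platform"]


# Constructed samples. The platform sender domain is the one the article names;
# the recipient, order text and invoice-check.example host are invented.
SAMPLE_PHISH = b"""From: Events Team <noreply@eventbrite.com>
To: recipient@example.org
Subject: Action required on your order
Content-Type: text/plain; charset=utf-8

There is an outstanding payment on your order. Review it here:
https://invoice-check.example/pay?ref=123
Manage your tickets: https://www.eventbrite.com/mytickets
"""

SAMPLE_BENIGN = b"""From: Events Team <noreply@eventbrite.com>
To: recipient@example.org
Subject: Your ticket confirmation
Content-Type: text/plain; charset=utf-8

Thanks for registering. Your tickets: https://www.eventbrite.com/mytickets
"""

if __name__ == "__main__":
    for label, sample in [("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)]:
        print(label, analyze(sample))
```

The combination matters more than either signal alone: platform mail routinely carries links back to the platform, and "outstanding payment" appears in legitimate invoices, but a platform-originated notification that sends the reader to an unrelated host to enter card details is the shape of abuse the article describes.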
A New Wave of Cryptocurrency Fraud
Lastly, cybersecurity observers have highlighted an uptick in crypto fraud schemes masquerading as job offers that ostensibly allow individuals to earn remotely. Scammers target users through social media, SMS, and messaging apps like WhatsApp and Telegram, claiming association with notable brands like Spotify, TikTok, and Temu.
Once users express interest, they are directed to a dubious website to register using a referral code. They’re subsequently instructed to complete tasks—such as leaving fabricated reviews, placing orders, streaming specific songs on Spotify, or reserving hotel rooms.
These scams unravel when the users’ purported earnings plummet into the negative, compelling them to “top up” their accounts with their cryptocurrency under the guise of earning further bonuses.
“The scam endures as long as the perpetrators believe the victim will continue investing,” explain researchers at Proofpoint. If the scammers detect skepticism, they sever all contact and lock the victim’s account.
These schemes, attributed with high confidence to cybercriminals specializing in romance-based crypto fraud, underscore the vast reach and profitability of brand manipulation in cybercrime.