In a concerning development, cybercriminals are leveraging Facebook business pages and advertisements to disseminate fake Windows themes that infect users with the SYS01 password-stealing malware. Trustwave researchers have identified these campaigns, which also promote fraudulent downloads of pirated games, software, Sora AI, a 3D image creator, and One Click Active.
The Reach and Threat of Facebook Ads
Although using Facebook ads to spread malware is not a novel tactic, the extensive reach of the social media platform amplifies the threat of these campaigns significantly. Cybercriminals either create new Facebook business pages or hijack existing ones to run ads promoting Windows themes, free game downloads, and software activation cracks for popular applications such as Photoshop, Microsoft Office, and Windows.
Hijacking and Repurposing Facebook Pages
By renaming hijacked Facebook pages to align with their fraudulent themes, threat actors can exploit the existing follower base to broaden the reach of their malicious advertisements. According to the Trustwave report, "The threat actors assume the business identity by renaming the Facebook pages, allowing them to leverage the existing follower base to amplify the reach of their fraudulent advertisement significantly." These pages have been managed by individuals in Vietnam and the Philippines at various times.
Large-Scale Advertising Campaigns
Trustwave reports that cybercriminals run thousands of ads per campaign. Prominent campaigns include blue-softs (8,100 ads), xtaskbar-themes (4,300 ads), newtaskbar-themes (2,200 ads), and awesome-themes-desktop (1,100 ads). Users clicking on these ads are redirected to fake download pages hosted on Google Sites or True Hosting, which promote a website called Blue-Software, offering supposedly free software and game downloads.
The Malware Delivery Mechanism
When users click on the 'Download' buttons, a ZIP archive is downloaded, misleadingly named after the advertised content, such as 'Awesome_Themes_for_Win_10_11.zip' or 'Adobe_Photoshop_2023.zip'. Instead of legitimate software, the archive contains the SYS01 information-stealing malware. This malware, first discovered by Morphisec in 2022, comprises executables, DLLs, PowerShell scripts, and PHP scripts that install it and exfiltrate data from infected systems.
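A theme pack or a game has no reason to ship executables, DLLs, PowerShell or PHP scripts, so the content of the archive contradicts its name. The following check, added here as an illustration and not code from Trustwave or the article, inspects a ZIP before it reaches the user (for instance at a download proxy or mail gateway) and flags members with code extensions, plus any member that starts with the PE 'MZ' header under a non-executable name. The two sample archives are constructed in memory with placeholder contents; the file names follow the lure naming described above and carry no real malware.

```python
import io
import zipfile

# Extensions that mark executable code or scripts; the article says the SYS01
# archive carries EXEs, DLLs, PowerShell scripts and PHP scripts.
CODE_SUFFIXES = (".exe", ".dll", ".scr", ".ps1", ".bat", ".cmd", ".vbs", ".js", ".php")


def inspect_archive(zip_bytes: bytes) -> dict:
    """Map each suspicious member name to the reason it was flagged.

    Operates on the raw bytes of a ZIP so it can run before extraction.
    """
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            if name.lower().endswith(CODE_SUFFIXES):
                findings[name] = "executable or script extension"
                continue
            # A renamed executable (e.g. 'preview.jpg') still starts with 'MZ'.
            with zf.open(info) as fh:
                magic = fh.read(2)
            if magic == b"MZ":
                findings[name] = "PE header (MZ) under a non-executable name"
    return findings


def verdict(zip_bytes: bytes) -> str:
    """Gateway decision: block the download if anything was flagged."""
    return "block" if inspect_archive(zip_bytes) else "allow"


def build_lure_archive() -> bytes:
    """Constructed sample mimicking the lure layout; contents are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        base = "Awesome_Themes_for_Win_10_11/"
        zf.writestr(base + "README.txt", "Run Setup to install the themes")
        zf.writestr(base + "Setup.exe", b"MZ" + b"\x00" * 62)
        zf.writestr(base + "libs/loader.dll", b"MZ" + b"\x00" * 62)
        zf.writestr(base + "libs/stage.ps1", "# placeholder script body")
        zf.writestr(base + "libs/include/main.php", "<?php /* placeholder */ ?>")
        zf.writestr(base + "preview.jpg", b"MZ" + b"\x00" * 62)  # PE disguised as an image
    return buf.getvalue()


def build_benign_archive() -> bytes:
    """Constructed sample of what a real theme download looks like."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Sunset/Sunset.theme", "[Theme]\nDisplayName=Sunset\n")
        zf.writestr("Sunset/wallpaper1.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for label, data in (("lure", build_lure_archive()), ("benign", build_benign_archive())):
        print(label, verdict(data), inspect_archive(data))
```

The extension list is deliberately short; the point is that a gateway can refuse an archive whose contents do not match the advertised category without needing a signature for the specific sample.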
Malware Execution and Data Theft
Upon executing the archive's main file, the malware uses DLL sideloading to load a malicious DLL, which sets up its operational environment. This involves running PowerShell scripts to evade detection, adding exclusions in Windows Defender, and configuring a PHP environment for malicious scripts. The primary payload, a set of PHP scripts, creates scheduled tasks for persistence and steals data, including browser cookies, saved credentials, browsing history, and cryptocurrency wallets.
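Each step in that chain leaves a Windows event behind: a Defender configuration change (Event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log) when an exclusion is added, a process-creation record (Sysmon Event ID 1) when a PHP interpreter starts from a user-writable path, and a Security Event ID 4698 when a scheduled task is created. The correlation below is an added detection example, not code from Trustwave or the article; it runs over constructed sample events (not real logs) and flags a host only when two or more of these indicators occur within a short window, which keeps a single legitimate exclusion or scheduled task from paging anyone.

```python
from datetime import datetime, timedelta

# Paths a normal installer does not persist from; matching is case-insensitive.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\")

# Constructed sample telemetry: WS-042 shows the chain described in the article,
# WS-007 shows one event that on its own should not be flagged.
SAMPLE_EVENTS = [
    {"host": "WS-042", "ts": "2024-06-03T10:01:12",
     "source": "Microsoft-Windows-Windows Defender/Operational", "event_id": 5007,
     "data": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\alice\AppData\Local\Temp = 0x0"},
    {"host": "WS-042", "ts": "2024-06-03T10:01:40",
     "source": "Microsoft-Windows-Sysmon/Operational", "event_id": 1,
     "data": r"Image: C:\Users\alice\AppData\Local\Temp\libs\php.exe ParentImage: C:\Users\alice\Downloads\Awesome_Themes_for_Win_10_11\Setup.exe"},
    {"host": "WS-042", "ts": "2024-06-03T10:02:05",
     "source": "Security", "event_id": 4698,
     "data": r"Task Name: \AppUpdater  Command: C:\Users\alice\AppData\Local\Temp\libs\php.exe"},
    {"host": "WS-007", "ts": "2024-06-03T11:30:00",
     "source": "Security", "event_id": 4698,
     "data": r"Task Name: \DevSync  Command: C:\Users\bob\Downloads\sync-tool\sync.exe"},
]


def in_user_writable_path(text: str) -> bool:
    return any(p in text for p in USER_WRITABLE)


def classify(event: dict):
    """Return an indicator name for one event, or None if it is uninteresting."""
    src = event["source"].lower()
    eid = event["event_id"]
    data = event["data"].lower()
    if "windows defender" in src and eid == 5007 and "\\exclusions\\" in data:
        return "defender_exclusion_added"
    if "sysmon" in src and eid == 1 and "php.exe" in data and in_user_writable_path(data):
        return "php_interpreter_from_user_path"
    if src == "security" and eid == 4698 and in_user_writable_path(data):
        return "scheduled_task_from_user_path"
    return None


def correlate(events: list, window: timedelta = timedelta(minutes=15)) -> dict:
    """Group indicators per host; flag hosts with >= 2 distinct indicators inside `window`."""
    hits = {}
    for ev in events:
        hits.setdefault(ev["host"], [])
        tag = classify(ev)
        if tag is not None:
            hits[ev["host"]].append((datetime.fromisoformat(ev["ts"]), tag))
    result = {}
    for host, found in hits.items():
        found.sort()
        tags = sorted({t for _, t in found})
        span = (found[-1][0] - found[0][0]) if found else timedelta(0)
        result[host] = {"indicators": tags, "flagged": len(tags) >= 2 and span <= window}
    return result


if __name__ == "__main__":
    for host, summary in correlate(SAMPLE_EVENTS).items():
        print(host, summary)
```

The field names in the sample records are simplified stand-ins for the parsed event XML a SIEM would provide; the rule logic (which event IDs, which path prefixes, the time window) is what carries over.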
Additionally, the malware uses Facebook cookies from the infected device to extract sensitive information from the user's Facebook account, including:
• Personal profile information (name, email, birthday)
• Detailed advertising account data (spending and payment methods)
• Business and ad account data, highlighting access to commercial and financial information
• Information about Facebook pages managed by the user (follower counts, roles)
Broader Implications and Security Recommendations
The stolen data is temporarily stored in the %Temp% folder before being exfiltrated to the attackers. The stolen cookies and passwords can be sold to other cybercriminals or used to compromise further accounts, while the hijacked Facebook account data is likely used to run additional malvertising campaigns.
Trustwave highlights that this malvertising campaign extends beyond Facebook, with similar profiles observed on LinkedIn and YouTube. "The ongoing SYS01 malvertisement campaign poses a threat to a wider audience and underscores the importance of user awareness on social media," Trustwave concludes. Since its initial observation in 2022, the SYS01 malware has evolved from targeting adult-themed clickbait and game-related ads to broader themes like Windows themes and AI-based software tools.
In February, Trustwave reported a similar campaign involving the Ov3r_Stealer password-stealing malware. Recently, Bitdefender warned of hijacked Facebook pages impersonating popular AI projects to distribute information-stealing malware like Rilide, Vidar, IceRAT, and Nova.
To Sum Up
As cyber threats continue to evolve, it's crucial for users and organisations to stay vigilant and implement robust cyber security measures. Educating users about the risks associated with clicking on ads and downloading software from unverified sources can help mitigate the risk of malware infections and data breaches.