Threat Actors Hijacking Facebook Accounts With Password Stealing Malware
Threat actors leverage social media to deploy malware, such as the SYS01 stealer, which steals Facebook credentials and spreads via compromised accounts.
Social media's popularity makes it a prime target, and stolen credentials are valuable for further attacks like ransomware deployment or data exfiltration.
Since user behavior is difficult to change, security measures like multi-factor authentication and robust detection are essential. Without these measures, attackers can bypass security and launch various attacks using legitimate accounts.
SYS01, a recently discovered infostealer, targets browser data and Facebook accounts. To evade detection, it has been modified since its introduction in March 2023 and uses malvertising on various platforms to trick users into downloading the malware.
The malware then steals browser data, including login credentials and cookies. Its ability to steal access tokens for Facebook accounts, particularly those managing business pages, is especially concerning.
It enables attackers to hijack these accounts and further propagate malware through malvertising.
By targeting unsuspecting users and compromising both new and established Facebook business accounts, SYS01 disrupts operations and potentially leads to financial losses.
The SYS01 infostealer uses malvertising campaigns with varied lures to trick victims.
In September 2023, it initially offered free downloads of popular games, but now the campaigns focus on Windows themes like Sora AI and taskbar themes.
Trustwave states that each campaign has a distinct tag, with “blue-softs” having the most ads (~8,100) on Facebook.
Clicking the ads redirects users to Google Sites or True Hosting landing pages, which likely host the infostealer malware.
Adversaries are using a drive-by compromise attack with malvertising on Facebook.
Clicking a disguised download button redirects users to a malicious domain, where the URL structure includes a campaign tag (?t={Value}) to categorize and manage different malware versions according to the victim profile or campaign goals.
Identified tags include “superior”, “soraaiv2”, “tbthemes”, “3dimg”, and “taskbarthemes2024”, allowing attackers to track campaign effectiveness and tailor malicious activities.
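The campaign tag in the `?t=` parameter is a usable detection hook for defenders. The following is an added example, not code from the article or from Trustwave: it scans constructed proxy log lines for requests whose `t` parameter matches the tags listed above. The log format, hostnames and watchlist variable are assumptions.

```python
import re
from urllib.parse import urlparse, parse_qs

# Watchlist built from the campaign tags reported above (hypothetical defender list).
# Note that "superior" is an ordinary word, so expect some false positives on it.
SYS01_CAMPAIGN_TAGS = {"superior", "soraaiv2", "tbthemes", "3dimg", "taskbarthemes2024"}

# Constructed proxy log lines (timestamp client method url status); not real traffic.
SAMPLE_PROXY_LOG = """\
1719400001.123 10.0.0.12 GET https://sites.google.com/view/free-themes-2024 200
1719400002.456 10.0.0.12 GET https://example-download.invalid/get/?t=taskbarthemes2024 302
1719400003.789 10.0.0.12 GET https://cdn.example-download.invalid/file.zip?t=3dimg&v=2 200
1719400004.012 10.0.0.31 GET https://www.microsoft.com/en-us/store?t=home 200
1719400005.345 10.0.0.31 GET https://example.invalid/promo?T=SoraAIv2 200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)

def campaign_tag(url: str):
    """Return the lowercase value of the t= query parameter, or None if absent.
    Key and value are compared case-insensitively because operators vary casing."""
    qs = parse_qs(urlparse(url).query, keep_blank_values=True)
    for key, values in qs.items():
        if key.lower() == "t" and values:
            return values[0].lower()
    return None

def scan_proxy_log(text: str) -> list:
    """Return one finding per request whose campaign tag is on the watchlist."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole scan
        tag = campaign_tag(m["url"])
        if tag in SYS01_CAMPAIGN_TAGS:
            findings.append({
                "client": m["client"],
                "host": urlparse(m["url"]).hostname,
                "tag": tag,
                "status": int(m["status"]),
            })
    return findings

if __name__ == "__main__":
    for finding in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(finding)
```

Unrelated `?t=` values such as `t=home` are ignored, while a mixed-case `T=SoraAIv2` still matches; the per-client findings are what you would pivot on to find the preceding Google Sites landing page in the same session.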
SYS01 malware is evolving its delivery method to target a wider audience through social media ads like Windows themes. It leverages legitimate-sounding domains to deploy malicious payloads and uses PHP variants to evade detection.
The attackers use a complex attack chain with C2 domain generation, data extraction, and Facebook account hijacking via tokens.
The malware also uses commercial tools to achieve persistence on infected systems, as SYS01 specifically targets hijacking Facebook business accounts to maximize its reach and damage the reputation of affected companies.
Source credit : cybersecuritynews.com