Designed to appeal to the widest range of potential victims, the malware ads are also being updated continuously to evade tracking

Popular software costs a lot, and people are always looking for good deals. When they come across social media ads that offer the software for free or at great prices, they may pounce on the opportunity, only to find out that the ad was designed only to steal personal details and sensitive data.

That is what researchers are monitoring right now. The malvertising campaign has been named the SYS01 infostealer, and it has been targeting victims across multiple platforms such a Meta.

The campaign possesses the following characteristics:

  • Compared to previous malvertising campaigns, SYS01 is now delivered through an ElectronJs cross-platform browser application. To maximize reach, threat actors have begun impersonating a wide range of well-known software tools, increasing the likelihood of targeting a broader user base.
  • The malvertising campaign leverages nearly a hundred malicious domains, utilized not only for distributing the malware but also for live command and control (C2) operations, allowing threat actors to manage the attack in real time.
  • Trusted products and brands are featured in the malvertisements to attract more victims. This includes video editing software such as CapCut; Virtual Private Network tools, and video streaming services such as Netflix, among many other types of software.
  • The malicious ads typically point to a MediaFire link or refer to one that allows the direct download of malicious zip or self-extracting archives that end up dropping and executing encrypted malicious code behind a decoy app that partially mimics what the victim is expecting.
  • Each compromised account can be repurposed to promote additional malicious ads, amplifying the reach of the campaign without the hackers needing to create new Facebook accounts themselves. This is a cost-effective and time-efficient way to consistently drive traffic to malicious downloads.
  • The scope of SYS01 is global, with potential victims in the millions, spanning regions such as the EU, North America, Australia, and Asia — particularly males aged 45 and above. There is limited transparency on how these malicious ads are affecting users outside the EU, especially in the US.
  • SYS01’s masterminds are continuously evolving their strategies, adapting malicious payloads almost in real time to avoid detection. Once antivirus tools have detected and blocked a version of the malware dropper, hackers are already enhancing obfuscation methods and re-launching new ads with updated versions.

Monetization methods

According to the research by Bitdefender Labs, a key goal of SYS01 infostealer is to harvest Facebook credentials, specifically Facebook Business accounts. Once hackers gain access to these accounts, they do not just exploit the personal data; they use the hijacked accounts to launch more malicious ads. By using legitimate Facebook Business accounts, the ads appear more credible and bypass the usual security filters. This allows the attack to spread further, reaching more victims with each new wave of ads.

In addition to using hijacked accounts to fund and promote their campaigns, cybercriminals can also monetize the stolen credentials by selling them on underground marketplaces, with Facebook Business accounts being highly valuable. The stolen personal information, including login data, financial info, and security tokens, can be sold to other malicious actors who may attempt to use it to fuel identity theft crimes and other attacks, turning each new victim into a revenue stream.

The decoy app may launch a dialog box prompting the victim to “update” certain required software components, when it actually downloads the rest of the malicious payload(s)