Information-stealing attacks are an increasingly serious threat. In recent years, data-stealing malware has become the weapon of choice for cybercriminals carrying out high-impact data breaches because of its simplicity, wide availability, and low cost.
The Trustwave SpiderLabs Threat Intelligence team recently discovered a new version of the SYS01 information stealer during our ongoing investigation into malicious activity on Facebook. With more than 2.9 billion monthly active users and 200 million business accounts on Facebook, this infostealer poses a significant risk.
In this campaign, attackers use malicious ads to steal account credentials and take over Facebook personal and business pages, and to harvest the credentials, browsing history, and cookies stored in the victim's web browsers. Captured data may include saved credit card details, passwords for other sites, and more. This can have knock-on effects, including disruption to business operations and financial losses.
Global Director, SpiderLabs Threat Hunting Team, Trustwave.
Expanded targeting of Facebook users
SYS01 represents a new wave of information-stealing malware with more sophisticated capabilities and evasion techniques, making it a formidable threat.
Since its appearance in March 2023, SYS01 has evolved dramatically. It was initially distributed through Facebook ads for adult content and games; the new version, which has been active since September 2023, also uses ads for artificial intelligence tools and Windows themes. This evolution improves SYS01's appearance of legitimacy and expands its reach to the general population, making the malicious ads harder for users to identify and avoid.
As this malware continues to evolve and target a larger pool of potential victims, organizations should implement filtering that analyzes ad content for signs of malware or malicious intent to help mitigate the risk. It is also crucial that employees improve their own ability to recognize fraudulent ads and maintain good cybersecurity hygiene by staying informed about the latest trends and tools used by cybercriminals.
The adaptive nature of SYS01
SYS01 can manipulate antivirus software settings to avoid detection and maintain a presence on infected systems for extended periods, which makes it much harder for traditional security solutions to detect it. SYS01 can also identify the virtualized environments that security researchers use for malware analysis, and alter its behavior or halt execution there to avoid being analyzed.
Not only can SYS01 manipulate security tools to evade detection, but its adaptability also allows it to keep transforming and adjusting to become more effective with each malvertising campaign. Through deliberate A/B testing, its operators tailor and refine their ads to maximize engagement and click-through rates, then repeat the most successful ones.
Given the adaptive nature of SYS01, organizations should ensure they have host-based antimalware tools in place to help detect and protect against malicious attacks. Security and IT teams can go a step further by keeping browsers and plugins up to date and configuring browsers, or scheduled tasks, to periodically delete persistent cookies, which limits the session cookies available for theft. Where prevention is not possible, audit controls can help detect potential compromises.
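One way to apply the cookie-hygiene advice above on managed Windows fleets is through Chromium enterprise policy, which Chrome and Edge read from the registry. The script below is an added example and is not code from the Trustwave article; it assumes an elevated PowerShell session on Windows and browsers recent enough to honour the `ClearBrowsingDataOnExitList` policy. The policy names and values used (`DefaultCookiesSetting`, `ClearBrowsingDataOnExitList`, `CookiesAllowedForUrls`) are documented Chromium policies; the choice of which sites to exempt is a placeholder you would replace with your own list.

```powershell
# Added example (not from the original article): enforce session-only cookies and
# clear site data on browser exit for Google Chrome and Microsoft Edge via HKLM policy.
# Assumes an elevated PowerShell session on Windows.
#   DefaultCookiesSetting = 4   -> keep cookies only for the duration of the session
#   ClearBrowsingDataOnExitList -> data types wiped when the browser closes
#   CookiesAllowedForUrls       -> (optional) sites that may keep persistent cookies

$policyRoots = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome',
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
)

# Placeholder exemption list (assumption: replace with sites that genuinely need
# persistent cookies, e.g. an internal SSO portal). Leave empty to exempt nothing.
$persistentCookieSites = @('[*.]example-internal.invalid')

foreach ($root in $policyRoots) {
    # Create the policy key if it does not exist yet
    New-Item -Path $root -Force | Out-Null

    # 4 = "Keep cookies for the duration of the session" (cleared on browser exit)
    New-ItemProperty -Path $root -Name 'DefaultCookiesSetting' `
        -PropertyType DWord -Value 4 -Force | Out-Null

    # List policies are written as numbered REG_SZ values under a subkey
    $clearKey = Join-Path $root 'ClearBrowsingDataOnExitList'
    New-Item -Path $clearKey -Force | Out-Null
    New-ItemProperty -Path $clearKey -Name '1' -PropertyType String `
        -Value 'cookies_and_other_site_data' -Force | Out-Null

    # Optional per-site exemptions so business workflows that rely on
    # persistent cookies keep working
    if ($persistentCookieSites.Count -gt 0) {
        $allowKey = Join-Path $root 'CookiesAllowedForUrls'
        New-Item -Path $allowKey -Force | Out-Null
        $i = 1
        foreach ($site in $persistentCookieSites) {
            New-ItemProperty -Path $allowKey -Name "$i" -PropertyType String `
                -Value $site -Force | Out-Null
            $i++
        }
    }
}

# Verify: read back what the browser will report under chrome://policy or edge://policy
foreach ($root in $policyRoots) {
    $setting = (Get-ItemProperty -Path $root -Name 'DefaultCookiesSetting').DefaultCookiesSetting
    $clear   = (Get-ItemProperty -Path (Join-Path $root 'ClearBrowsingDataOnExitList')).'1'
    Write-Output ("{0}: DefaultCookiesSetting={1}, ClearBrowsingDataOnExitList[1]={2}" -f $root, $setting, $clear)
}
```

Two caveats a practitioner should keep in mind: session-only cookies mean users re-authenticate (and re-complete MFA) every time they reopen the browser, so exemptions should be deliberate; and deleting cookies client-side does not invalidate a server-side session whose cookie has already been exfiltrated, so a suspected theft still calls for revoking active sessions on the affected accounts.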
One infostealer after another
As cybercriminals continue to innovate with the use of information stealers, it is essential to remain vigilant and implement strong security measures.
SYS01 is just one of many infostealer threats. Many of its tactics closely resemble those of other infostealers, such as Rilide. Disguised as a legitimate Google Drive extension, Rilide targets Chromium-based browsers such as Google Chrome, Microsoft Edge, Brave, and Opera, and uses Google Ads to reach victims; once installed, it monitors browsing history and captures screenshots before injecting malicious scripts to withdraw funds from cryptocurrency exchanges.
To protect against such threats, security leaders must enforce the use of multi-factor authentication (MFA) across their organizations. This adds an extra layer of defense, making unauthorized access more difficult if users inadvertently click on malicious ads. Proactive monitoring with tools such as endpoint detection and response (EDR), alongside MFA, improves security by detecting anomalies and aggregating telemetry across an organization's IT infrastructure.
A call for proactive defense
The evolution and sophisticated capabilities of SYS01 underscore the growing threat posed by infostealers, particularly given their proven ability to evade detection and continually evolve. This flexibility highlights the need for cybersecurity professionals to stay ahead of the curve in order to anticipate and mitigate future threats. By investing in robust defenses, monitoring solutions, and proactive threat hunting, organizations can better protect themselves against the growing risk of infostealers and shield their digital assets from potential damage.