A new malvertising campaign has been detected, using hijacked Facebook accounts and Meta’s ad platform to distribute a malware variant called SYS01stealer.
Researchers found that the attackers lean on trusted brand names in their ads to gain reach and operate nearly a hundred malicious domains that serve both as malware distribution points and as live command-and-control (C2) infrastructure, allowing them to steer the campaign in real time.
First documented by researchers in early 2023, SYS01stealer targets Facebook business accounts, originally through Google ads and fake Facebook profiles promoting games and cracked software. Like other credential stealers, it primarily harvests login details, browsing history, and cookies.
It goes further, however, by also extracting Facebook ad and business account data, which the operators use to push more malicious ads from the compromised accounts, amplifying the campaign's reach without having to create new Facebook accounts.
The malware spreads mainly through malvertising on platforms like Facebook, YouTube, and LinkedIn, often through ads for Windows themes, games, AI software, photo editors, VPNs, and streaming services.
A large share of these ads target men over 45. Users who click them are redirected to lookalike sites for legitimate applications, hosted on platforms such as Google Sites or True Hosting. These sites deliver the initial payload: a ZIP archive that contains both benign and malicious components. A benign executable in the archive loads a malicious DLL placed beside it (DLL sideloading), and that DLL kicks off the multi-stage infection chain.
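As an added example (not code from the article or from any SYS01stealer sample), the following Python script shows the kind of triage a defender can run on a downloaded archive before it is opened: it flags an EXE sitting next to a DLL in the same folder, which is the sideloading layout described above, and an Electron-style bundle whose JavaScript references PowerShell. The archive it inspects is constructed in memory, and every entry name and file content in it is invented for the demonstration.

```python
"""Triage a downloaded ZIP for the delivery pattern described above.

Added example: not code from the article or from any SYS01stealer sample.
Builds a constructed archive in memory and flags two heuristics: an EXE next
to a DLL in the same folder (a DLL sideloading candidate) and an Electron-style
bundle (an .asar file) whose JavaScript references PowerShell.  Entry names and
contents are invented for the demonstration.
"""
import io
import re
import zipfile
from pathlib import PurePosixPath

# Strings in a script that suggest it will spawn PowerShell (assumed heuristic).
POWERSHELL_MARKERS = re.compile(
    r"powershell(\.exe)?|pwsh|-EncodedCommand|Add-MpPreference", re.IGNORECASE
)


def build_sample_zip() -> bytes:
    """Construct a sample archive resembling a fake 'photo editor' download."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("PhotoEditor/PhotoEditor.exe", b"MZ placeholder, not a real PE")
        zf.writestr("PhotoEditor/version.dll", b"MZ placeholder, not a real PE")
        zf.writestr("PhotoEditor/resources/app.asar", b"asar placeholder")
        zf.writestr(
            "PhotoEditor/resources/main.js",
            b"require('child_process').spawn('powershell.exe', ['-w', 'hidden']);",
        )
        zf.writestr("PhotoEditor/README.txt", b"Thanks for downloading!")
    return buf.getvalue()


def build_clean_zip() -> bytes:
    """Construct a harmless archive (one EXE, no DLL, no scripts) for comparison."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Tool/Tool.exe", b"MZ placeholder, not a real PE")
        zf.writestr("Tool/LICENSE.txt", b"MIT")
    return buf.getvalue()


def triage_zip(data: bytes) -> dict:
    """Return sideloading candidates, Electron markers and PowerShell-launching scripts."""
    by_dir: dict[str, dict[str, list[str]]] = {}
    scripts_with_powershell: list[str] = []
    asar_entries: list[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = PurePosixPath(info.filename)
            ext = path.suffix.lower()
            group = by_dir.setdefault(str(path.parent), {"exe": [], "dll": []})
            if ext == ".exe":
                group["exe"].append(info.filename)
            elif ext == ".dll":
                group["dll"].append(info.filename)
            elif ext == ".asar":
                asar_entries.append(info.filename)
            elif ext in {".js", ".cjs", ".mjs"}:
                text = zf.read(info).decode("utf-8", errors="replace")
                if POWERSHELL_MARKERS.search(text):
                    scripts_with_powershell.append(info.filename)
    # Every EXE/DLL pair sharing a directory is a sideloading candidate: for DLLs
    # outside the KnownDLLs list, Windows searches the application's own directory
    # before the system directories, so a dropped DLL wins over the real one.
    sideload_candidates = [
        (exe, dll)
        for group in by_dir.values()
        for exe in group["exe"]
        for dll in group["dll"]
    ]
    verdict = "suspicious" if (sideload_candidates or scripts_with_powershell) else "no findings"
    return {
        "sideload_candidates": sideload_candidates,
        "electron_bundle": bool(asar_entries),
        "scripts_with_powershell": scripts_with_powershell,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for label, archive in (("sample", build_sample_zip()), ("clean", build_clean_zip())):
        print(label, triage_zip(archive))
```

The EXE-plus-DLL rule is deliberately noisy (plenty of legitimate installers ship that way); its value is in combination with the other findings and with where the archive came from, not on its own.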
SYS01stealer is built to evade detection. Once executed, it runs PowerShell commands that check for sandboxed environments so that it does not run inside one, and it alters Microsoft Defender Antivirus settings so the stealer is not flagged.
The latest version embeds an Electron application inside the ZIP archives; a JavaScript file triggers the PowerShell commands for the sandbox checks and then launches the infostealer. Persistence is achieved by creating scheduled tasks on the infected system.
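The Defender tampering and scheduled-task persistence described in the two paragraphs above both leave traces in standard Windows event logs. The following Python script is an added example (not from the article and not derived from a SYS01stealer sample) of hunting for those traces: it scans records constructed to resemble Microsoft Defender Operational event 5007 (configuration changed), Security event 4698 (scheduled task created) and PowerShell Operational event 4104 (script block logged), and correlates a task that runs from a freshly excluded path. The field layout is simplified, and every task name, path and script fragment in the sample records is invented.

```python
"""Hunt Windows event records for the evasion and persistence steps above.

Added example, not from the original article or from a SYS01stealer sample.
Records are constructed to resemble Defender Operational 5007, Security 4698
and PowerShell Operational 4104; layout is simplified and all names, paths
and script text are invented.
"""
import re

SAMPLE_EVENTS = [
    {"id": 5007, "channel": "Microsoft-Windows-Windows Defender/Operational",
     "message": "Microsoft Defender Antivirus Configuration has changed.\n"
                "Old value: \n"
                "New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions"
                "\\Paths\\C:\\Users\\Public\\Update = 0x0"},
    {"id": 5007, "channel": "Microsoft-Windows-Windows Defender/Operational",
     "message": "Microsoft Defender Antivirus Configuration has changed.\n"
                "Old value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender"
                "\\Real-Time Protection\\DisableRealtimeMonitoring = 0x0\n"
                "New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender"
                "\\Real-Time Protection\\DisableRealtimeMonitoring = 0x1"},
    {"id": 4104, "channel": "Microsoft-Windows-PowerShell/Operational",
     "message": "Creating Scriptblock text (1 of 1):\n"
                "Add-MpPreference -ExclusionPath 'C:\\Users\\Public\\Update'"},
    {"id": 4698, "channel": "Security",
     "message": "A scheduled task was created.\nTask Name: \\Updater\n"
                "Task Content: <Task><Actions><Exec><Command>powershell.exe</Command>"
                "<Arguments>-w hidden -ep bypass -f C:\\Users\\Public\\Update\\run.ps1"
                "</Arguments></Exec></Actions></Task>"},
    # An ordinary task creation, kept to show the rules stay quiet on it.
    {"id": 4698, "channel": "Security",
     "message": "A scheduled task was created.\n"
                "Task Name: \\Microsoft\\Windows\\Defrag\\ScheduledDefrag\n"
                "Task Content: <Task><Actions><Exec><Command>%windir%\\system32\\defrag.exe"
                "</Command><Arguments>-c -h -o -$</Arguments></Exec></Actions></Task>"},
]

EXCLUSION_RE = re.compile(
    r"New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\(\w+)\\(.+?) = 0x")
RTP_OFF_RE = re.compile(r"New value: .*DisableRealtimeMonitoring = 0x1")
TASK_NAME_RE = re.compile(r"Task Name:\s*(\S+)")
TASK_CMD_RE = re.compile(r"<Command>(.*?)</Command>", re.S)
TASK_ARGS_RE = re.compile(r"<Arguments>(.*?)</Arguments>", re.S)
POWERSHELL_RE = re.compile(r"powershell(\.exe)?$|pwsh(\.exe)?$", re.I)
HIDDEN_RE = re.compile(r"-w(indowstyle)?\s+hidden", re.I)
DEFENDER_CMDLET_RE = re.compile(r"(Add|Set)-MpPreference", re.I)


def hunt(events) -> list[dict]:
    """Apply the rules in event order, then correlate tasks with exclusions."""
    findings, excluded_paths, task_cmdlines = [], [], []
    for ev in events:
        msg = ev["message"]
        if ev["id"] == 5007:
            m = EXCLUSION_RE.search(msg)
            if m:  # a new exclusion carves a safe spot for the payload
                excluded_paths.append(m.group(2))
                findings.append({"rule": "defender_exclusion_added",
                                 "detail": f"{m.group(1)}: {m.group(2)}"})
            if RTP_OFF_RE.search(msg):
                findings.append({"rule": "defender_realtime_disabled",
                                 "detail": "DisableRealtimeMonitoring = 0x1"})
        elif ev["id"] == 4104 and DEFENDER_CMDLET_RE.search(msg):
            findings.append({"rule": "powershell_modifies_defender",
                             "detail": msg.splitlines()[-1]})
        elif ev["id"] == 4698:
            name = TASK_NAME_RE.search(msg)
            cmd = TASK_CMD_RE.search(msg)
            args = TASK_ARGS_RE.search(msg)
            name = name.group(1) if name else "?"
            cmd = cmd.group(1) if cmd else ""
            args = args.group(1) if args else ""
            cmdline = f"{cmd} {args}".strip()
            task_cmdlines.append((name, cmdline))
            if POWERSHELL_RE.search(cmd):
                hidden = " [hidden window]" if HIDDEN_RE.search(args) else ""
                findings.append({"rule": "scheduled_task_runs_powershell",
                                 "detail": f"{name}: {cmdline}{hidden}"})
    # Strongest signal: a new task whose command line lives under an excluded path.
    for name, cmdline in task_cmdlines:
        for path in excluded_paths:
            if path.lower() in cmdline.lower():
                findings.append({"rule": "task_runs_from_excluded_path",
                                 "detail": f"{name} uses {path}"})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['rule']:32} {f['detail']}")
```

On a real host the same logic runs over output from Get-WinEvent or a SIEM export; event 4698 requires the "Audit Other Object Access Events" subcategory and 4104 requires script block logging to be enabled, so confirm both are on before relying on these rules.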
Researchers noted how adaptable the operators are: the campaign's code is updated continually to bypass new security blocks as defenders move to counter it, so the malware keeps evading detection and the malicious ads keep running, propagating the infection further.
To counter this threat, users should be cautious about clicking ads, particularly those promoting popular software, games, or streaming services, and should obtain software only from the vendor's own site rather than from a page an ad leads to. Ad-blocking tools and browser security extensions reduce exposure to malicious ads. Defenders can additionally alert on changes to Defender exclusion and real-time protection settings and on newly created scheduled tasks that launch PowerShell, since this campaign relies on both.