The information stealer known as SYS01 has been used by threat actors since November 2022 to infect the systems of employees at critical government infrastructure organizations and manufacturing companies, among others.
The new campaign, spotted by security researchers at Morphisec, targeted holders of Facebook business accounts with Google ads and fake Facebook profiles promoting games, adult content and cracked software. Clicking the lure led to a malicious download.
“The attack is designed to steal sensitive information, including login data, cookies, and Facebook ad and business account information,” wrote Morphisec malware researcher Arnold Osipov in Tuesday’s advisory.
“The campaign was first seen in May 2022 and was initially attributed to the Ducktail operation by Zscaler. This attribution was later discovered to be incorrect,” Osipov added.
Mike Parkin, Senior Technical Engineer at Vulcan Cyber, agreed with Osipov’s analysis, adding that Morphisec’s new research shows the threat actor is still active and development of their malware is ongoing.
“They also reference a separate, but apparently related, malware discovered by another research team,” Parkin added. “Taken as a whole, this highlights how threat actors evolve their tools and focus on specific targets over time. And how challenging it can be to firmly attribute specific malware strains to specific groups when both the malware and groups that use it are constantly in flux.”
In the attacks observed by Morphisec, the SYS01 stealer was delivered in several different ways, including through DLL side-loading and through Rust and Python executables.
According to John Anthony Smith, CEO of Conversant Group, the campaign shows how threat actors are increasingly using ad content to lure users into clicking malicious links.
“SYS01, in our opinion, is a continuation of similar techniques used by other groups. Any messaging platform that allows a user to click uninspected links or attachments should be blocked,” the executive explained.
“Ads, social network platforms, chat applications/services and [...] all platforms that allow communication outside of the corporately sanctioned methods should be blocked.”
A similar campaign by the aforementioned Ducktail threat actors was spotted by the WithSecure team and disclosed in November 2022.