Cybersecurity researchers have discovered an ongoing malvertising campaign that abuses Meta’s advertising platform to hijack Facebook accounts and distribute an information stealer known as SYS01stealer.
“The hackers behind this campaign are leveraging trusted brands to expand their reach,” Bitdefender Labs said in a report shared with The Hacker News.
“Nearly 100 malicious domains are utilized in malvertising campaigns, used not only for malware distribution but also for live command and control (C2) operations, allowing attackers to manage attacks in real time.”
SYS01stealer was first documented by Morphisec in early 2023, describing an attack campaign that targeted Facebook business accounts using Google Ads and fake Facebook profiles promoting games, adult content, and cracked software.
Like other information-stealing malware, its end goal is to steal login credentials, browsing history, and cookies. However, it also focuses on capturing Facebook ads and business account data, which is then used to spread the malware further through fake ads.
“The hijacked Facebook accounts serve as the basis for expanding the entire operation,” Bitdefender noted. “Each compromised account can be reused to promote additional malicious ads, increasing the reach of the campaign, without the hacker having to create a new Facebook account themselves.”
The main way SYS01stealer is distributed is through malvertising across platforms such as Facebook, YouTube, and LinkedIn, with ads promoting Windows themes, games, AI software, photo editors, VPNs, and movie streaming services. The majority of the Facebook ads are designed to target men over the age of 45.
“This effectively tricks victims into clicking on these ads and steals their browser data,” Trustwave said in a July 2024 analysis of the malware.
“If the data contains Facebook-related information, not only can your browser data be stolen, but your Facebook account could be controlled by an attacker, further spreading malvertisements and continuing the cycle.”
Users who end up interacting with the ad are redirected to a malicious site hosted on Google Sites or True Hosting, which impersonates a legitimate brand or application and initiates an infection. This attack is also known to use hijacked Facebook accounts to run fraudulent ads.
The initial payload downloaded from these sites is a ZIP archive containing a benign executable, which is used to sideload a malicious DLL responsible for decoding and launching a multi-stage process.
This includes running PowerShell commands to stop the malware from executing in a sandboxed environment, modifying Microsoft Defender Antivirus settings to exclude specific paths from scanning in order to avoid detection, and setting up the operating environment required to run a PHP-based stealer.
The latest attack chain observed by the Romanian cybersecurity firm involves embedding an Electron application in the ZIP archive, suggesting that the attackers are continually evolving their tactics.
The Atom Shell Archive (ASAR) contains a JavaScript file (‘main.js’) that executes PowerShell commands, performs sandbox checks, and runs the stealer. Persistence on the host is achieved by setting up scheduled tasks.
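The behaviours described above (Defender exclusion changes and scheduled-task persistence launched from PowerShell) are the kind of thing a defender would hunt for in PowerShell script block logging (Event ID 4104). The following is an added detection example, not code from the article or from Bitdefender; the script block lines are constructed for illustration and the rule names are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample of PowerShell ScriptBlock logging text (Event ID 4104),
# one script block per line. These lines are made up for illustration and
# were not captured from the SYS01 campaign.
SAMPLE_SCRIPT_BLOCKS = [
    "Get-ChildItem C:\\Users\\alice\\Documents",
    "Add-MpPreference -ExclusionPath 'C:\\Users\\alice\\AppData\\Local\\Temp\\ph'",
    "Set-MpPreference -DisableRealtimeMonitoring $true",
    "schtasks /create /tn \"Updater\" /tr \"C:\\Users\\alice\\AppData\\Roaming\\x\\php.exe run.php\" /sc minute /mo 5",
    "Register-ScheduledTask -TaskName 'Sync' -Action (New-ScheduledTaskAction -Execute 'C:\\Users\\alice\\AppData\\Local\\node.exe')",
    "Write-Host 'hello'",
]

# Each rule: a name, a compiled regex over the script block text, and a short
# note on why the behaviour matters for this campaign. Rule names are hypothetical.
RULES = [
    ("defender_exclusion", re.compile(r"\b(Add|Set)-MpPreference\b.*-ExclusionPath\b", re.I),
     "Defender exclusion path added (used to hide the stealer's working directory)"),
    ("defender_tamper", re.compile(r"\bSet-MpPreference\b.*-Disable\w+", re.I),
     "Defender protection feature disabled"),
    ("sched_task_userprofile", re.compile(r"(schtasks(\.exe)?\s+/create|Register-ScheduledTask).*AppData", re.I),
     "Scheduled task pointing into a user profile path (persistence for the loader)"),
]

@dataclass(frozen=True)
class Finding:
    rule: str
    line_no: int
    script_block: str
    why: str

def scan_script_blocks(blocks):
    """Return one Finding per (script block, matching rule), in log order."""
    findings = []
    for i, block in enumerate(blocks, start=1):
        for name, pattern, why in RULES:
            if pattern.search(block):
                findings.append(Finding(name, i, block, why))
    return findings

if __name__ == "__main__":
    for f in scan_script_blocks(SAMPLE_SCRIPT_BLOCKS):
        print(f"[{f.rule}] line {f.line_no}: {f.why}\n    {f.script_block}")
```

Legitimate administration also adds exclusions and tasks, so in practice these hits are triage signals to correlate with the parent process (here, a sideloaded DLL or an Electron app running from a user-writable path) rather than verdicts on their own.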
“The adaptability of the cybercriminals behind these attacks makes the SYS01 information theft campaign particularly dangerous,” Bitdefender said. “This malware employs sandbox detection and stops running if it detects that it is in a controlled environment, which is often used by analysts to inspect malware. This often allows it to remain undetected.”
“Once cybersecurity companies begin flagging and blocking specific versions of the loader, hackers quickly respond by updating the code. They then push out new ads using updated malware to circumvent the latest security measures.”
Exploiting Eventbrite through phishing campaigns
This development comes as Perception Point detailed a phishing campaign that abuses the Eventbrite event and ticketing platform to steal financial and personal information.
The emails, delivered via noreply@events.eventbrite(.)com, ask users to click a link to pay an outstanding bill or confirm their package shipping address, after which they are prompted to enter their login information and credit card details.
The attack is possible because the attacker signs up for a legitimate account on the service, exploits the reputation of a known brand to create a fake event, and embeds a phishing link in the event description or in an attachment. An invitation to the event is then sent to the target.
“Because emails are sent through Eventbrite’s verified domains and IP addresses, they have a better chance of passing through email filters and reaching recipients’ inboxes,” Perception Point said.
“Eventbrite’s sender domain also increases the likelihood that recipients will open the email and access the phishing link. By exploiting Eventbrite’s platform, attackers can evade detection and secure higher delivery and open rates.”
A different kind of pig butchering
Threat hunters are also warning of an increase in crypto scams that impersonate various organizations and target users with fake job openings, claiming they can earn money working from home. The spam messages also claim to represent legitimate brands such as Spotify, TikTok, and Temu.
This activity begins through social media, SMS, and messaging apps such as WhatsApp and Telegram. Users who agree to take the job are directed by the scammer to register on a malicious website using a referral code, and are then asked to complete various tasks such as submitting fake reviews, ordering products, playing specific songs on Spotify, or booking hotels.
The scam unfolds when a victim’s fake commission account balance suddenly becomes negative and they are prompted to replenish it by investing their own cryptocurrencies in order to earn bonuses from tasks.
“As long as fraudsters believe that victims will continue to pay into the system, this cycle will continue,” Proofpoint researchers said. “If they suspect the victim has gotten smart about the scam, they will lock their account and ghost them.”
The researchers assess with high confidence that this fraudulent scheme is the work of a threat actor that also practices pig butchering, also known as romance-based cryptocurrency investment fraud.
“Compared to pig butchering, job fraud offers smaller but more frequent returns for fraudsters,” Proofpoint said. “This activity capitalizes on popular brand recognition instead of trust scams based on long romances.”