SYS01 stealer targets critical government infrastructure

Researchers discovered a new info stealer dubbed SYS01 stealer targeting critical government infrastructure and manufacturing firms.

Cybersecurity researchers from Morphisec discovered a new, advanced information stealer, dubbed SYS01 stealer, that since November 2022 was employed in attacks aimed at critical government infrastructure employees, manufacturing companies, and other sectors.

The experts found similarities between the SYS01 stealer and another info stealing malware, tracked as S1deload, that was discovered by Bitdefender researchers.  

“We have seen SYS01 stealer attacking critical government infrastructure employees, manufacturing companies, and other industries.” reads the analysis published by Morphisec. “The threat actors behind the campaign are targeting Facebook business accounts by using Google ads and fake Facebook profiles that promote things like games, adult content, and cracked software, etc. to lure victims into downloading a malicious file. The attack is designed to steal sensitive information, including login data, cookies, and Facebook ad and business account information.” 

The experts reported that the campaign was first uncovered in May 2022 that Zscaler researchers linked to the Ducktail operation by Zscaler. The DUCKTAIL campaign was first analyzed by researchers from WithSecure (formerly F-Secure Business) in July 2022, it was targeting individuals and organizations that operate on Facebook’s Business and Ads platform.

The attack chain starts by luring a victim to click on a URL from a fake Facebook profile or advertisement to download a ZIP file that pretends to have a cracked software, game, movie, etc.  

Upon opening the ZIP file, a loader, often in the form of a legitimate C# application, is executed. The application is vulnerable to DLL side-loading, a technique used to load a malicious DLL when the legitimate app is invoked.

The experts observed threat actors abusing the legitimate applications Western Digital’s WDSyncService.exe and Garmin’s ElevatedInstaller.exe to side-load the malicious payload.

The last stage malware is the PHP-based SYS01stealer malware which is able to steal browser cookies and abuse authenticated Facebook sessions to steal information from the victim’s Facebook account.

The end goal is to hijack Facebook Business accounts managed by the victims.

In order to steal Facebook session cookies from the victims, the malware scans the machine for popular browsers, including Google Chrome, Microsoft Edge, Brave Browser, and Firefox. For each of the browsers that it finds, it extracts all the stored cookies, including any Facebook session cookie.

The malware also steals information from the victim’s personal Facebook account, including name, email address, date of birth, and user ID, along with other data such as 2FA codes, user agents, IP address, and geolocation

The malware is also able to upload files from the infected system to the C2 server and execute commands sent by the C&C. The malicious code also supports an update mechanism.

“Basic steps to help prevent SYS01 stealer include implementing a zero-trust policy and limiting users’ rights to download and install programs. And SYS01 stealer at heart relies on a social engineering campaign, so it’s important to train users about the tricks adversaries use so they know how to spot them.” concludes Morphisec that also provides indicators of compromise (IoCs).

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, SYS01 stealer)