Fake Facebook Ads for Windows Desktop Themes Are Actually Sending Malware – Here’s What You Need to Know
A new Facebook malvertising campaign has been discovered that tricks victims searching for Windows themes and other software into downloading information-stealing malware.
According to a report from cybersecurity researchers at Trustwave, threat actors have abused Facebook’s advertising network to create malicious ads for things like Windows themes, top games, AI software and more. The campaign, which also uses LinkedIn and YouTube, has been active since at least September 2023 and is still active as of this writing.
The victims do not appear to belong to a specific group. Instead, the threat actors appear to be casting a wide net, trying to infect as many people as possible. The infostealer used in this campaign is called SYS01 stealer and was first spotted by cybersecurity researchers at Morphisec in mid-2022.
Stealing Facebook Business Accounts
As far as infostealers go, SYS01 stealer is not that different. It grabs sensitive information such as login credentials, cookies, and similar information from the target endpoints. It also hunts for Facebook ad and business account information, which it then uses to create additional malicious ads and spread the malware further.
However, since its first detection in 2022, the infostealer has evolved to better evade detection and improve targeting. For example, the latest variant can detect when it is being analyzed in a virtual environment, a common reverse-engineering setup. The “construction of C2 domains, ad tagging, and hosting on Telegram are all new and adapted tactics,” the researchers added, highlighting the malware’s evolution.
Facebook, LinkedIn and YouTube are massive social networks used by billions of people every day. As such, they will always be a target for cybercriminals looking to deploy malware and ultimately profit. Trustwave believes that malvertising threats are so ubiquitous that they “may never go away,” suggesting that consumers should be extra cautious when looking for software, especially commercial products.