The Rising Threat of SYS01 Infostealer: Navigating Facebook’s Evil Mad Men
Infostealer attacks are becoming an increasingly serious threat. In recent years, infostealer malware has increasingly become the weapon of choice for cybercriminals as a low-hanging-fruit tactic for carrying out high-impact data breaches, due to its simplicity, wide availability and low cost.
The Trustwave SpiderLabs Threat Intelligence team recently discovered a new version of the SYS01 infostealer during our ongoing investigation into malicious activity on Facebook. With over 2.9 billion monthly active users and 200 million business accounts on Facebook, this infostealer poses a significant risk.
In this campaign, hackers use malicious ads to steal account information to take over business and personal Facebook pages, and access users’ login information, history, and cookies in web browsers. The information captured may include stored credit card information, passwords for accounts on other sites, and more. This can then lead to further ripple effects, including business disruption and financial losses.
Global Director of the SpiderLabs Threat Hunt team, Trustwave.
Extensive targeting of Facebook users
SYS01 represents a new wave of infostealer malware with more advanced capabilities and evasion techniques, making it a formidable threat.
Since its emergence in March 2023, SYS01 has evolved dramatically. Initially distributed through Facebook ads related to adult content and gaming, this new version, active since September 2023, now includes ads for AI tools and Windows themes. This evolution increases SYS01’s appearance of legitimacy and expands its reach to target the general population, making it more challenging for users to identify and avoid malicious ads.
As this malware continues to evolve and target a larger group of potential victims, organizations should implement filtering systems to analyze advertising content for signs of malware or malicious intent to help mitigate risk. It is also critical that employees improve their own ability to recognize spoofed ads and maintain good cybersecurity hygiene by staying up to date on the latest trends and tools used by cybercriminals.
The adaptive nature of SYS01
SYS01 can manipulate antivirus software configurations to avoid detection and persist on infected systems for extended periods. This makes it much more challenging for traditional security solutions to detect the malware. With the ability to identify virtualized environments used by security researchers for malware analysis, SYS01 can further change its behavior or halt execution to avoid detection by security tools.
Not only can SYS01 manipulate security tools to evade detection, but its adaptability extends to the malicious advertising campaigns that deliver it, which keep changing to increase their effectiveness. Using calculated A/B testing, SYS01 adjusts and refines its ads to maximize engagement and click-through rates and iterates on the more successful ones.
Given the adaptive nature of SYS01, organizations should ensure they have host-based anti-malware tools in place to help detect and protect against malicious exploits. Security and IT teams can go a step further by keeping browsers and plugins up to date and configuring browsers and tasks to regularly delete persistent cookies to reduce the risk of sensitive information being stolen through session cookies. When prevention is not possible, audit controls can also help identify potential compromises.
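One way to apply the cookie-hygiene advice above on managed Windows endpoints, as an added example that is not from the article or from Trustwave: it sets the Chrome and Edge enterprise policies that keep cookies session-only and clear site data when the browser closes. The policy names are real Chrome/Edge policies; the machine-wide scope and the choice of session-only cookies are assumptions.

```powershell
# Added example: enforce cookie hygiene via browser enterprise policies.
# Requires an elevated PowerShell session; policies apply on the next browser start.
# Assumption: endpoints run Chrome and/or Edge and are managed locally or by GPO.

$ChromePolicy = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
$EdgePolicy   = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'

function Set-ChromeCookieHygiene {
    New-Item -Path $ChromePolicy -Force | Out-Null
    # DefaultCookiesSetting 4 = keep cookies only for the current session.
    Set-ItemProperty -Path $ChromePolicy -Name 'DefaultCookiesSetting' -Value 4 -Type DWord
    # Clear cookies and other site data on exit, so a copied profile carries no live sessions.
    $list = Join-Path $ChromePolicy 'ClearBrowsingDataOnExitList'
    New-Item -Path $list -Force | Out-Null
    Set-ItemProperty -Path $list -Name '1' -Value 'cookies_and_other_site_data' -Type String
}

function Set-EdgeCookieHygiene {
    New-Item -Path $EdgePolicy -Force | Out-Null
    Set-ItemProperty -Path $EdgePolicy -Name 'DefaultCookiesSetting' -Value 4 -Type DWord
    # Edge exposes the clear-on-exit behaviour as a single boolean policy.
    Set-ItemProperty -Path $EdgePolicy -Name 'ClearBrowsingDataOnExit' -Value 1 -Type DWord
}

function Test-CookieHygiene {
    # Audit check: $true only when every expected policy value is present.
    $chrome = Get-ItemProperty -Path $ChromePolicy -ErrorAction SilentlyContinue
    $list   = Get-ItemProperty -Path (Join-Path $ChromePolicy 'ClearBrowsingDataOnExitList') -ErrorAction SilentlyContinue
    $edge   = Get-ItemProperty -Path $EdgePolicy -ErrorAction SilentlyContinue
    return ($chrome.DefaultCookiesSetting -eq 4) -and
           ($list.'1' -eq 'cookies_and_other_site_data') -and
           ($edge.DefaultCookiesSetting -eq 4) -and
           ($edge.ClearBrowsingDataOnExit -eq 1)
}

Set-ChromeCookieHygiene
Set-EdgeCookieHygiene
if (Test-CookieHygiene) { 'Cookie hygiene policies applied.' } else { 'Policy check failed.' }
```

Session-only cookies force users to sign in again at every browser launch; if that is too disruptive for specific business sites, the CookiesAllowedForUrls policy can exempt them while the default stays strict.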
One info stealer after another
As cybercriminals continue to innovate with their use of infostealers, it is critical that organizations remain vigilant and implement robust security measures.
SYS01 is just one of many infostealer threats. Many of its tactics bear striking similarities to other infostealers, such as Rilide. Rilide disguises itself as a legitimate Google Drive extension and targets Chromium-based browsers – such as Google Chrome, Microsoft Edge, Brave and Opera – using Google Ads to launch attacks that monitor browsing history and take screenshots before malicious scripts are injected to withdraw funds from cryptocurrency exchanges.
To protect against such threats, security leaders must enforce the use of multi-factor authentication (MFA) in their organizations. This adds an extra layer of defense, making unauthorized access more difficult if and when users accidentally click on malicious ads. Proactive monitoring with tools like endpoint detection and response, in addition to MFA, improves security by detecting anomalies and aggregating data across an organization’s IT infrastructure.
A call for proactive defense
SYS01’s evolution and advanced capabilities underscore the growing threat from infostealers, especially due to its demonstrated ability to evade detection and continually evolve. This flexibility underscores the need for cybersecurity professionals to stay ahead of the curve to effectively anticipate and mitigate future threats. By investing in robust defenses, monitoring solutions and proactive threat hunting, organizations can better protect themselves against the increasing risks posed by infostealers and protect their digital assets from potential damage.
This article was produced as part of TechRadarPro’s Expert Insights channel, where we profile the best and brightest minds in today’s technology industry. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing, you can read more here: