How SYSo1 Stealer will get your sensitive Facebook info
Guest author Arnold Osipov, malware research at Morphisec, explains and offers some protection tips
Cybertech
| 13/03/2023
REUTERS/Dado Ruvic/Illustration
Starting in November 2022, Morphisec has been tracking an advanced info stealer we have named “SYS01 stealer.” SYS01 stealer uses similar lures and loading techniques to another information stealer recently dubbed S1deload by the Bitdefender group, but the actual payload (stealer) is different.
We have seen SYS01 stealer attacking critical government infrastructure employees, manufacturing companies, and other industries. The threat actors behind the campaign are targeting Facebook business accounts by using Google ads and fake Facebook profiles that promote things like games, adult content, and cracked software, etc. to lure victims into downloading a malicious file. The attack is designed to steal sensitive information, including login data, cookies, and Facebook ad and business account information.
The attack begins by luring a victim to click on a URL from a fake Facebook profile or advertisement to download a ZIP file that pretends to have an application, game, movie, etc. The infection chain is divided into two parts: the loader, and the Inno-Setup installer that drops the final payload.
How to combat the stealer?
Basic steps to help prevent SYS01 stealer include implementing a zero-trust policy and limiting users’ rights to download and install programs. And SYS01 stealer at heart relies on a social engineering campaign, so it’s important to train users about the tricks adversaries use so they know how to spot them.
But humans are fallible, and limiting device functionality is not always possible when you need to ensure effective business functions. This is why the best protection is all-of-the-above plus a Defense-in-Depth approach. Security tools like next generation anti-virus (NGAV), endpoint protection platforms (EPP), and endpoint detection and response (EDR, XDR, and MDR) are necessary, but not sufficient to stop stealers like SYS01 stealer.
This is because detection-based tools don’t always flag benign executables used to side-load payloads during delivery and/or execution. And malicious payloads are also sometimes encrypted/packed or obfuscated until loaded into runtime memory, which detection-based tools struggle to effectively scan. The most effective way to secure runtime memory is with Moving Target Defense (MTD) technology. MTD morphs—randomizes—the runtime memory environment to create a dynamic attack surface and leaves decoy traps where targets used to be.
Written by Arnold Osipov, malware research at Morphisec
This is a shortened version of an article reprinted with permission. For the full article please click here
Guest author Arnold Osipov, malware research at Morphisec, explains and offers some protection tips
REUTERS/Dado Ruvic/Illustration
Starting in November 2022, Morphisec has been tracking an advanced info stealer we have named “SYS01 stealer.” SYS01 stealer uses similar lures and loading techniques to another information stealer recently dubbed S1deload by the Bitdefender group, but the actual payload (stealer) is different.
We have seen SYS01 stealer attacking critical government infrastructure employees, manufacturing companies, and other industries. The threat actors behind the campaign are targeting Facebook business accounts by using Google ads and fake Facebook profiles that promote things like games, adult content, and cracked software, etc. to lure victims into downloading a malicious file. The attack is designed to steal sensitive information, including login data, cookies, and Facebook ad and business account information.
The attack begins by luring a victim to click on a URL from a fake Facebook profile or advertisement to download a ZIP file that pretends to have an application, game, movie, etc. The infection chain is divided into two parts: the loader, and the Inno-Setup installer that drops the final payload.
How to combat the stealer?
Basic steps to help prevent SYS01 stealer include implementing a zero-trust policy and limiting users’ rights to download and install programs. And SYS01 stealer at heart relies on a social engineering campaign, so it’s important to train users about the tricks adversaries use so they know how to spot them.
But humans are fallible, and limiting device functionality is not always possible when you need to ensure effective business functions. This is why the best protection is all-of-the-above plus a Defense-in-Depth approach. Security tools like next generation anti-virus (NGAV), endpoint protection platforms (EPP), and endpoint detection and response (EDR, XDR, and MDR) are necessary, but not sufficient to stop stealers like SYS01 stealer.
This is because detection-based tools don’t always flag benign executables used to side-load payloads during delivery and/or execution. And malicious payloads are also sometimes encrypted/packed or obfuscated until loaded into runtime memory, which detection-based tools struggle to effectively scan. The most effective way to secure runtime memory is with Moving Target Defense (MTD) technology. MTD morphs—randomizes—the runtime memory environment to create a dynamic attack surface and leaves decoy traps where targets used to be.
Written by Arnold Osipov, malware research at Morphisec
This is a shortened version of an article reprinted with permission. For the full article please click here
