Malvertising Campaign Hijacks Facebook Accounts to Spread SYS01stealer Malware

Summary:
A sophisticated malvertising campaign leveraging Meta's advertising platform has been actively targeting users for at least a month. The campaign, which primarily focused on distributing the SYS01 infostealer malware, has evolved to deliver the malware via an ElectronJS application, significantly broadening its reach. The SYS01 infostealer was first documented in early 2023. These attacks aggressively impersonate popular software and services to entice victims into clicking malicious ads. Once clicked, users are redirected to deceptive websites hosting the malware. The attacks often run a decoy app mimicking the software promoted in the malicious ad while executing the malware in the background. The SYS01 infostealer is designed to steal sensitive information such as login credentials, browsing history, and Facebook business account data. The adversary can use this Facebook account data to hijack Facebook accounts and exploit their credibility to further propagate the malware. The campaign's global scope, characterized by a robust malvertising infrastructure that encompasses a multitude of ads masquerading as commonly used software and targets millions of users, underscores its significant threat potential.

Security Officer Comments:
The attackers' ability to leverage legitimate platforms like Meta to distribute malicious payloads highlights the importance of skepticism when encountering online advertisements. The use of advanced techniques such as packaging the malware as an ElectronJS application and evading sandboxes underscores the skill of the threat actors. To mitigate the risks associated with this campaign, users should exercise caution when clicking on online ads, especially those promoting software or services from unfamiliar sources. However, this can be especially difficult when victims are targeted with malicious ads published from hijacked Facebook accounts that appear legitimate. The continuous evolution of the malware and the rapid adaptation of social-engineering lures and TTPs highlight the need for a heightened focus on software controls and social media usage policies.

Suggested Corrections:
A truncated list of IOCs for this campaign is published here.

  • Scrutinize Ads: Be cautious about clicking on ads that offer free downloads or seem too good to be true, even on trusted platforms like Meta. Always verify the source before downloading any software.
  • Use Official Sources Only: Always download software directly from the official website, not through third-party platforms or file-sharing services.
  • Install Security Software and Keep It Updated: Install trustworthy security software and keep it up to date. Opt for security solutions that can detect evolving threats like SYS01.
  • Enable Two-Factor Authentication (2FA): Make sure 2FA is enabled on your Facebook account, particularly if you use it for business purposes. This will add an extra layer of security in case your credentials are compromised.
  • Monitor Your Facebook Business Accounts: Regularly check your business accounts for unauthorized access or suspicious activity. If you see unusual behavior, report it immediately to Facebook and change your login credentials.

Link(s):
https://thehackernews.com/2024/10/malvertising-campaign-hijacks-facebook.html

https://www.bitdefender.com/en-us/blog/labs/unmasking-the-sys01-infostealer-threat-bitdefender-labs-tracks-global-malvertising-campaign-targeting-meta-business-pages/