
SYS01 Campaign Uses Multiple Attack Evasion Tactics; Stayed Invisible for Five Months

A newly discovered campaign is spreading an advanced information stealer, dubbed SYS01 stealer, targeting Facebook business accounts and Ads. It uses a combination of multiple prominent attack evasion tactics to hide its malicious activities, which makes it stand out from typical info-stealers.

SYS01 stealer campaign

Morphisec researchers have been tracking this info-stealer since November 2022. The campaign uses lures and loading tactics similar to those of another info-stealer, S1deload, but the final payload it delivers is different.
  • It targets employees of organizations in critical government infrastructure, manufacturing, and other industries.
  • It aims to steal sensitive information, including login credentials, cookies, and details of Facebook business accounts and Facebook Ads.

The infection chain

The attack begins with a fake Facebook profile or an advertisement pretending to be an application, adult content, cracked software, game, or movie, luring victims to click on the link to download the advertised content.
  • When clicked, the link leads to a loader, usually a legitimate C# application. It is vulnerable to side-loading attacks and comes with malicious DLL files hidden inside it.
  • The loader then drops an Inno Setup installer, a legitimate tool for script-driven installations. It decompresses and runs a custom PHP application named SYS01 that contains multiple encrypted scripts meant to steal and exfiltrate information.

Additional details

Besides the usual info-stealer functionality, the malware has several additional features that help it evade detection by security tools and maintain persistence on the infected machine.
  • The malware interacts with the C2 server to deploy further malware payloads. For each run, the malicious script shuffles and fetches a different domain from a pre-defined list, which is used as a C2 server for that victim.
  • It uses the commercial PHP encoders Zephir and ionCube to encode and obfuscate the malicious PHP scripts.
  • It establishes persistence on the infected system via two scheduled tasks. The first task is run upon log-in, while the second is triggered every two minutes.
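As an added defender-side example (not code from Morphisec or from the original post), the following Python hunt parses exported Task Scheduler definitions and flags the two persistence patterns described above: a task that runs at logon, and a task that repeats every two minutes. It assumes the task XML was exported with `schtasks /query /xml`; the three task definitions embedded below are constructed sample data, not artifacts captured from the campaign.

```python
import re
import xml.etree.ElementTree as ET

# Task Scheduler XML namespace used by `schtasks /query /xml` exports
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Two-minute repetition interval in the ISO 8601 duration form Task Scheduler uses
TWO_MINUTES_RE = re.compile(r"^PT(?:0*2M|120S)$")


def analyze_task(task_xml: str) -> dict:
    """Report which of the two persistence traits a task definition shows."""
    root = ET.fromstring(task_xml)
    triggers = root.find("t:Triggers", NS)
    logon = triggers is not None and triggers.find("t:LogonTrigger", NS) is not None
    two_minute = False
    if triggers is not None:
        for interval in triggers.iterfind(".//t:Repetition/t:Interval", NS):
            if TWO_MINUTES_RE.match((interval.text or "").strip()):
                two_minute = True
    commands = [c.text.strip() for c in root.iterfind(".//t:Actions/t:Exec/t:Command", NS) if c.text]
    return {"logon_trigger": logon, "two_minute_repeat": two_minute, "commands": commands}


def suspicious(task_xml: str) -> bool:
    """True if the task uses either trigger pattern from the report."""
    r = analyze_task(task_xml)
    return r["logon_trigger"] or r["two_minute_repeat"]


def hunt(tasks: dict) -> list:
    """Return the names of suspicious tasks from a {name: xml} mapping."""
    return sorted(name for name, xml in tasks.items() if suspicious(xml))


# Constructed sample task definitions (paths are placeholders, not campaign IoCs)
LOGON_TASK = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions><Exec><Command>C:\\ProgramData\\example\\run.cmd</Command></Exec></Actions>
</Task>"""
REPEAT_TASK = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><StartBoundary>2023-01-01T00:00:00</StartBoundary>
    <Repetition><Interval>PT2M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
  </TimeTrigger></Triggers>
  <Actions><Exec><Command>C:\\ProgramData\\example\\run.cmd</Command></Exec></Actions>
</Task>"""
BENIGN_TASK = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2023-01-01T03:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Actions><Exec><Command>C:\\Windows\\System32\\cleanmgr.exe</Command></Exec></Actions>
</Task>"""
```

Logon triggers and short repetition intervals are also used by legitimate software, so treat a hit as a lead to review the task's command and its binary, not as a verdict on its own.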

The bottom line

By combining multiple tactics, including social engineering, DLL side-loading, commercial PHP encoders for code obfuscation, and rotation of C2 server domains, SYS01 stealer was able to stay under the radar for more than five months. This highlights the rapid evolution of evasion tactics used by malware developers, and it demands that organizations adopt a proactive approach to security and regularly review and upgrade their strategies to keep pace with this ever-evolving threat landscape.
Publisher: Cyware