Cybercriminals have launched a new campaign targeting Facebook users. They’re exploiting Meta’s advertising to mimic legitimate services and spread the SYS01 infostealer malware, which can hijack accounts and personal information, Bitdefender warns.
Bitdefender Labs discovered an ongoing attack that impersonates popular brands, such as Netflix, Office 365, CapCut, and others, on a massive scale.
At the center of this campaign is the SYS01 infostealer malware, distributed across multiple Meta platforms.
“The malvertising campaign that has been wreaking havoc on Meta platforms for at least a month is continuously evolving, with new ads appearing daily,” the researchers said in a report.
Cybercriminals place ads that impersonate commonly used software tools. One of the observed ads mimics Netflix and lures users with “free, no ads” streaming. Other ads are disguised as productivity, video or photo editing tools, virtual private networks, instant messaging software, or even video games.
“Some ads might end up running for weeks, targeting mainly senior men.”
These ads typically include or refer to a link to the cloud storage service MediaFire, which allows direct download of malicious software. The payload is packaged as a .zip archive containing an Electron application (a cross-platform application built using HTML, CSS, JavaScript, and other web technologies). The malicious code is embedded in the app and will drop and execute the malware.
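The packaging described above (a .zip wrapping an Electron application) gives defenders a simple triage signal: an archive downloaded from an ad link that carries the Electron build layout deserves a closer look. The following script is an added example, not Bitdefender's code and not part of the original article. It inspects a .zip in memory and reports Electron-layout markers, bundled executables, and the `main` entry of any `package.json`; the marker file names (`resources/app.asar`, `chrome_100_percent.pak`, and so on) are assumptions based on the usual Electron build layout, not indicators published in the report, and the sample archive is constructed inline so the script runs offline.

```python
"""Triage check: does a downloaded .zip look like a packaged Electron app?

Added example (not Bitdefender's code, not from the original article).
Assumes the packaging the article describes: a .zip wrapping an Electron
application. The marker file names below are the typical Electron build
layout, chosen here as heuristics.
"""
import io
import json
import zipfile

# Heuristic markers of an Electron build (assumed typical layout, not
# indicators taken from the report).
ELECTRON_MARKERS = (
    "resources/app.asar",
    "resources/app/package.json",
    "resources/electron.asar",
    "chrome_100_percent.pak",
    "libEGL.dll",
)

EXEC_SUFFIXES = (".exe", ".bat", ".cmd", ".ps1", ".vbs")


def electron_indicators(zip_bytes: bytes) -> dict:
    """Return findings for a zip archive held in memory."""
    findings = {"electron_files": [], "executables": [], "package_main": None}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            lower = name.lower()
            # Markers may sit beneath a top-level folder, so match on suffix.
            if any(lower.endswith(m.lower()) for m in ELECTRON_MARKERS):
                findings["electron_files"].append(name)
            if lower.endswith(EXEC_SUFFIXES):
                findings["executables"].append(name)
            if lower.endswith("package.json"):
                try:
                    pkg = json.loads(zf.read(name))
                    findings["package_main"] = pkg.get("main")
                except (ValueError, UnicodeDecodeError):
                    pass  # malformed manifest; keep the other findings
    return findings


def looks_like_electron_app(zip_bytes: bytes) -> bool:
    """True when the archive carries Electron layout markers or a manifest."""
    f = electron_indicators(zip_bytes)
    return bool(f["electron_files"]) or f["package_main"] is not None


def build_sample_zip() -> bytes:
    """Constructed sample: a minimal Electron-shaped archive (not real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("VideoEditorPro/VideoEditorPro.exe", b"MZ...")
        zf.writestr("VideoEditorPro/resources/app.asar", b"\x00" * 16)
        zf.writestr("VideoEditorPro/resources/app/package.json",
                    json.dumps({"name": "editor", "main": "main.js"}))
        zf.writestr("VideoEditorPro/chrome_100_percent.pak", b"")
    return buf.getvalue()


def build_plain_zip() -> bytes:
    """Constructed sample: an ordinary archive with no Electron layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photos/readme.txt", "nothing to see")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip()
    print(electron_indicators(sample))
    print("electron-like:", looks_like_electron_app(sample))
    print("plain archive electron-like:", looks_like_electron_app(build_plain_zip()))
```

Treat a positive result as a triage signal rather than a verdict: plenty of legitimate software ships as Electron, so the useful combination is the layout match together with the download context the article describes (an ad-promoted link to a file-hosting service rather than a vendor site).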
“In many cases, the malware runs in the background while a decoy app – often mimicking the ad-promoted software – appears to function normally, making it difficult for the victim to realize they’ve been compromised,” Bitdefender noted.
The complete infection chain includes multiple steps to hide from security tools.
The goal of the SYS01 infostealer appears to be gaining intel about Facebook accounts, especially business pages. The malware can dynamically update the command and control servers and obtain new commands from them in real-time. The information gathered from the victims can be used for other malicious purposes or sold on the dark web.
Bitdefender discovered nearly a hundred malicious domains utilized by the malvertising campaign.
“They use advanced evasion tactics to keep the infostealer hidden from cybersecurity tools. The malware employs sandbox detection,” Bitdefender researchers said.
“When cybersecurity firms begin to flag and block a specific version of the loader, the hackers respond swiftly by updating the code. They then push out new ads with updated malware that evades the latest security measures.”
The hacked Facebook accounts feed the campaign by providing resources to launch even more ads. Cybercriminals use compromised Facebook Business accounts to scale malicious ads without arousing suspicion.
First detected in September 2024, the campaign already has a global reach, exposing millions of potential victims in the EU, North America, Australia, and Asia. Males aged 45 and above appear to be a prime target.