
How SYS01 stealer will get your sensitive Facebook info

Starting in November 2022, Morphisec has been tracking an advanced info stealer we have named “SYS01 stealer.” SYS01 stealer uses similar lures and loading techniques to another information stealer recently dubbed S1deload by the Bitdefender group, but the actual payload (stealer) is different.

We have seen SYS01 stealer attacking critical government infrastructure employees, manufacturing companies, and other industries. The campaign's threat actors target Facebook business accounts by using Google ads and fake Facebook profiles that promote games, adult content, cracked software, etc., to lure victims into downloading a malicious file. The attack steals sensitive information, including login data, cookies, and Facebook ad and business account information.

The attack begins by luring a victim into clicking a URL from a fake Facebook profile or advertisement, which downloads a ZIP file that pretends to contain an application, game, movie, etc. The infection chain is divided into two parts: the loader, and the Inno-Setup installer that drops the final payload.

How to combat the stealer?

Basic steps to help prevent SYS01 stealer include implementing a zero-trust policy and limiting users’ rights to download and install programs. At heart, SYS01 stealer relies on a social engineering campaign, so it’s important to train users about the tricks adversaries use so they know how to spot them.

But humans are fallible, and limiting device functionality is not always possible when you need to ensure practical business functions. This is why the best protection is all of the above, plus a Defense-in-Depth approach. Security tools like next-generation anti-virus (NGAV), endpoint protection platforms (EPP), and endpoint detection and response (EDR, XDR, and MDR) are necessary but not sufficient to stop stealers like SYS01 stealer.

This is because detection-based tools don’t always flag benign executables used to side-load payloads during delivery and/or execution. And malicious payloads are also sometimes encrypted/packed or obfuscated until loaded into runtime memory, which detection-based tools struggle to effectively scan. The most effective way to secure runtime memory is with Moving Target Defense (MTD) technology. MTD morphs—randomizes—the runtime memory environment to create a dynamic attack surface and leaves decoy traps where targets used to be.

Written by Arnold Osipov, malware researcher at Morphisec.

This is a shortened version of an article reprinted with permission. For the full article, please click here.
