Drawing on extensive proprietary research, Trustwave SpiderLabs believes the threat actors behind the Facebook malvertising infostealer SYS01 are the same group that developed the previously reported Rilide malware.
Facebook Malvertising Epidemic – Unraveling a Persistent Threat: SYS01 – Part 2 lays out evidence tying the latest Rilide version (V4) to SYS01. The report noted that the code of the two malware families overlaps in too many areas to be a simple coincidence. Additionally, the team found that some Rilide campaigns prepare for a follow-on SYS01 attack in the same way.
SpiderLabs didn’t intend to find a connection between SYS01 and Rilide, but such associations are a common occurrence.
“We weren't really too surprised about the connection, as threat groups tend to utilize the same/similar malware when conducting campaigns,” said Greg Monson, Manager of the SpiderLabs Cyber Threat Intelligence Team.
SpiderLabs has been at the forefront of this investigation for more than a year, posting a detailed investigation of SYS01 in the July 15 blog Facebook Malvertising Epidemic – Unraveling a Persistent Threat: SYS01 after having uncovered Rilide in August 2023. The SYS01 report itself is an offshoot of previous research SpiderLabs conducted into Ov3r_Stealer, an infostealer distributed using Facebook advertising and phishing emails that stole credentials and crypto wallets.
The danger SYS01 and other social media-focused malware campaigns pose is that they rarely stand out as a threat to the average person.
“Most typical users wouldn't think twice about an advertisement they see on a popular social media platform, but users should remain vigilant even when doing normal browsing activity, as it only takes one slip up to have major implications,” said Monson.
On top of this major revelation, Trustwave SpiderLabs conducted a top-to-bottom review of SYS01, detailing updates to the malware's capabilities and the evolution of how a SYS01 campaign is conducted.
The updates include a defensive-evasion capability in which a script retrieves the system's hardware configuration through Windows Management Instrumentation Command-line (WMIC), a fallback command-and-control server used if the primary C2 servers become inaccessible, and an updated exfiltration process.
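As an added defender-side example (not code from Trustwave SpiderLabs or from the SYS01 report): the report states that the new SYS01 build uses a script to pull the system's hardware configuration through WMIC. One way to surface that behaviour in endpoint telemetry is to check process-creation events for WMIC launched from a scripting host with hardware-related aliases or WMI classes on its command line. The pipe-delimited event format, the list of hardware-related WMIC aliases, and the set of script-host parent processes below are assumptions constructed for this illustration, not details taken from the report.

```python
"""Flag process-creation events where WMIC enumerates hardware configuration.

Added example for this summary; not Trustwave SpiderLabs code. The event
format, alias list and script-host list are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# WMIC aliases and WMI classes that return hardware configuration.
# Assumption: the report only says SYS01 retrieves the system's hardware
# configuration via WMIC; this is a plausible subset, not the report's list.
HARDWARE_TERMS = frozenset({
    "computersystem", "win32_computersystem",
    "csproduct", "win32_computersystemproduct",
    "bios", "win32_bios",
    "baseboard", "win32_baseboard",
    "diskdrive", "win32_diskdrive",
    "cpu", "win32_processor",
})

# Parents that indicate WMIC was launched from a script rather than typed
# interactively by an administrator (assumed set).
SCRIPT_HOSTS = frozenset({
    "cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe",
})


@dataclass(frozen=True)
class Finding:
    host: str
    parent: str
    cmdline: str
    terms: Tuple[str, ...]
    from_script_host: bool


def basename(path: str) -> str:
    """Return the final component of a Windows path, lower-cased, quotes removed."""
    return path.strip('"').rsplit("\\", 1)[-1].lower()


def wmic_hardware_terms(cmdline: str) -> Tuple[str, ...]:
    """Return the hardware-related WMIC aliases/classes on a command line.

    Returns an empty tuple if the command is not WMIC or it queries nothing
    hardware-related (e.g. 'wmic os get caption').
    """
    tokens = [t.strip('"').lower() for t in cmdline.split()]
    if not tokens or basename(tokens[0]) not in ("wmic", "wmic.exe"):
        return ()
    # Covers both the alias form ('wmic bios get ...') and the class form
    # ('wmic path win32_bios get ...'), since both spellings are listed.
    return tuple(t for t in tokens[1:] if t in HARDWARE_TERMS)


def parse_event(line: str) -> Optional[Tuple[str, str, str, str]]:
    """Parse one constructed event: host|parent_image|image|command_line."""
    parts = line.rstrip("\n").split("|", 3)
    if len(parts) != 4:
        return None
    host, parent, image, cmdline = parts
    return host, parent, image, cmdline


def scan_events(lines: List[str]) -> List[Finding]:
    """Run the WMIC hardware-enumeration check over process-creation events."""
    findings: List[Finding] = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        host, parent, image, cmdline = ev
        if basename(image) != "wmic.exe":
            continue
        terms = wmic_hardware_terms(cmdline)
        if terms:
            findings.append(Finding(host, parent, cmdline, terms,
                                    basename(parent) in SCRIPT_HOSTS))
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    r"WS01|C:\Windows\System32\cmd.exe|C:\Windows\System32\wbem\WMIC.exe|wmic computersystem get model,manufacturer",
    r"WS01|C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe notes.txt",
    r"WS02|C:\Windows\System32\wscript.exe|C:\Windows\System32\wbem\WMIC.exe|wmic path win32_bios get serialnumber",
    r"WS03|C:\Windows\System32\cmd.exe|C:\Windows\System32\wbem\WMIC.exe|wmic os get caption",
    r'WS04|C:\Windows\explorer.exe|C:\Windows\System32\wbem\WMIC.exe|"C:\Windows\System32\wbem\WMIC.exe" csproduct get uuid',
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"{f.host}: WMIC hardware query {f.terms} "
              f"parent={basename(f.parent)} script_host={f.from_script_host}")
```

The `from_script_host` flag is what separates the case the report describes (a script driving WMIC) from an administrator running the same query by hand; a rule would typically alert on the former and only log the latter. Queries against non-hardware aliases such as `os` are deliberately ignored so that routine inventory scripts do not flood the queue.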
The research also looks at how SYS01 campaigns have developed since they were first uncovered in 2022 and includes an analysis of the command-and-control infrastructure the threat actors use.
The report shows that the SYS01 malware campaign is a complex challenge within the realm of cybersecurity. Recent iterations of this malware underscore the ongoing evolution of threat actors' strategies and the sophistication of their tools to bypass detection.
Monson concluded, “The evolution from its initial versions to the latest release underscores enhancements and serves as a constant reminder that malicious actors will continue to refine their TTPs, even if using common delivery methods for their malware, to have the most effective impact they can on their victims.”
Please download the complete Facebook Malvertising Epidemic – Unraveling a Persistent Threat: SYS01 – Part 2 report for all the details and technical information needed to best understand how the threat actors operate.