Malvertising Campaign Hijacks Facebook Accounts to Spread SYS01stealer Malware
Summary:
A sophisticated malvertising campaign leveraging Meta's advertising platform has been actively targeting users for at least a month. The campaign, which primarily focused on distributing the SYS01 infostealer, has evolved to deliver the malware via an ElectronJS application, significantly broadening its reach. The SYS01 infostealer was first documented in early 2023. The attacks aggressively impersonate popular software and services to entice victims into clicking malicious ads; once clicked, the ads redirect users to deceptive websites hosting the malware. The attacks often run a decoy app mimicking the software promoted in the malicious ad while executing the malware in the background. SYS01 is designed to steal sensitive information such as login credentials, browsing history, and Facebook business account data. The adversary can use that Facebook account data to hijack the accounts and exploit their credibility to further propagate the malware. The campaign's global scope, with a robust malvertising infrastructure of many ads masquerading as commonly used software and targeting millions of users, underscores its significant threat potential.
Security Officer Comments:
The attackers' ability to leverage legitimate platforms like Meta to distribute malicious payloads highlights the importance of skepticism toward online advertisements. The use of techniques such as ElectronJS application packaging and sandbox evasion underscores the skill of the threat actors. To mitigate the risks associated with this campaign, users should exercise caution when clicking online ads, especially those promoting software or services from unfamiliar sources. This is especially difficult, however, when victims are targeted with malicious ads published from the hijacked Facebook accounts themselves. The continuous evolution of the malware and the rapid adaptation of social-engineering lures and TTPs highlight the need for a heightened focus on software controls and social media usage policies.
Suggested Corrections:
A truncated list of IOCs for this campaign is published in the reports linked below.
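The practical next step for a SOC is to ingest that IOC list and sweep web-proxy or DNS logs for contacts with the campaign's ad-landing domains and downloaded payloads. The following is an added example (not code from this advisory or from Bitdefender's report) of such a sweep; the "type,value" feed format, the IOC values, and the proxy log lines are all constructed placeholders, to be replaced with the indicators from the linked report and your own log format.

```python
"""Sweep web-proxy logs for published IOCs (domains and payload hashes).

Added example, not from the advisory or the linked report. Every IOC value
and log line below is a CONSTRUCTED placeholder (reserved .example domains,
a dummy SHA-256), and the "type,value" feed layout is an assumption.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed IOC feed (placeholders, not the campaign's real indicators).
IOC_FEED = """\
# type,value
domain,ads-software-download.example
domain,free-video-editor-download.example
sha256,0000000000000000000000000000000000000000000000000000000000000001
"""

# Constructed proxy log lines: timestamp, client, method, URL, status, extra.
# The "extra" column carries the response body hash when the proxy records one.
PROXY_LOG = """\
2024-10-01T10:00:01Z 10.0.0.5 GET https://www.facebook.com/ads/manage 200 -
2024-10-01T10:00:09Z 10.0.0.5 GET https://ads-software-download.example/setup.zip 200 sha256=0000000000000000000000000000000000000000000000000000000000000001
2024-10-01T10:01:00Z 10.0.0.7 GET https://cdn.example.com/lib.js 200 -
2024-10-01T10:02:30Z 10.0.0.9 GET https://sub.free-video-editor-download.example/app.exe 200 -
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<extra>\S+)$"
)


@dataclass
class Hit:
    ts: str
    src: str
    url: str
    reasons: list = field(default_factory=list)


def parse_iocs(text):
    """Return {'domain': set, 'sha256': set} from a type,value feed."""
    iocs = {"domain": set(), "sha256": set()}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, value = line.split(",", 1)
        kind, value = kind.strip(), value.strip().lower()
        if kind == "domain":
            iocs["domain"].add(value.rstrip("."))
        elif kind == "sha256":
            # Reject malformed hashes early so a typo in the feed is noticed.
            if not re.fullmatch(r"[0-9a-f]{64}", value):
                raise ValueError(f"bad sha256 in feed: {value}")
            iocs["sha256"].add(value)
    return iocs


def host_matches(host, domains):
    """True if host equals an IOC domain or is a subdomain of one.

    Campaign landing pages are often served from subdomains, so matching
    the exact host only would miss them.
    """
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def scan_log(log_text, iocs):
    """Return a Hit for every log line touching an IOC domain or hash."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than abort the sweep
        url = m["url"]
        host = urlsplit(url).hostname or ""
        reasons = []
        if host_matches(host, iocs["domain"]):
            reasons.append(f"domain:{host}")
        extra = m["extra"]
        if extra.startswith("sha256="):
            digest = extra[len("sha256="):].lower()
            if digest in iocs["sha256"]:
                reasons.append(f"sha256:{digest[:12]}...")
        if reasons:
            hits.append(Hit(m["ts"], m["src"], url, reasons))
    return hits


if __name__ == "__main__":
    for h in scan_log(PROXY_LOG, parse_iocs(IOC_FEED)):
        print(h.ts, h.src, h.url, ", ".join(h.reasons))
```

Run as-is it reports two hits: the client that fetched the archive from an IOC domain (matched on both domain and hash) and the client that reached a subdomain of a second IOC domain. Because the list in the report is truncated, a clean sweep is not proof of absence; pair it with the software-control and social-media-policy measures above.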
Link(s):
https://thehackernews.com/2024/10/malvertising-campaign-hijacks-facebook.html
https://www.bitdefender.com/en-us/blog/labs/unmasking-the-sys01-infostealer-threat-bitdefender-labs-tracks-global-malvertising-campaign-targeting-meta-business-pages/