Ongoing malvertising campaign hijacks Facebook accounts to distribute SYS01Stealer malware

Cybersecurity researchers have uncovered a sophisticated malvertising campaign leveraging Meta’s advertising platform and hijacked Facebook accounts to spread malware known as SYS01Stealer. The campaign, targeting a broad range of Facebook users, has been active for at least a month, cybersecurity firm Bitdefender said in its new report.

Originally documented by Morphisec in early 2023, SYS01Stealer was first observed targeting Facebook business accounts through malicious Google ads and fake Facebook profiles. Early campaigns promoted games, adult content, and cracked software to lure in victims. The malware’s primary objectives include harvesting Facebook credentials, especially those linked to business accounts, which provide access to a wealth of valuable information.

“The hijacked Facebook accounts serve as a foundation for scaling up the entire operation,” Bitdefender explained. “Each compromised account can be repurposed to promote additional malicious ads, amplifying the reach of the campaign without the hackers needing to create new Facebook accounts themselves.”

In this campaign, the threat actors use Meta’s advertising platform to promote fake advertisements for popular software tools, including productivity applications, editing software (such as CapCut, Canva, and Adobe Photoshop), VPNs, and entertainment platforms such as Netflix and Telegram.

The attackers behind SYS01Stealer have set up an extensive command-and-control (C2) infrastructure, spanning nearly a hundred malicious domains, allowing operators to adjust tactics on the fly.

“In addition to using hijacked accounts to fund and promote their campaigns, cybercriminals can also monetize the stolen credentials by selling them on underground marketplaces, with Facebook Business accounts being highly valuable. The stolen personal information, including login data, financial info, and security tokens, can be sold to other malicious actors who may attempt to use it to fuel identity theft crimes and other attacks, turning each new victim into a revenue stream,” Bitdefender said.
