Researchers at cybersecurity firm Bitdefender Labs have now revealed that cybercriminals are targeting Facebook users with a new campaign leveraging Meta’s advertising network to spread the SYS01 infostealer malware.
Bitdefender Labs researchers Ionut Alexandru BALTARIU, Nicolae POSTOLACHI and Alina BÎZGĂ said in the latest report that attackers are impersonating popular brands such as Netflix, Office 365 and CapCut to trick users into downloading malware.
Targeting primarily elderly male users, the campaign seeks to hijack accounts and collect personal information from unsuspecting victims.
Imitate popular brands
Bitdefender’s report highlights that hackers have been using Facebook ads to mimic legitimate software from popular brands.
Fake ads promoted Netflix with enticing claims of “free, ad-free” streaming, as well as productivity and editing tools, virtual private networks (VPNs), messaging apps, and even video games.
“These ads direct users to MediaFire, a cloud storage service, where they can directly download malicious ZIP files.
“The file contains an Electron application embedded with SYS01 malware, which runs in the background mimicking the appearance of the advertised app,” the report said.
Malware and how it works
The report explained that the SYS01 malware was designed to evade detection by security tools using several tactics, such as sandbox detection and real-time updates from command and control servers.
- Bitdefender researchers added that once cybersecurity companies start blocking certain versions of malware loaders, hackers quickly modify the code to push out new ads that evade the latest security updates.
- This allows cybercriminals to keep the SYS01 infostealer hidden from cybersecurity tools, thereby extending the life of the malware on the Meta platform.
- This campaign primarily focuses on business pages and aims to gain access to users’ Facebook accounts.
- Once these accounts are compromised, cybercriminals can expand their reach without immediately arousing suspicion, using the hijacked accounts as a platform from which to run additional malicious advertisements.
- Bitdefender has identified nearly 100 domains linked to this campaign, which has spread globally, affecting potential victims across Europe, North America, Australia, and Asia.
What you need to know
- First discovered in September 2024, the malware has already affected millions of Facebook users around the world, particularly men aged 45 and older.
- Bitdefender warns that the SYS01 malware campaign continues to evolve, with new ads appearing every day to reach more users.
- This new threat has once again highlighted the importance of vigilance when clicking on ads or downloading software, even on seemingly legitimate platforms.
- As cybersecurity companies continue to race to keep up with ever-evolving tactics, Facebook users should be wary of unexpected offers or ads, especially those promising free services from popular brands.