Attack campaign uses PHP-based infostealer to target Facebook business accounts

Over the past year, a group of attackers has targeted Facebook business account owners by spreading information stealing malware through malicious Google ads or fake Facebook profiles. 

The infection chain uses DLL sideloading via legitimate apps, as well as self-contained executable files written in various programming languages such as Rust, Python, and PHP.

“We have seen SYS01stealer attacking critical government infrastructure employees, manufacturing companies, and other industries," researchers from security firm Morphisec said in a new report. 

"The threat actors behind the campaign are targeting Facebook business accounts by using Google ads and fake Facebook profiles that promote things like games, adult content, and cracked software, etc. to lure victims into downloading a malicious file. The attack is designed to steal sensitive information, including login data, cookies, and Facebook ad and business account information."

This campaign has also been reported in the past by researchers from Zscaler, who attributed it to DUCKTAIL, a Vietnam-based hacker group that similarly specialises in infiltrating Facebook business accounts. 

However, the Morphisec researchers believe this attribution is wrong. The DUCKTAIL attacks, which have been going on since 2021, seem to be more targeted and sophisticated with the end goal of abusing the payment methods associated with the hijacked accounts to run ads on the platform.

DLL sideloading variations

The Morphisec researchers have tracked and analysed several of the SYS01stealer attacks going back to May 2022 and have seen different variations develop over time. 

Almost all the attacks, whether distributed from Facebook profile or through malvertizing, involve a ZIP file that is presented as games, movies, cracked applications and even nude pictures. 

This file usually contains an executable that's part of a legitimate application along with a malicious DLL that will be loaded when the executable is run.

This technique is known as DLL sideloading or DLL hijacking and impacts legitimate applications that are configured to load specific DLLs using relative paths. 

This means that instead of specifying an exact location of where a DLL is to be found using an absolute path, the application will let the Windows API search for the DLL, and one of the locations searched will be the current working directory -- the directory from which the executable was opened.

This means that attackers can place such an executable in a folder along with a DLL named like the one the application is known to look for, their rogue DLL will be loaded into memory. 

Since the loading is done by a legitimate executable file that's probably digitally signed and known not to be malicious, some security solutions might not flag the DLL. 

If the user is suspicious, they will likely scan the clean .exe file using a service like VirusTotal and not the accompanying DLL, especially since it has the hidden attribute and might not even appear in File Explorer.

In one attack variation the researchers saw the attackers abused WDSyncService.exe, an executable that's part of WD Sync, an application developed by storage device manufacturer Western Digital. 

In another instance they used ElevatedInstaller.exe, an application by technology firm Garmin. Both applications have a DLL sideloading vulnerability and attempt to load DLLs called WDSync.dll and vcruntime140.dll, respectively.

Infection chain leads to SYS01stealer

The malicious DLL is a malware loader that executes additional hidden executable files or extracts them from .dat or .txt files hidden in the same ZIP archive. 

These files are created with different programming languages such as Rust or Python and are used to set up scheduled tasks, download decoy files and display them to the victim or prompt decoy errors.

The final payload is also downloaded from a command-and-control (CC) server and is always an installer created with the Inno-Setup that deploys a trojan program the researchers have dubbed SYS01stealer. 

This malicious program is written in PHP, which is normally a web scripting language, so it needs the PHP runtime (php.exe) to be executed. The PHP runtime is included in the installer and the command executed is php.exe include.php.

Include.php is the script responsible for deploying scheduled tasks for persistence and loads index.php, which contains the account stealing logic. 

The package also includes a file called rhc.exe which is used to hide the window of started programs and a Rust executable (sometimes named rss.txt) whose goal is to decrypt the encryption key that Chromium-based browsers use to protect sensitive site data, such as session cookies.

The SYS01stealer script contacts a command-and-control server and sends identifying information about the victim. The CC server responds with tasks for the script. One task is named get_ck_all and is used to extract all cookies and login data from all Chromium-based browsers installed on the system.

"The attack additionally checks whether the user has a Facebook account logged in or not. It does this by checking if the cookie hostname contains facebook.com and collects the session specific cookies xs and c_user that store the user ID and session secret respectively," the researchers said.

The extracted information is then used to query Facebook’s graph API and extract all available information about the victim's account, which is then uploaded back to the CC server.

Another implemented task is dlAR, which stands for download and run. As the name implies, the script will download a file from a given URL and execute it on the system using specified parameters. 

The attackers seem to be using this to update the stealer by downloading an updated loader that also uses DLL sideloading, this time by abusing the Western Digital WD Discovery app along with a malicious WDLocal.dll.

Other implemented tasks are called upload, which is used to upload a specified local file back to the CC, and r, which is used to execute a specified command via the Windows command-line prompt and post the result to the server.

"Basic steps to help prevent SYS01stealer include implementing a zero-trust policy and limiting users' rights to download and install programs,'' the Morphisec researchers said. "And SYS01stealer at heart relies on a social engineering campaign, so it’s important to train users about the tricks adversaries use so they know how to spot them."