Cybersecurity experts have uncovered a new information stealer called SYS01stealer, which targets critical government infrastructure employees, manufacturing companies, and other sectors.
Israeli cybersecurity firm Morphisec reports that the attack campaign aims to steal sensitive information, such as login data, cookies, and Facebook ad and business account information.
The attackers lure victims into clicking on a URL from a fake Facebook profile or advertisement to download a ZIP archive that purports to be cracked software or adult-themed content.
The ZIP file launches a legitimate C# application that’s vulnerable to DLL side-loading, allowing the attacker to load a malicious dynamic link library (DLL) file alongside the app.
The stealer then harvests Facebook cookies from Chromium-based web browsers and exfiltrates the victim’s Facebook information to a remote server. It can also download and run arbitrary files and upload files from the infected host to the command-and-control (C2) server.
This campaign highlights the use of DLL side-loading, which can trick Windows systems into loading malicious code, enabling threat actors to hijack legitimate and even signed applications to load and execute malicious payloads.