In a digital world where advertising is king, businesses and organisations are not the only ones using this powerful tool. Cybercriminals have a knack for exploiting the engine that powers online platforms by corrupting the vast reach of advertising to distribute malware en masse.
While legitimate businesses rely on ads to reach new audiences, hackers exploit these platforms to trick users into downloading harmful software. Malicious ads often seem to promote legitimate software, streaming services, or products, making it difficult for users to distinguish between safe and dangerous content.
Bitdefender Labs has been tracking malvertising for years, analysing how cybercriminals use these tactics to target people across the globe. Our latest research focuses on a growing campaign leveraging Meta's advertising platform to spread the SYS01 InfoStealer malware.
This ongoing attack impersonates popular brands to distribute malware that steals personal data. The scale and sophistication of this malvertising campaign highlight how far cybercriminals have come in weaponising ads for their own gain.
Key Findings
- Ongoing Attack: The malvertising campaign that has been wreaking havoc on Meta platforms for at least a month is continuously evolving, with new ads appearing daily. The SYS01 InfoStealer malware has become a central weapon in this campaign, effectively targeting victims across multiple platforms.
- Electron Delivery and Broadened Impersonation: Unlike previous malvertising campaigns, SYS01 is now delivered through an Electron application. To maximise reach, the threat actors have begun impersonating a wide range of well-known software tools, increasing the likelihood of reaching a broader user base.
- Extensive Use of Malicious Domains: The malvertising campaign leverages nearly a hundred malicious domains, utilised not only for distributing the malware but also for live command and control (C2) operations, allowing threat actors to manage the attack in real time.
- Mass Brand Impersonation: The hackers behind the campaign use trusted brands to expand their reach. Bitdefender Labs researchers observed hundreds of ads impersonating popular video editing software such as CapCut, productivity tools such as Office 365, video streaming services such as Netflix, and even video games. The widespread impersonation increases the likelihood of drawing in a broad audience, making the campaign highly effective.
- Global Reach: The scope of this attack is global, with potential victims in the millions across the EU, North America, Australia and Asia, and with males aged 45 and above the most targeted demographic. While Meta provides some data on ad reach within the EU, there is little transparency on how these malicious ads are affecting users outside this region, especially in the US.
- Dynamic Evasion Tactics: Threat actors continuously evolve their strategies, adapting malicious payloads almost in real time to avoid detection. Once antivirus companies detect and block a version of the malware dropper, hackers enhance obfuscation methods and re-launch new ads with updated versions.
The Malicious Advertising Campaign
While malware distributed through social media ads is nothing new in the cybercriminal ecosystem, a campaign that started in September stood out because of the malicious samples distributed and the generic impersonation approach the cybercriminals used. Bitdefender has previously analysed infostealers distributed through ads that impersonated AI software or that promised "provocative" content.
In the current campaign, the threat actors impersonate a multitude of software tools related to productivity, video or photo editing (CapCut, Canva, Adobe Photoshop), virtual private networks (Express VPN, VPN Plus), movie streaming services such as Netflix, instant messaging software such as Telegram, and even video games.
We have observed two approaches to impersonating video games. The first was promoting Super Mario Bros Wonder advertisements that directly offered malicious samples. The second was reusing malicious domains that impersonated a generic video game download platform listing well-known titles or recent hits such as Black Myth: Wukong. The threat actors also changed the download mechanism for newer samples, which were otherwise similar to the ones obtained from previous ads.
Considering the multitude of impersonated entities, the number of distributed ads, which is in the thousands, and the reach of particular ads of tens of thousands of people, it would be safe to say that this malicious advertising infrastructure could reach millions of people. Even if most of the audience does not interact with the advertisements or does not download the malicious samples, such a large potential victim pool virtually guarantees success.
The ads typically point to a MediaFire link, or to a page that leads to one, allowing direct download of the malicious software. The samples come as a .zip archive containing an Electron application. While the structure of the extracted archive differs from sample to sample, the infection method remains the same: the JavaScript code embedded in the Electron app drops and executes the malicious payload.
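As an added example (not Bitdefender's tooling and not code from the campaign), the following Python script triages such a .zip offline: it locates the Electron entry point named in package.json, whether the app ships unpacked under resources/app/ or packed into resources/app.asar, extracts that script and flags JavaScript that reaches for process-spawning APIs or a bundled PHP interpreter. The sample archive, the CapCut naming and the dropper stub it builds are constructed for the demonstration, and the indicator list is a heuristic for analyst triage, not a signature for SYS01.

```python
"""Offline triage of an Electron app delivered inside a .zip.
Added example for this article; not Bitdefender's tooling. The sample
archive built at the bottom is constructed for the demonstration."""
import io
import json
import re
import struct
import zipfile

# Heuristic indicators looked for in the Electron entry script (our labels).
INDICATORS = {
    "child_process": r"require\(\s*['\"]child_process['\"]\s*\)",
    "process_spawn": r"\b(?:spawn|exec|execSync|execFile)\s*\(",
    "powershell": r"powershell",
    "php_interpreter": r"\bphp(?:\.exe)?\b",
    "base64_blob": r"Buffer\.from\(\s*['\"][A-Za-z0-9+/=]{40,}['\"]\s*,\s*['\"]base64['\"]",
}


def parse_asar(blob: bytes) -> dict:
    """Return {relative_path: bytes} for every file in an asar archive.
    Layout: uint32 4, uint32 header_len, uint32 padded_json_len + 4,
    uint32 json_len, JSON index padded to 4 bytes, then the file data."""
    header_len = struct.unpack_from("<I", blob, 4)[0]
    json_len = struct.unpack_from("<I", blob, 12)[0]
    index = json.loads(blob[16:16 + json_len])
    data_start = 8 + header_len
    files = {}

    def walk(node, prefix):
        for name, meta in node["files"].items():
            if "files" in meta:
                walk(meta, prefix + name + "/")
            else:
                off = data_start + int(meta["offset"])
                files[prefix + name] = blob[off:off + meta["size"]]

    walk(index, "")
    return files


def build_asar(files: dict) -> bytes:
    """Minimal asar writer, used only to construct the sample below."""
    index, data = {"files": {}}, b""
    for path, content in files.items():
        node, parts = index, path.split("/")
        for part in parts[:-1]:
            node = node["files"].setdefault(part, {"files": {}})
        node["files"][parts[-1]] = {"size": len(content), "offset": str(len(data))}
        data += content
    js = json.dumps(index).encode()
    padded = js + b"\0" * (-len(js) % 4)
    header = struct.pack("<II", 4 + len(padded), len(js)) + padded
    return struct.pack("<II", 4, len(header)) + header + data


def collect_app_files(zip_bytes: bytes) -> dict:
    """Gather the app tree from resources/app/ or from any *.asar in the zip."""
    files = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.filename.endswith(".asar"):
                files.update(parse_asar(zf.read(info)))
            elif "/app/" in info.filename:
                files[info.filename.split("/app/", 1)[1]] = zf.read(info)
    return files


def triage(zip_bytes: bytes) -> dict:
    """Locate package.json 'main' and report which indicators the entry script hits."""
    files = collect_app_files(zip_bytes)
    pkg = files.get("package.json")
    if pkg is None:
        return {"electron": False, "entry": None, "hits": []}
    entry = json.loads(pkg).get("main", "index.js")
    src = files.get(entry, b"").decode("utf-8", "replace")
    hits = sorted(k for k, rx in INDICATORS.items() if re.search(rx, src, re.I))
    return {"electron": True, "entry": entry, "hits": hits}


# Constructed sample: a decoy "CapCut" Electron app whose main script launches a
# bundled PHP interpreter. Stub for the demo only; not the real dropper.
DROPPER_JS = b"""
const { execFile } = require('child_process');
const path = require('path');
// the decoy window would be created here
execFile(path.join(__dirname, 'bin', 'php.exe'), ['run.php']);
"""


def build_sample_zip(use_asar: bool) -> bytes:
    app = {
        "package.json": json.dumps({"name": "CapCut", "main": "main.js"}).encode(),
        "main.js": DROPPER_JS,
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("CapCut/CapCut.exe", b"MZ")  # placeholder for the Electron binary
        if use_asar:
            zf.writestr("CapCut/resources/app.asar", build_asar(app))
        else:
            for p, c in app.items():
                zf.writestr("CapCut/resources/app/" + p, c)
    return buf.getvalue()


if __name__ == "__main__":
    for packed in (False, True):
        print("asar" if packed else "unpacked", triage(build_sample_zip(packed)))
```

Run it against a real download by replacing build_sample_zip with the bytes of the archive; a hit on child_process or a PHP interpreter in the entry script of an app that claims to be a video editor is enough reason to detonate it in an isolated VM rather than on a workstation.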
In many cases, the malware runs in the background while a decoy app, often mimicking the ad-promoted software, appears to function normally, making it difficult for the victim to realise they've been compromised.
A core function of the infostealer is clearly to gather information about Facebook pages the victim can administer, which can then be used to run further malicious ads or sold on the dark web.
Evasion Tactics
The adaptability of the cybercriminals behind these attacks makes the SYS01 InfoStealer campaign especially dangerous. They use evasion tactics designed to keep the infostealer hidden from security tools. The malware performs sandbox detection and halts if it determines it is running in one of the controlled environments analysts use to examine malware, which lets it go undetected in many cases. In this campaign, anti-sandbox checks run before each of the main components executes: the JavaScript unpacker, the PHP script that establishes persistence, and the PHP infostealer itself.
When cybersecurity firms begin to flag and block a specific version of the loader, the hackers respond swiftly by updating the code. They then push out new ads with updated malware that evades the latest security measures.
Cybercriminals' Business Model
The success of this campaign is driven by a highly structured business model that makes this malicious operation self-sustaining:
- Hijacking Facebook Accounts to Power the Attack: A key goal of SYS01 InfoStealer is to harvest Facebook credentials, specifically those of Facebook Business accounts. Once hackers gain access to these accounts, they don't just exploit the personal data; they use the hijacked accounts to launch more malicious ads. With access to Facebook's advertising tools through compromised accounts, cybercriminals can create new malicious ads at scale without arousing suspicion. Because the ads come from legitimate Facebook Business accounts, they appear more credible and bypass the usual security filters. This allows the attack to spread further, reaching more victims with each new wave of ads.
- Scaling the Attack: The hijacked Facebook accounts serve as a foundation for scaling up the entire operation. Each compromised account can be repurposed to promote additional malicious ads, amplifying the reach of the campaign without the hackers needing to create new Facebook accounts themselves. This is a cost-effective and time-efficient way to consistently drive traffic to malicious downloads. Being in the malvertising business isn't just cost-effective: it also allows threat actors to stay under the radar rather than relying on more obvious methods of compromising accounts, such as email phishing campaigns.
- Revenue and Data Theft: In addition to using hijacked accounts to fund and promote their campaigns, cybercriminals can also monetise the stolen credentials by selling them on underground marketplaces, with Facebook Business accounts being highly valuable. The stolen personal information, including login data, financial info, and security tokens, can be sold to other malicious actors who may attempt to use it to fuel identity theft crimes and other attacks, turning each new victim into a revenue stream.
How to Protect Yourself
- Be cautious about clicking on ads that offer free downloads or seem too good to be true, even on trusted platforms like Meta. Always verify the source before downloading any software.
- Always download software directly from the official website, not through third-party platforms or file-sharing services.
- Install trustworthy security software and keep it up to date. Opt for security solutions that can detect evolving threats like SYS01.
- Make sure 2FA is enabled on your Facebook account, particularly if you use it for business purposes. This will add an extra layer of security in case your credentials are compromised.
- Regularly check your business accounts for unauthorised access or suspicious activity. If you see unusual behaviour, report it immediately to Facebook and change your login credentials.
Read the full report here.