This month focuses on a malvertising campaign hijacking Facebook accounts to spread SYS01 stealer malware, Black Basta ransomware attacks posing as IT support on Microsoft Teams to breach networks, a malware campaign using file hosting services in business email compromise attacks, and the 200+ malicious apps found on Google Play with over 8 million downloads.
Malvertising Campaign Hijacking Facebook Accounts to Spread SYS01 Stealer Malware
A recently discovered malvertising campaign exploits Meta’s advertising platform alongside hijacked Facebook accounts to distribute malware called SYS01stealer.
Summary
- Hackers use trusted brands and around a hundred malicious domains to distribute malware and perform real-time control of the attacks via command and control (C2) operations.
- SYS01stealer, documented since early 2023, targets Facebook business accounts using fake ads, often promoting games, adult content, and cracked software.
- The malware’s primary goal is to steal login credentials, browsing data, and Facebook ad account information to scale up attacks through further fake ads.
- Hijacked Facebook accounts are repurposed to publish additional malicious ads, broadening the campaign’s reach without creating new accounts.
- SYS01stealer is distributed via ads on platforms like Facebook, YouTube, and LinkedIn, promoting various products that lure users to download malware.
- Victims who click on ads are redirected to fake sites that host malware, which is delivered in ZIP archives and uses a benign executable to load the malicious DLL.
- The malware employs PowerShell commands to disable Microsoft Defender, avoid sandbox detection, and set up a PHP-based stealer, evolving tactics to bypass security measures.
- Cybercriminals update SYS01stealer’s loader code to evade detection, adapting swiftly to security blocks and maintaining persistence on compromised devices through scheduled tasks.
- Read more about the campaign here.
Black Basta ransomware attacks posing as IT support on Microsoft Teams to breach networks
A new campaign has been observed in which Black Basta ransomware affiliates break into organizations’ networks using vulnerabilities, malware botnets, and social engineering attacks.
Summary
- The attacks were first noticed in May, when a Black Basta social engineering campaign flooded employee inboxes with non-malicious emails, such as newsletters and confirmations, to overwhelm them.
- The attackers then posed as the company’s IT help desk over the phone, offering to resolve the spam problem and tricking employees into granting remote access via AnyDesk or Windows Quick Assist.
- Once connected, attackers deployed tools like ScreenConnect, NetSupport Manager, and Cobalt Strike to maintain persistent access on corporate devices.
- With initial access, Black Basta affiliates moved laterally across the network, escalating privileges, stealing data, and deploying ransomware.
- In October, security researchers observed Black Basta affiliates using Microsoft Teams for similar social engineering, contacting employees as external users impersonating IT help desk support.
- The attackers used accounts with help desk-like names (e.g., securityadminhelper.onmicrosoft.com) and added employees to “OneOnOne” chats with deceptive display names to appear legitimate.
- They also shared QR codes in Teams chats, which directed to domains like qr-s1[.]com, though the purpose of these QR codes remains unclear.
- The CcHUB helpdesk recommends restricting external communication on Microsoft Teams, allowing only trusted domains, and enabling logging, especially for the ChatCreated event, to detect suspicious activity.
- Read more about it here.
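The logging recommendation above (ChatCreated events plus a trusted-domain allowlist) can be turned into a simple triage rule. The following is an added example, not code from the article or from CcHUB: it parses a JSON Lines export of ChatCreated audit records and flags chats opened by external users from domains outside the allowlist, OneOnOne chats started by such users, default *.onmicrosoft.com tenant domains, and external members whose display name or UPN reads like an IT help desk. The field names are modelled on Microsoft 365 Unified Audit Log ChatCreated entries but the sample records, the `ORG_DOMAIN` and `TRUSTED_DOMAINS` values, and the help-desk name pattern are all constructed assumptions; verify the schema against a real export from your tenant before relying on it.

```python
"""Triage Microsoft Teams 'ChatCreated' audit records for help-desk impersonation.

Added example (not from the original article). Field names are modelled on
Microsoft 365 Unified Audit Log ChatCreated entries; the sample records are
constructed, so check the schema against a real export.
"""
import json
import re

ORG_DOMAIN = "example.org"                            # assumed: your own tenant domain
TRUSTED_DOMAINS = {"example.org", "partner.example"}  # assumed allowlist (own org + vetted partners)

# Fragments that make a display name or UPN look like IT support (constructed pattern).
HELPDESK_PATTERN = re.compile(r"help ?desk|support|security ?admin|it ?services?", re.I)

# Constructed sample audit export in JSON Lines form (one record per line).
SAMPLE_EXPORT = "\n".join(json.dumps(r) for r in [
    {   # external tenant with a help-desk-style name opens a 1:1 chat with an employee
        "Operation": "ChatCreated",
        "ChatThreadId": "19:chat-0001",
        "CommunicationType": "OneOnOne",
        "UserId": "admin@securityadminhelper.onmicrosoft.com",
        "Members": [
            {"DisplayName": "Help Desk", "UPN": "admin@securityadminhelper.onmicrosoft.com"},
            {"DisplayName": "Dana Employee", "UPN": "dana@example.org"},
        ],
    },
    {   # vetted partner from an allowlisted domain: expected traffic
        "Operation": "ChatCreated",
        "ChatThreadId": "19:chat-0002",
        "CommunicationType": "OneOnOne",
        "UserId": "alice@partner.example",
        "Members": [
            {"DisplayName": "Alice Vendor", "UPN": "alice@partner.example"},
            {"DisplayName": "Dana Employee", "UPN": "dana@example.org"},
        ],
    },
    {   # purely internal group chat
        "Operation": "ChatCreated",
        "ChatThreadId": "19:chat-0003",
        "CommunicationType": "Group",
        "UserId": "dana@example.org",
        "Members": [
            {"DisplayName": "Dana Employee", "UPN": "dana@example.org"},
            {"DisplayName": "Sam Employee", "UPN": "sam@example.org"},
        ],
    },
])


def load_records(jsonl_text):
    """Parse a JSON Lines export into a list of dict records, skipping blank lines."""
    return [json.loads(line) for line in jsonl_text.splitlines() if line.strip()]


def domain_of(upn):
    """Lower-cased domain part of a UPN such as 'user@tenant.onmicrosoft.com'."""
    return upn.rsplit("@", 1)[-1].lower()


def evaluate_chat(record, trusted=TRUSTED_DOMAINS):
    """Return the reasons a ChatCreated record looks like help-desk impersonation.

    An empty list means nothing suspicious was found in this record.
    """
    reasons = []
    if record.get("Operation") != "ChatCreated":
        return reasons

    creator_domain = domain_of(record.get("UserId", ""))
    if creator_domain not in trusted:
        reasons.append(f"chat created by external user from untrusted domain {creator_domain}")
        if record.get("CommunicationType") == "OneOnOne":
            reasons.append("untrusted external user opened a OneOnOne chat with an employee")
        if creator_domain.endswith(".onmicrosoft.com"):
            reasons.append("creator uses a default *.onmicrosoft.com tenant domain")

    for member in record.get("Members", []):
        upn = member.get("UPN", "")
        if domain_of(upn) == ORG_DOMAIN:
            continue  # internal staff may legitimately be named 'IT Support'
        name = member.get("DisplayName", "")
        if HELPDESK_PATTERN.search(name) or HELPDESK_PATTERN.search(upn):
            reasons.append(f"external member presents help-desk-like identity '{name}' <{upn}>")
    return reasons


def scan(records):
    """Map ChatThreadId -> reasons for every record that raised at least one reason."""
    findings = {}
    for rec in records:
        reasons = evaluate_chat(rec)
        if reasons:
            findings[rec.get("ChatThreadId", "?")] = reasons
    return findings


if __name__ == "__main__":
    for thread, reasons in scan(load_records(SAMPLE_EXPORT)).items():
        print(thread)
        for reason in reasons:
            print("  -", reason)
```

Only the first constructed record is reported; the allowlisted partner and the internal group chat pass cleanly. In practice the allowlist should mirror the domains permitted in the Teams external access policy so that the log review and the configuration enforce the same boundary.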
Microsoft warns of malware campaign using file hosting services in business email compromise attacks
Microsoft warns of cyberattacks leveraging trusted file hosting services like SharePoint, OneDrive, and Dropbox to evade detection and complicate attribution.
Summary
- These campaigns aim to compromise identities and devices, conduct business email compromise (BEC) attacks, commit financial fraud, exfiltrate data, and enable lateral movement.
- The tactic, called living-off-trusted-sites (LOTS), uses legitimate services to bypass email security filters, as traffic from these platforms often appears trustworthy.
- Since April 2024, phishing campaigns have exploited these file-sharing platforms by sharing files with restricted access and view-only modes to limit detection.
- The attacks frequently start with a compromised account from a trusted vendor, which stages malicious files on file-sharing services and sends them to targeted recipients.
- Victims must log in to view the shared files, often re-authenticating with a one-time password (OTP), which helps attackers capture their login details.
- Once access is granted, victims are redirected to an adversary-in-the-middle (AitM) phishing page, capturing passwords and two-factor authentication (2FA) tokens.
- The stolen credentials enable attackers to perform further BEC scams, financial fraud, and access other accounts and systems within the organization.
- A new AitM phishing kit, Mamba 2FA, available as phishing-as-a-service (PhaaS), helps threat actors bypass MFA protections, instantly sending stolen credentials to attackers via Telegram.
- Read more about it here.
Over 8 million Android users are at risk of malware infection from 200+ malicious apps found on the Google Play Store
A 2024 report by Zscaler highlighted that over 200 malicious apps were found on Google Play between June 2023 and April 2024, with over eight million installs, posing a major mobile threat.
Summary
- The Joker malware was the most common, making up 38% of these malicious apps, covertly subscribing users to premium services via WAP fraud.
- Adware (35%) and Facestealer (14%), which steals Facebook credentials, were also significant malware types among the detected apps.
- The “Tools” category on Google Play was the most targeted for malware, representing 48% of infected apps, followed by malicious personalization (15%) and photography apps (11%).
- Trojan attacks comprised nearly half of mobile malware, impacting sectors like technology (18%), education (18%), and manufacturing (14%), with education seeing a 136% increase in attacks.
- Mobile banking malware increased by 29%, and mobile spyware surged by 111%, with India, the U.S., and Canada experiencing the highest mobile attack rates.
- Read more about it here.
Sources
- https://thehackernews.com/2024/10/malvertising-campaign-hijacks-facebook.html
- https://thehackernews.com/2024/10/microsoft-detects-growing-use-of-file.html
- https://www.microsoft.com/en-us/security/blog/2024/10/08/file-hosting-services-misused-for-identity-phishing/
- https://www.infosecurity-magazine.com/news/eight-million-download-200-mal/