Sunday, May 26, 2024

Malverposting maneuvers by Vietnamese cybercriminals have affected around half a million devices.

Security agencies identified a cybercrime group based in Vietnam as the source of a malicious social media campaign that has infected more than 500,000 devices worldwide over the last three months with information-stealing malware, including S1deload Stealer and SYS01stealer. The campaign, known as “malverposting,” uses paid social media promotions on platforms such as Twitter and Facebook to propagate malicious software and other security threats. The attacker creates new business profiles and takes over already popular accounts to serve advertisements that claim to offer free downloads of adult-rated photo albums. The ZIP files that hold these images also contain executable files which, when run, infect the device and deploy the stealer malware to harvest session cookies, account data, and other sensitive information.

The malware’s attack chain is highly effective and creates a vicious cycle: the stolen information feeds a growing pool of hijacked Facebook bot accounts, which are later used to push more sponsored posts and scale the scheme further. To avoid detection by Facebook, the threat actor disguises the newly generated business profile pages as photographer accounts. Infections have been reported in Australia, Canada, India, the United Kingdom, and the United States. The PHP-based stealer is continually evolving to incorporate more detection evasion features, indicating that the group behind the campaign is actively refining and retooling its tactics in response to public disclosures.

According to Nati Tal, a security researcher at Guardio Labs, “The malicious payload is quite sophisticated and varies all the time, introducing new evasive techniques.” Group-IB recently revealed details of an ongoing phishing operation that targets Facebook users by tricking them into entering their credentials on copycat sites designed to steal those credentials and take over their profiles. In a related development, Malwarebytes uncovered a malvertising campaign that tricks users searching for games and food recipes on Google with malicious ads that redirect them to fake websites created on Weebly to conduct tech support scams.


