The SYS01 infection chain uses DLL sideloading to steal information. Learn how to protect your business from this cybersecurity threat.
Morphisec, an Israel-based security solutions provider, reported that an advanced information-stealing malware dubbed SYS01 aims to steal access to Facebook business accounts and credentials from Chromium-based browsers. The Morphisec researcher has also seen how the SYS01 malware attacks employees of critical government infrastructure, manufacturing companies, and other industries.
This malware attack is similar to another campaign dubbed S1deload Stealer by Bitdefender, but the final payload is not the same, leaving open the question of who is behind the SYS01 stealer attack campaign.
Jump to:
SYS01 infection chain
The SYS01 malware attack begins by luring a victim into clicking a fake Facebook profile URL, advertisement, or link to live streams, free apps, movies, or games. When the user clicks on the lure, the download of a ZIP file begins.
The ZIP file contains a loader part and a final payload. The loader part consists of a legitimate application that is vulnerable to DLL sideloading. Once the victim executes the legitimate file, it silently loads a first payload contained in a DLL file contained in the same folder as the legitimate application.
As Morphisec researcher Arnold Osipov mentioned, the loader can be any type of executable file, such as Rust and Python executables. However, the behavior is always the same when it is run: it runs the code of a malicious DLL contained in the ZIP file.
The malicious DLL, in turn, runs an Inno-Setup installer that unpacks and drops the PHP code responsible for stealing and leaking information (Figure A).
Figure A
Different scenarios can occur with the charger part. To begin with, the ZIP file can contain the necessary payload of the second stage. If it is not in the ZIP file, the second stage payload is likely downloaded from an attacker-controlled C2 server before being decrypted and executed.
Information thief SYS01
Once the loader runs successfully, the Inno-Setup installer is launched. The installer drops a PHP application with additional files:
- Index.php takes care of the main functionalities of the malware.
- include.php sets malware persistence through scheduled tasks; is the file executed by the installer.
- version.php contains the version of the malware.
- Rhc.exe hides the console window from launched programs, allowing malware to be more stealthy by not displaying specific windows to the currently logged on user.
- rss.txt is a base64-encoded file, containing an executable file written in Rust. The executable gets the current date and time and decrypts the encryption keys from Chromium-based browsers. The malware obtains the date and time to know when to set persistence on scheduled tasks.
As Osipov pointed out, the older PHP files were not obfuscated, but the newer versions of the malware were encoded with the commercial tools ionCube and Zephir.
Once the malware is running, it sets up a configuration array that contains various information, including a list of randomly chosen C2 servers used in each malware execution. The malware can also download and execute files and commands, as well as being able to update itself.
SYS01 steals private data
The SYS01 thief can obtain all cookies and credentials from Chromium-based browsers.
The malware checks if the user has a Facebook account. If the user is logged into that account, the malware queries Facebook’s GUI for a token and steals all of the victim’s Facebook information. All stolen information is pulled to a C2 server.
How to protect yourself from the SYS01 malware threat
Sideloading DLLs is possible because of the DLL search order implemented in Microsoft Windows. Some developers have this problem in mind when programming their software and create code that is specifically not vulnerable to this technique.
However, Morphisec pointed out that most programmers don’t take security into account when developing, so companies need to add more protection against that technique:
- Set users’ privileges so that they cannot install third-party software that can exploit DLL sideloading.
- Monitor for DLL sideloading warning signs. Unsigned DLLs used by signed executables should generate such warnings, as well as suspicious load paths.
- Use security tools like DLLSpy or Windows Features Hunter to try to detect DLL sideloading. Resources like Hijack.Libs can also be helpful, as it lists many applications vulnerable to DLL sideloading.
- Keep operating systems and all software updated and patched to avoid being compromised by a common vulnerability.
- Train employees to spot common social engineering tricks and be aware of the risks of downloading third-party content from the Internet, especially pirated software that often contains malware loaders.
Read below: Safety awareness and training policy (Tech Republic Premium)
Divulgation: I work for Trend Micro, but the opinions expressed in this article are my own.
