The SYS01 infection chain uses DLL sideloading to steal information. Find out how to protect your organization from this cybersecurity threat.
Morphisec, a security vendor based in Israel, has reported that a sophisticated information-stealing malware dubbed SYS01 is aimed at stealing access to Facebook business accounts and credentials stored by Chromium-based browsers. Morphisec's researchers have also seen the SYS01 malware attack critical government infrastructure employees, manufacturing companies and other industries.
This malware attack resembles another campaign, named S1deload Stealer by Bitdefender, yet the final payload is not the same, leaving open the question of who is behind the SYS01 stealer campaign.
SYS01 infection chain
The SYS01 malware attack begins by luring a victim into clicking a URL from a fake Facebook profile, an advertisement, or a link to live streams, free applications, movies or games. When the user clicks the lure, the download of a ZIP archive file begins.
The ZIP file contains a loader component and a final payload. The loader component consists of a legitimate application that is vulnerable to DLL sideloading. Once the victim runs the legitimate file, it silently loads a first payload contained in a DLL file placed in the same folder as the legitimate application.
As explained by Morphisec researcher Arnold Osipov, the loader might be any kind of executable file, such as Rust and Python executables. Yet the behavior is always the same when run: It executes the code from a malicious DLL file contained in the ZIP file.
The malicious DLL in turn executes an Inno Setup installer that decompresses and drops PHP code responsible for stealing and exfiltrating information (Figure A).
Figure A. Image: Morphisec. Infection chain for the SYS01 attack. Different scenarios may occur with the loader component. For starters, the ZIP file may contain the needed second-stage payload. If it is not in the ZIP file, the second-stage payload is most likely downloaded from an attacker-controlled C2 server before being decoded and executed.
SYS01 info stealer
After the loader is executed successfully, the Inno Setup installer runs. The installer drops a PHP application with additional files:
- Index.php is in charge of the main malware functionality.
- Include.php establishes the malware's persistence via scheduled tasks; it is the file executed by the installer.
- Version.php contains the malware version.
- Rhc.exe hides the console window of started programs, allowing the malware to be stealthier by not showing certain windows to the currently logged-in user.
- Rss.txt is a base64-encoded file containing an executable written in Rust. The executable gets the current date and time and decrypts the encryption keys of Chromium-based browsers. The date and time is fetched by the malware to know when to establish persistence in scheduled tasks.
As noted by Osipov, older PHP files were not obfuscated, yet newer versions of the malware have been encoded using the commercial tools ionCube and Zephir.
Once the malware is running, it builds a configuration array containing various information, including a list of C2 servers that is randomly selected from and used at every execution of the malware. The malware is also able to download and execute files and commands, as well as update itself.
SYS01 steals specific data
The SYS01 stealer is able to get all cookies and credentials from Chromium-based browsers.
The malware checks whether the user has a Facebook account. If the user is logged in to that account, the malware queries Facebook's Graph application programming interface to get a token and steals all of the victim's Facebook information. All of the stolen information is exfiltrated to a C2 server.
How to protect from the SYS01 malware threat
DLL sideloading is possible because of the DLL search order implemented in Microsoft Windows: the directory the application was launched from is searched before the system directories, so a malicious DLL placed beside a legitimate executable can shadow the genuine library. Some developers have this issue in mind when writing their software and write code that is specifically not vulnerable to this technique.
However, Morphisec noted that many developers do not have security in mind when developing, so companies need to add more defenses against that technique:
- Set users' privileges so they cannot install third-party software that might be exploited for DLL sideloading.
- Monitor for indicators of DLL sideloading. Unsigned DLL files loaded by signed executables should raise such warnings, as should suspicious loading paths.
- Use security tools such as DLLSpy or Windows Features Hunter to try to detect DLL sideloading. Resources such as HijackLibs can also be useful, as it lists many applications vulnerable to DLL sideloading.
- Keep operating systems and all software up to date and patched in order to avoid being compromised through a common vulnerability.
- Train employees to recognize common social engineering techniques and to be aware of the risks of downloading third-party content from the internet, particularly pirated software, which often contains malware loaders.
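The search-order behavior described in the infection chain section and the "unsigned DLL loaded by a signed executable" indicator in the list above translate directly into a detection rule. The following is an added example written for this article; it is not Morphisec's tooling or anything from the original report. It triages Sysmon Event ID 7 (ImageLoaded) records in Python: the field names mirror Sysmon's Image, ImageLoaded and Signed fields, but parsing the real event XML is assumed to happen upstream, and every record, path, process name and signature status in the sample data is constructed for illustration.

```python
"""Triage Sysmon Event ID 7 (ImageLoaded) records for DLL sideloading.

Added example for this article; it is not Morphisec's tooling. The records
in SAMPLE_EVENTS are constructed: every path, process name and signature
status below is invented for illustration. Field names mirror Sysmon's
Image, ImageLoaded and Signed fields; parsing the real event XML is assumed
to happen upstream.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Directories Windows consults *after* the application's own folder and that a
# standard user cannot normally write to. Loads from here are treated as clean.
TRUSTED_DIRS = (
    r"C:\Windows\System32",
    r"C:\Windows\SysWOW64",
    r"C:\Windows\WinSxS",
    r"C:\Program Files",
    r"C:\Program Files (x86)",
)

# Lower-cased path fragments marking user-writable locations, which is where a
# downloaded ZIP would be extracted.
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\downloads\\", "\\appdata\\")

# System DLL names commonly planted next to a legitimate executable so that the
# application-directory lookup wins over the real copy in System32.
COMMON_SIDELOAD_NAMES = {"version.dll", "dwmapi.dll", "userenv.dll",
                         "cryptbase.dll", "wtsapi32.dll", "profapi.dll"}


@dataclass(frozen=True)
class ImageLoadEvent:
    """Subset of Sysmon Event ID 7 fields the rule needs."""
    image: str          # process that loaded the module
    image_loaded: str   # full path of the DLL that was loaded
    image_signed: bool  # Authenticode status of the process binary
    dll_signed: bool    # Authenticode status of the DLL


def under_trusted_dir(path: str) -> bool:
    """True if path sits below one of TRUSTED_DIRS (case-insensitive)."""
    p = PureWindowsPath(path)
    return any(PureWindowsPath(d) in p.parents for d in TRUSTED_DIRS)


def sideload_reasons(ev: ImageLoadEvent) -> list[str]:
    """Return the indicators that make this load look like sideloading.

    An empty list means the event is not interesting under this rule.
    """
    exe = PureWindowsPath(ev.image)
    dll = PureWindowsPath(ev.image_loaded)
    if dll.suffix.lower() != ".dll" or under_trusted_dir(ev.image_loaded):
        return []
    reasons = []
    # The indicator the article names explicitly.
    if ev.image_signed and not ev.dll_signed:
        reasons.append("signed process loaded an unsigned DLL")
    # Search order: the application directory is checked before System32, so a
    # DLL beside the executable shadows the system copy.
    if dll.parent == exe.parent:
        reasons.append("DLL loaded from the application's own directory")
    if dll.name.lower() in COMMON_SIDELOAD_NAMES:
        reasons.append("system DLL name loaded from outside Windows")
    if any(m in ev.image_loaded.lower() for m in USER_WRITABLE_MARKERS):
        reasons.append("DLL loaded from a user-writable location")
    return reasons


def triage(events) -> dict[str, list[str]]:
    """Map each suspicious DLL path to its list of indicators."""
    hits: dict[str, list[str]] = {}
    for ev in events:
        reasons = sideload_reasons(ev)
        if reasons:
            hits[ev.image_loaded] = reasons
    return hits


# Constructed records (not real telemetry).
SAMPLE_EVENTS = [
    # Normal: a Windows binary loading a system DLL from System32.
    ImageLoadEvent(r"C:\Windows\System32\notepad.exe",
                   r"C:\Windows\System32\kernel32.dll", True, True),
    # Sideload pattern from the infection chain: a legitimate signed player
    # extracted from a ZIP in Downloads pulls an unsigned version.dll beside it.
    ImageLoadEvent(r"C:\Users\victim\Downloads\Movie_HD\player.exe",
                   r"C:\Users\victim\Downloads\Movie_HD\version.dll", True, False),
    # Normal: an installed application loading its own signed helper.
    ImageLoadEvent(r"C:\Program Files\Vendor\app.exe",
                   r"C:\Program Files\Vendor\helper.dll", True, True),
    # Unsigned DLL from an unusual fixed path: weaker, single indicator.
    ImageLoadEvent(r"C:\Program Files\Vendor\app.exe",
                   r"C:\Tools\plugin.dll", True, False),
]

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_EVENTS).items():
        print(path)
        for r in reasons:
            print("  -", r)
```

The rule deliberately reports a list of indicators rather than a single verdict: the Downloads case stacks four of them and is worth an immediate look, while a lone unsigned plugin under C:\Tools is a weaker signal that an analyst would triage against the vendor's documentation before alerting on it. Portable applications run from a user profile will also trip the application-directory check, so expect to tune the trusted paths for your environment.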
Disclosure: I work for Trend Micro, but the views expressed in this article are mine.