The SYS01 infection chain uses DLL sideloading to steal information. Learn how to protect your business from this cybersecurity threat.
Morphisec, a security solutions provider based in Israel, has reported that a sophisticated information-stealing malware called SYS01 is aimed at stealing access to corporate Facebook accounts and Chromium-based browsers. Morphisec's researcher has also seen the SYS01 malware attack critical government infrastructure workers, manufacturing companies and other industries.
This malware attack is similar to another campaign, dubbed S1deload Stealer by Bitdefender, but the final payload is not the same, which leaves open the question of who is behind the SYS01 stealer campaign.
SYS01 infection chain
The SYS01 malware attack starts by tricking a victim into clicking on a URL of a fake Facebook profile, advertisement or link to live streams, free applications, movies or games. When the user clicks on the lure, a ZIP archive file download begins.
The ZIP file contains a loader portion and a final payload. The loader consists of a legitimate application that is vulnerable to DLL sideloading. Once the victim executes the legitimate file, it silently loads an initial payload from a DLL file placed in the same directory as the legitimate application.
As mentioned by Morphisec researcher Arnold Osipov, the loader can be any kind of executable, such as a Rust or Python executable. Yet the behavior is always the same when executed: it runs the code of a malicious DLL file contained in the ZIP file.
The malicious DLL in turn runs an Inno Setup installer that decompresses and drops the PHP code responsible for stealing and exfiltrating information (Image A).
Several scenarios can occur with the loader part. For starters, the ZIP file may already contain the second-stage payload. If it is not in the ZIP file, the second-stage payload is likely downloaded from an attacker-controlled command-and-control (C2) server before being decrypted and executed.
SYS01 information stealer
After the loader runs successfully, the Inno Setup installer runs. The installer drops a PHP application with additional files:
- index.php is responsible for the main malware functionalities.
- Include.php establishes malware persistence through scheduled tasks; it is the file executed by the installer.
- Version.php contains the malware version.
- Rhc.exe hides the console window of running programs, allowing the malware to be stealthier by not showing specific windows to the currently logged-in user.
- RSS.txt is a base64-encoded file containing an executable written in Rust. The executable gets the current date and time and decrypts Chromium-based browser encryption keys. The malware retrieves the date and time to know when to establish persistence through scheduled tasks.
As noted by Osipov, older PHP files were not obfuscated, but the newer versions of the malware are encrypted using the commercial tools ionCube and Zephir.
Once the malware is active, it constructs a configuration array containing various information, including a list of C2 servers, from which one is chosen at random on each execution of the malware. The malware can also download and execute files and commands, in addition to being able to update itself.
What data SYS01 steals
SYS01 stealer can retrieve all cookies and credentials from Chromium-based browsers.
The malware checks whether the user has a Facebook account. If the user is logged into that account, the malware requests a token from Facebook's Graph API and steals all of the victim's Facebook information. All stolen information is exfiltrated to a C2 server.
How to protect against the SYS01 malware threat
DLL sideloading is possible because of the DLL search order implemented in Microsoft Windows. Some developers have this problem in mind when programming their software and write code that is specifically not vulnerable to this technique.
However, Morphisec noted that most programmers don't have security in mind when developing, so companies should add more protection against the technique:
- Set user privileges so they can’t install third-party software that could abuse DLL sideloading.
- Watch for DLL sideloading warning signs. Unsigned DLLs used by signed executables should raise such warnings, as should suspicious load paths.
- Use security tools such as DLLSpy or Windows Features Hunter to detect DLL sideloading. Resources such as HijackLibs may also be helpful, as it lists a large number of applications that are vulnerable to DLL sideloading.
- Keep operating systems and all software up to date and patched to avoid being compromised by a common vulnerability.
- Train employees to recognize common social engineering tricks and to be aware of the risks of downloading third-party content from the Internet, especially pirated software that often contains malware loaders.
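The two detection points above (the Windows DLL search order that sideloading abuses, and the warning signs of an unsigned DLL loaded by a signed executable from a suspicious path) can be turned into log-review logic. The following is an added example written for this article; it is not code from the article, from Morphisec or from any of the tools named. It assumes Sysmon Event ID 7 ("Image loaded") records exported as dictionaries with the standard field names Image, ImageLoaded, Signed and SignatureStatus. The sample records, the list of user-writable roots and the baseline of System32 DLL names are constructed for illustration and are not SYS01 indicators.

```python
"""Flag DLL-sideloading indicators in Sysmon Event ID 7 (Image loaded) records.

Added example, not part of the original article. Field names follow Sysmon's
Event ID 7 schema; all sample values below are constructed for illustration.
"""
from pathlib import PureWindowsPath

# Constructed baseline of file names that legitimately live under System32.
# In practice an analyst builds this from a directory listing of a clean host.
SYSTEM_DLL_BASELINE = {"version.dll", "dwmapi.dll", "userenv.dll", "kernel32.dll"}

# Directories from which a system DLL is expected to be resolved.
SYSTEM_DIRS = (r"C:\Windows\System32", r"C:\Windows\SysWOW64", r"C:\Windows\WinSxS")

# Locations an ordinary, non-admin user can write to (constructed, extend per environment).
USER_WRITABLE_ROOTS = (r"C:\Users", r"C:\ProgramData", r"C:\Windows\Temp")

# Constructed Sysmon Event ID 7 records: one sideload-like load, two benign loads.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\Downloads\FreeMovie\player.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\FreeMovie\version.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\plugin.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]


def _parts(path):
    """Split a Windows path into lower-cased components (NTFS is case-insensitive)."""
    return [p.lower() for p in PureWindowsPath(path).parts]


def _under(path, root):
    """True if `path` is `root` or lies below it."""
    p, r = _parts(path), _parts(root)
    return p[:len(r)] == r


def analyze_event(event):
    """Return the list of sideloading indicators present in one Event ID 7 record."""
    process, dll = event["Image"], event["ImageLoaded"]
    dll_path = PureWindowsPath(dll)
    unsigned = event.get("Signed", "").lower() != "true"
    in_system_dir = any(_under(dll, d) for d in SYSTEM_DIRS)
    reasons = []

    # 1. Unsigned DLL from a location an ordinary user can write to.
    if unsigned and any(_under(dll, r) for r in USER_WRITABLE_ROOTS):
        reasons.append("unsigned DLL loaded from a user-writable path")

    # 2. Unsigned DLL resolved from the executable's own directory outside the
    #    system directories: the search-order position that sideloading abuses.
    same_dir = _parts(str(dll_path.parent)) == _parts(str(PureWindowsPath(process).parent))
    if unsigned and same_dir and not in_system_dir:
        reasons.append("unsigned DLL loaded from the host executable's directory")

    # 3. A file name that belongs in System32 but was resolved from elsewhere.
    if dll_path.name.lower() in SYSTEM_DLL_BASELINE and not in_system_dir:
        reasons.append(f"system DLL name {dll_path.name} resolved outside system directories")

    return reasons


def find_sideload_candidates(events):
    """Return one record per event that carries at least one indicator."""
    hits = []
    for ev in events:
        reasons = analyze_event(ev)
        if reasons:
            hits.append({"process": ev["Image"], "dll": ev["ImageLoaded"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_sideload_candidates(SAMPLE_EVENTS):
        print(f"{hit['process']} -> {hit['dll']}")
        for reason in hit["reasons"]:
            print("   ", reason)
```

Only the first constructed record is flagged, with all three indicators; the signed System32 load and the signed vendor plugin loaded from Program Files produce no alert, which is the noise filter a practitioner needs before pointing this at real Sysmon output. The three indicators are deliberately kept separate so they can be weighted or combined with the Event ID 1 process-creation context (parent process, command line) that this example does not include.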
Disclosure: I work for Trend Micro, but the opinions expressed in this article are my own.