
SYS01 Infostealer and Rilide Malware Likely Developed by the Same Threat Actor

Drawing on extensive proprietary research, Trustwave SpiderLabs believes the threat actors behind the Facebook malvertising infostealer SYS01 are the same group that developed the previously reported Rilide malware.

Facebook Malvertising Epidemic – Unraveling a Persistent Threat: SYS01 – Part 2 lays out the evidence tying the latest Rilide version (V4) to SYS01. The report notes that the code of the two malware families overlaps in too many areas to be coincidence. Additionally, the team found that some Rilide campaigns are staged in the same way as a subsequent SYS01 attack.

SpiderLabs did not set out to find a connection between SYS01 and Rilide, but such associations between malware families are common.

“We weren't really too surprised about the connection, as threat groups tend to utilize the same/similar malware when conducting campaigns,” said Greg Monson, Manager of the SpiderLabs Cyber Threat Intelligence Team.

SpiderLabs has been at the forefront of this investigation for more than a year, publishing a detailed analysis of SYS01 in the July 15 blog Facebook Malvertising Epidemic – Unraveling a Persistent Threat: SYS01 after having uncovered Rilide in August 2023. The SYS01 report itself grew out of earlier SpiderLabs research into Ov3r_Stealer, a credential- and crypto-wallet-stealing infostealer distributed through Facebook advertising and phishing emails.

The danger SYS01 and other social media-focused malware campaigns pose is that they rarely stand out as a threat to the average person.

“Most typical users wouldn't think twice about an advertisement they see on a popular social media platform, but users should remain vigilant even when doing normal browsing activity, as it only takes one slip up to have major implications,” said Monson.

Alongside this finding, Trustwave SpiderLabs conducted a top-to-bottom review of SYS01, detailing updates to the malware's capabilities and the evolution of how a SYS01 campaign is conducted.

The updates include a defense-evasion capability in which a script uses the Windows Management Instrumentation Command-line (WMIC) to retrieve the system's hardware configuration (the usual way malware checks whether it is running inside an analysis sandbox or virtual machine), a fallback command-and-control (C2) server used if the primary C2 servers become unreachable, and an updated exfiltration process.
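The WMIC hardware check is also a detection opportunity. The following Python script is an added example, not code from the SpiderLabs report or from SYS01 itself: it scans constructed process-creation events (Sysmon Event ID 1 style, not real telemetry) for wmic.exe querying hardware-identity WMI classes and flags those launched from a script host. The summary above does not list which classes SYS01 queries, so the class list below is an assumption covering the classes commonly used for VM and sandbox fingerprinting.

```python
"""Flag WMIC hardware-enumeration commands of the kind the SpiderLabs report
attributes to SYS01's defense-evasion script. Added example, not SpiderLabs
code; the events and the WMI class list are constructed/assumed (see below)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# WMIC aliases and WMI classes that expose hardware identity; querying them is
# the usual way malware checks for a VM or sandbox. ASSUMPTION: the report
# summary says only that SYS01 retrieves the "hardware configuration" via WMIC
# and does not list the exact classes, so this set is a generic one.
HARDWARE_TARGETS = {
    "computersystem": "win32_computersystem",
    "bios": "win32_bios",
    "baseboard": "win32_baseboard",
    "diskdrive": "win32_diskdrive",
    "cpu": "win32_processor",
    "win32_computersystem": "win32_computersystem",
    "win32_bios": "win32_bios",
    "win32_baseboard": "win32_baseboard",
    "win32_diskdrive": "win32_diskdrive",
    "win32_processor": "win32_processor",
    "win32_videocontroller": "win32_videocontroller",
}

# Parents that indicate WMIC was launched from a script rather than typed by
# an administrator (cmd.exe is left out: it is usually interactive).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe",
                "mshta.exe", "rundll32.exe"}

# Constructed process-creation events in a Sysmon Event ID 1-like layout.
# These are not real telemetry from a SYS01 infection.
SAMPLE_EVENTS = [
    r'2024-09-03T14:02:11Z parent=cmd.exe image=C:\Windows\System32\wbem\WMIC.exe cmd="wmic os get caption"',
    r'2024-09-03T14:02:12Z parent=wscript.exe image=C:\Windows\System32\wbem\WMIC.exe cmd="wmic computersystem get manufacturer,model"',
    r'2024-09-03T14:02:13Z parent=explorer.exe image=C:\Windows\System32\wbem\WMIC.exe cmd="wmic path win32_bios get serialnumber"',
    r'2024-09-03T14:02:14Z parent=powershell.exe image=C:\Windows\System32\wbem\WMIC.exe cmd="wmic /node:localhost baseboard get product"',
    r'2024-09-03T14:02:15Z parent=explorer.exe image=C:\Windows\System32\notepad.exe cmd="notepad.exe readme.txt"',
]

_EVENT_RE = re.compile(
    r'^(?P<ts>\S+) parent=(?P<parent>\S+) image=(?P<image>\S+) cmd="(?P<cmd>[^"]*)"$'
)


@dataclass
class Finding:
    timestamp: str
    parent: str
    wmi_class: str
    cmdline: str
    scripted: bool  # True when the parent is a script host


def wmi_hardware_class(cmdline: str) -> Optional[str]:
    """Return the normalised WMI class a wmic command queries, or None if the
    command is not wmic or does not touch a hardware-identity class."""
    tokens = cmdline.lower().split()
    if not tokens:
        return None
    exe = tokens[0].rsplit("\\", 1)[-1].strip('"')
    if exe not in ("wmic", "wmic.exe"):
        return None
    # Drop global switches (/node:, /format:, /output:) that precede the alias.
    args = [t for t in tokens[1:] if not t.startswith("/")]
    if not args:
        return None
    # "wmic path Win32_X get ..." names the class directly; otherwise the
    # first argument is an alias such as "bios" or "computersystem".
    target = args[1] if args[0] == "path" and len(args) > 1 else args[0]
    return HARDWARE_TARGETS.get(target)


def scan(events: List[str]) -> List[Finding]:
    """Parse process-creation events and return one Finding per WMIC
    hardware-enumeration command."""
    findings = []
    for line in events:
        m = _EVENT_RE.match(line)
        if not m:
            continue  # malformed line; a real pipeline would count these
        wmi_class = wmi_hardware_class(m["cmd"])
        if wmi_class is None:
            continue
        parent = m["parent"].lower()
        findings.append(Finding(m["ts"], parent, wmi_class, m["cmd"],
                                scripted=parent in SCRIPT_HOSTS))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        flag = "SCRIPTED" if f.scripted else "interactive"
        print(f"{f.timestamp} {flag:11} {f.parent:16} {f.wmi_class:24} {f.cmdline}")
```

Running the script prints three findings; the two with a script-host parent (wscript.exe, powershell.exe) are the ones worth an alert, since administrators rarely enumerate BIOS serial numbers or motherboard models from a script. Matching on the parsed WMI class rather than on a raw command-line string keeps the rule robust to the alias-versus-`path Win32_X` spelling and to leading `/node:` switches.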

The research also looks at how SYS01 campaigns have developed since they were first uncovered in 2022 and includes an analysis of the command-and-control infrastructure the threat actors use.

The report shows that the SYS01 campaign is a persistent and evolving threat. Its recent iterations underscore the ongoing refinement of the threat actors' strategies and of the tooling they use to bypass detection.

Monson concluded, “The evolution from its initial versions to the latest release underscores enhancements and serves as a constant reminder that malicious actors will continue to refine their TTPs, even if using common delivery methods for their malware, to have the most effective impact they can on their victims.”

Please download the complete Facebook Malvertising Epidemic – Unraveling a Persistent Threat: SYS01 – Part 2 report for all the details and technical information needed to best understand how the threat actors operate.
