Beware of fake Facebook ads containing dangerous malware
Cybercriminals are exploiting a vulnerability in Meta's advertising system to spread SYS01 malware, which directly threatens the security of Facebook users' accounts and personal information.
The world's leading security company Bitdefender (Romania) has just issued a warning about a new sophisticated attack campaign, in which cybercriminals have taken advantage of Meta's advertising platform to create fake ads, imitating popular services to trick Facebook users into clicking on malicious links.
The SYS01 malware, once installed, silently steals sensitive information such as passwords, credit card numbers and other personal data, allowing hackers to hijack accounts and commit financial fraud.

According to Bitdefender's warning, the attack is happening on a large scale: cybercriminals impersonate well-known brands such as Netflix, Office 365 and CapCut, causing significant damage to users.
Malvertising campaigns, which mainly focus on tricking users into installing malware and stealing personal information, have been hitting Meta platforms like Facebook hard over the past month, researchers said in a report.
Cybercriminals are constantly innovating their tactics, using fake ads to lure users. From impersonating entertainment platforms like Netflix with the promise of “free, ad-free” service, to pretending to be productivity tools like photo and video editing software, or even video games, they aim to scam users.
“Some ads can last for weeks, primarily targeting elderly men,” Bitdefender Labs’ report added.
These ads often contain links to the MediaFire cloud storage service, which lure users into downloading malicious .zip files. Inside these files are applications built using web technology that contain malicious code. When users open the application, the malicious code is activated and attacks the system.
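A defender-side triage of this delivery pattern, as an added example that is not from Bitdefender's report or the original article: it recognizes MediaFire-hosted .zip links and classifies an archive from its file listing without extracting it. Assumptions: the "web technology" apps are Electron-style bundles (an `.asar` archive beside a native launcher), and all function names, URLs and sample file names are constructed for illustration.

```python
import io
import zipfile
from urllib.parse import urlparse

# Assumption (not stated on the page): a "web technology" app is an
# Electron-style bundle, i.e. an .asar archive shipped beside a launcher.
WEB_BUNDLE_EXT = (".asar",)
LAUNCHER_EXT = (".exe", ".scr", ".bat", ".cmd")

def is_mediafire_zip(url):
    """True if the link points at a .zip hosted on MediaFire."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    on_mediafire = host == "mediafire.com" or host.endswith(".mediafire.com")
    # The file name may be followed by further path segments.
    segments = parsed.path.lower().split("/")
    return on_mediafire and any(s.endswith(".zip") for s in segments)

def triage(url, data):
    """Classify a downloaded archive from its listing, without extracting."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return {"verdict": "unreadable", "launchers": [], "bundles": []}
    launchers = [n for n in names if n.lower().endswith(LAUNCHER_EXT)]
    bundles = [n for n in names if n.lower().endswith(WEB_BUNDLE_EXT)]
    if launchers and bundles:
        verdict = "quarantine" if is_mediafire_zip(url) else "review"
    else:
        verdict = "no-match"
    return {"verdict": verdict, "launchers": launchers, "bundles": bundles}

def build_zip(names):
    """Build a constructed in-memory archive holding placeholder files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"constructed sample")
    return buf.getvalue()

if __name__ == "__main__":
    # Constructed sample: URL and file names are illustrative only.
    sample = build_zip(["VideoEditor/VideoEditor.exe",
                        "VideoEditor/resources/app.asar"])
    print(triage("https://www.mediafire.com/file/EXAMPLE/VideoEditor.zip/file",
                 sample))
```

A "quarantine" or "review" verdict only says the archive matches the packaging shape described above; it is a reason to hold the file for analysis, not proof of infection.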
Bitdefender notes that malware often hides itself very cleverly inside fake applications, operating silently and causing serious damage without leaving obvious traces. This makes it very difficult for users to detect that they have become victims of cyber attacks.
The malware's infection chain often goes through many sophisticated stages to avoid detection by security software. After penetrating the system through security holes, the malware automatically spreads, encrypts important files and even creates copies of itself to maintain its presence.
The primary goal of the SYS01 infostealer malware is to steal sensitive information from Facebook accounts, specifically targeting business pages for illicit gain. With the ability to update its control commands from a central server, SYS01 can flexibly change its attack behavior, making it more difficult to detect and prevent. The information collected from victims can be used for other malicious purposes or sold on the dark web.
Bitdefender has discovered a vast network of nearly 100 malicious domains, used by hackers to launch fraudulent advertising campaigns aimed at stealing users' personal information.
Bitdefender researchers said the malware is very sophisticated, using many tricks to avoid detection by antivirus software. One of those tricks is the ability to detect virtual environments (sandboxes) to disguise its malicious behavior.
“When cybersecurity companies start flagging and blocking a specific version of the loader, hackers respond quickly by updating the code. They then push new ads with the updated malware to bypass the latest security measures,” Bitdefender added.
Hacked Facebook Business accounts have become a valuable resource for malicious advertising campaigns. By leveraging the features of the Facebook advertising platform, cybercriminals can easily create and distribute fake ads automatically, increasing the likelihood of defrauding users and causing economic loss.
First appearing in September 2024, the attack campaign quickly spread globally, targeting millions of users in major regions such as Europe, North America, Australia and Asia. In particular, middle-aged men aged 45 and above were the main targets.