An ongoing malware campaign targets YouTube and Facebook users, infecting their computers with a new information stealer that will hijack their social media accounts and use their devices to mine for cryptocurrency.
Security researchers with Bitdefender’s Advanced Threat Control (ATC) team discovered the new malware and dubbed it S1deload Stealer due to its extensive use of DLL sideloading for evading detection.
“Between July and December 2022, Bitdefender products detected more than 600 unique users infected with this malware,” Bitdefender researcher Dávid Ács said.
Victims are tricked into infecting themselves using social engineering and comments on FaceBook pages that push archives with adult themes (e.g., AlbumGirlSexy.zip, HDSexyGirl.zip, SexyGirlAlbum.zip, and more).
If the user downloads one of the linked archives, they will instead get an executable signed with a valid Western Digital digital signature and a malicious DLL (WDSync.dll) containing the final payload.
Once installed on victims’ devices, S1deload Stealer can be instructed by its operators to perform one of several tasks after connecting to the command-and-control (C2) server.
As Bitdefender discovered, it can download and run additional components, including a headless Chrome web browser that runs in the background and emulates human behavior to artificially boost view counts on YouTube videos and Facebook posts.
On other systems, it can also deploy a stealer that decrypts and exfiltrates saved credentials and cookies from the victim’s browser and the Login Data SQLite database or a cryptojacker that will mine BEAM cryptocurrency.
If it manages to steal a Facebook account, the malware will also attempt to estimate its actual value by leveraging the Facebook Graph API to find out if the victim is the admin of a Facebook page or group, if it pays for ads, or is linked to a business manager account.
“The stealer component we observed in the wild steals the saved credentials from the victim’s browser, exfiltrating them to the malware author’s server,” Ács added.
“The malware author uses the newly obtained credentials to spam on social media and infect more machines, creating a feedback loop.”
To avoid getting infected and having your social media accounts hijacked, you should never run executables from unknown sources and always keep your anti-malware software up to date.
Indicators of compromise (IOCs) and YARA rules linked to this malware campaign are available at the end of Bitdefender’s whitepaper (PDF).
Threat intelligence company SEKOIA also spotted a new information stealer strain known as Stealc and advertised on the dark web and hacking forums as featuring an easy-to-use administration panel and extensive data-stealing capabilities.
Unlike S1deload Stealer, the Stealc malware is distributed via fake cracked software, a highly popular tactic also used to push other info stealers like Vidar, Redline, Raccoon, and Mars.