S1deload Stealer malware attacks Facebook and YouTube accounts
There is an ongoing malware campaign that targets YouTube and Facebook users, hijacking social media accounts and infecting computers with new information about who use the devices to mine cryptocurrency.
Security researchers from Bitdefender's Advanced Threat Control (ATC) team discovered this new malware and named it S1deload Stealer. This is due to heavy use of DLL sideloading to avoid detection. Between July and December 2022, Bitdefender products detected over 600 unique users who were infected with this malware.
Victims are tricked into infecting their system by themselves through social engagements and comments on his Facebook page where he distributes adult themed archives (AlbumGirlSexy.zip, HDSexyGirl.zip, SexyGirlAlbum.zip, etc.).
When the user downloads one of his linked archives, he receives an executable cookie with a valid Western digital signature and a malicious DLL (WDSync.dll) containing the final payload. increase.
Immediately it has been installed on the unsuspecting victims device, S1deload Stealer can be instructed by its operators to carry out one of several tasks after connecting to the command-and-control (C2) server.
S1deload Stealer can download and run extra components including a chrome web browser that runs in the background and emulates human behaviour to artificially boost view counts on YouTube videos and Facebook posts.
On other systems, it can also deploy a stealer that decrypts and exfiltrates saved credentials and cookies from the victim's browser and the Login Data SQLite database or a cryptojacker that will mine BEAM cryptocurrency.
If it is successful to steal a Facebook account, the malware will also attempt to work on its actual value by leveraging the Facebook Graph API. This is done in order to find out if the victim is the admin of a Facebook page or group, if it pays for ads, or is linked to a business manager account.
The stealer component observed steals the saved credentials from the victim's browser then importing them to the malware author's server. Malware attacks use newly acquired credentials to spam on social media thereby infecting more computers and creating a feedback loop.
To avoid getting your system infected by the S1deload Stealer or hacking your social media accounts, never run executable files from unknown sources and always keep your anti-malware software up to date.
The Indicators of Compromise (IOC) and rules associated with this malware campaign can be found at the end of the Bitdefender whitepaper (PDF).
Threat intelligence firm SEKOIA also discovered a new information-stealing strain called Stealc, touted on the dark web and hacking forums as offering an easy-to-use admin panel and extensive data exfiltration capabilities.
Unlike S1deload Stealer, Stealc malware is distributed via cracked fake software. This is a very common technique that is also used to push other information-stealing programs like Vidar, Redline, Raccoon and Mars.