New S1deload Malware Hijacking Users’ Social Media Accounts and Mining Cryptocurrency

An active malware campaign has set its sights on Facebook and YouTube users by leveraging a new information stealer to hijack the accounts and abuse the systems’ resources to mine cryptocurrency.

Bitdefender is calling the malware S1deload Stealer for its use of DLL side-loading techniques to get past security defenses and execute its malicious components.

“Once infected, S1deload Stealer steals user credentials, emulates human behavior to artificially boost videos and other content engagement, assesses the value of individual accounts (such as identifying corporate social media admins), mines for BEAM cryptocurrency, and propagates the malicious link to the user’s followers,” Bitdefender researcher Dávid ÁCS said.

Put differently, the goal of the campaign is to take control of the users’ Facebook and YouTube accounts and rent out access to raise view counts and likes for videos and posts shared on the platforms.

More than 600 unique users are estimated to have been impacted during the six-month period between July and December 2022. A majority of the infections are located in Romania, Turkey, France, Bangladesh, Mexico, Peru, and Canada.

To pull off the scheme, the operators lure users with adult-themed content via Facebook posts that contain links to ZIP archives, which, when extracted, trigger an intricate infection sequence leading to the deployment of the malware.

“The malware author can therefore create a feedback loop: the more PCs they can infect, the more they can spam on Facebook, the more clicks they can generate to infect more PCs,” Bitdefender said.

Besides being capable of downloading additional modules on the compromised host, the malware is also responsible for launching a headless Chrome browser that makes use of an extension to artificially inflate YouTube video views.
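A headless browser driving a side-loaded extension, as described above, leaves a distinctive process-creation footprint. The following hunt logic is an added example, not code from the article or from Bitdefender's report: the report does not publish S1deload's command line, so the standard Chromium switches `--headless` and `--load-extension` are assumed, and the sample events are constructed.

```python
# Added example (not from the article or Bitdefender's report): hunt process-creation
# records for a headless Chrome started with a side-loaded extension. The assumed
# switches --headless and --load-extension are standard Chromium switches, not values
# taken from the report; the events at the bottom are constructed, not captured.
import re

CHROME_IMAGES = {"chrome.exe", "chromium.exe", "msedge.exe", "brave.exe"}
EXPECTED_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "userinit.exe"}
_TOKEN = re.compile(r'"[^"]*"|\S+')  # keeps quoted paths with spaces as one token

def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def _switch(argv, name):
    """Value of --name ('' if given without a value), or None if absent."""
    for tok in argv:
        if tok == name:
            return ""
        if tok.startswith(name + "="):
            return tok[len(name) + 1:].strip('"')
    return None

def analyze_event(evt):
    """Score one record {pid, image, parent_image, command_line}; None if benign."""
    if _basename(evt["image"]) not in CHROME_IMAGES:
        return None
    argv = _TOKEN.findall(evt["command_line"])
    headless = _switch(argv, "--headless")
    ext = _switch(argv, "--load-extension")
    if headless is None or ext is None:
        return None  # interactive browsing, or automation without an extension
    reasons = ["headless", "side-loaded extension from " + ext]
    severity = "medium"
    parent = _basename(evt["parent_image"])
    if parent not in EXPECTED_PARENTS:  # user launches come from the shell/browser
        reasons.append("unexpected parent " + parent)
        severity = "high"
    return {"pid": evt["pid"], "severity": severity, "reasons": reasons}

def hunt(events):
    return [f for f in map(analyze_event, events) if f is not None]

# Constructed Sysmon-style sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" https://example.test'},
    {"pid": 5532, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_image": r"C:\Users\Public\Libraries\loader.exe",
     "command_line": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --headless=new '
                     r'--load-extension="C:\Users\Public\Libraries\ext" https://www.youtube.com/'},
]
```

Running `hunt(SAMPLE_EVENTS)` flags only the second event, with the extension path and the unexpected parent as the reasons; legitimate headless automation without `--load-extension` is left alone.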

The stealer further captures saved credentials and cookies from web browsers, conducts Facebook profile checks, and also loads a cryptojacker that mines cryptocurrency without the victim’s knowledge or consent.

Bitdefender said it found infrastructure overlaps with a website called upview[.]us that advertises options to buy YouTube views, likes, and subscribers as well as options to increase Facebook post likes, comments, followers, and video views.

“S1deload stealer has serious privacy implications for the victim infected with it,” the Romanian company said. “The malware exfiltrates the victim’s saved credentials, including email, social media or even financial accounts. The threat actor can access these accounts or sell them on the dark web.”
