2/23/2023 | Ravie Lakshmanan | Cryptocurrency / Malware
An active malware campaign has been targeting Facebook and YouTube users with a new information stealer that hijacks their accounts and abuses the infected system's resources to mine cryptocurrency.
Bitdefender calls the malware S1deload Stealer because it uses DLL sideloading techniques to evade security defenses and run its malicious components.
“After infection, S1deload Stealer steals user credentials, emulates human behavior to artificially increase engagement of videos and other content, assesses the value of individual accounts (e.g. user’s followers),” said Bitdefender researcher Dávid ÁCS.
In other words, the goal of the campaign is to take control of users' Facebook and YouTube accounts and rent out that access to inflate the number of views and likes on videos and posts shared on the platforms.
It is estimated that more than 600 unique users were affected in the six months between July and December 2022. A majority of the infections are in Romania, Turkey, France, Bangladesh, Mexico, Peru and Canada.
To pull off the scheme, users are lured with adult content via Facebook posts containing links to ZIP archives which, when extracted, trigger a complicated infection sequence that ends in malware deployment.
“The malware author can therefore create a feedback loop: the more PCs they can infect, the more spam they can send on Facebook, the more clicks they can generate to infect more PCs,” Bitdefender said.
In addition to being able to download additional modules onto the compromised host, the malware is responsible for launching a headless Chrome browser that uses an extension to artificially increase YouTube video views.
The stealer also collects saved login credentials and cookies from web browsers, runs checks on Facebook profiles, and downloads a cryptojacker that mines cryptocurrency without the victim's knowledge or consent.
Bitdefender said it found infrastructure overlapping with a site called upview[.]us promoting options to buy YouTube views, likes and subscribers, and options to increase Facebook post likes, comments, followers and video views.
“S1deload Stealer has a serious impact on the privacy of the victim infected with it,” the Romanian company said. “The malware exfiltrates the victim’s stored credentials, including email, social media, or even financial accounts. The attacker can access these accounts or sell them on the dark web.”