New S1deload Malware Hijacking Users’ Social Media Accounts and Mining Cryptocurrency

February 23, 2023 | Ravie Lakshmanan | Cryptocurrency / Malware


Active malware campaigns are targeting users of Facebook and YouTube by leveraging new information-stealing programs to hijack accounts and exploit system resources to mine cryptocurrency.

Bitdefender has named the malware S1deload Stealer because it uses DLL sideloading techniques to evade security defenses and execute its malicious components.

“Once infected, the S1deload Stealer can steal user credentials, emulate human behavior to artificially increase the engagement of videos and other content, assess the value of individual accounts (e.g., corporate social media administrators), mine the BEAM cryptocurrency, and create malicious links for users’ followers,” said Bitdefender researcher Dávid Ács.

In other words, the purpose of this campaign is to take control of users’ Facebook and YouTube accounts and rent out that access to increase the views and likes of videos and posts shared on the platforms.

It is estimated that over 600 unique users were affected in the six months from July to December 2022. The majority of infections occur in Romania, Turkey, France, Bangladesh, Mexico, Peru, and Canada.


To make this scheme successful, users are lured with adult-themed content via Facebook posts containing links to ZIP archives. Once the archive is extracted, it triggers a multi-stage infection sequence that ends in the deployment of the malware.

“So malware authors can create a feedback loop: the more PCs they can infect, the more spam they can generate on Facebook, generating more clicks and infecting more PCs,” said Bitdefender.

Besides being able to download additional modules on the compromised host, the malware is also responsible for launching a headless Chrome browser that utilizes extensions to artificially inflate YouTube video views.


The stealer also retrieves saved credentials and cookies from web browsers, performs Facebook profile checks, and loads cryptojackers that mine cryptocurrency without the victim’s knowledge or consent.

Bitdefender said it found an infrastructure overlap with a website called upview.[.], which advertises options to buy YouTube views, likes and subscribers, as well as Facebook post likes, comments, followers and video views.

“The S1deload stealer has serious implications for the privacy of infected victims,” said the Romanian company. “Malware steals victim-stored credentials such as email, social media, and even financial accounts. Attackers can access these accounts or sell them on the dark web.”
