Security researchers at Bitdefender have discovered new malware that targets Facebook and YouTube users. Dubbed S1deload Stealer, it steals saved login credentials from infected devices and tries to hijack the victim's social media accounts. It also uses the device to mine cryptocurrency.
According to Bitdefender's Advanced Threat Control (ATC) team, the threat actors behind the campaign use social engineering in Facebook and YouTube comments to trick users into downloading the malware onto their computers. They distribute .zip archives, mostly with adult-themed names, that contain a legitimate, digitally signed executable.
The executable itself carries a similar name, but it does not contain what the people who download it expect. Instead, it loads malicious code the moment they run it.
S1deload Stealer relies on DLL sideloading to evade antivirus and other defences, hence the name: the signed, legitimate executable loads a malicious DLL placed next to it, so the code that security software sees starting is a trusted binary. Once the malware is active, it connects to its command-and-control (C2) server, through which the threat actors push commands to it remotely.
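The delivery pattern described above, a signed EXE shipped together with a DLL in the same folder, is something a practitioner can triage before anything is run. The following script is an added example, not Bitdefender's tooling or anything from the whitepaper: it classifies each file in a ZIP by PE content (not by extension) and reports every EXE that has a DLL sitting in its directory, the precondition for sideloading. The archive contents, file names such as `video.exe` and `version.dll`, and the minimal PE headers are all constructed for the demo; the script cannot verify Authenticode signatures, so it flags candidates for analysis rather than proving maliciousness.

```python
"""Triage heuristic for a lure archive: flag any EXE in a ZIP that shares its
folder with a DLL (the DLL sideloading precondition). Added example; the
sample archives and PE headers below are constructed in memory."""
import io
import posixpath
import struct
import zipfile

IMAGE_FILE_DLL = 0x2000  # COFF Characteristics flag set on DLL images


def classify_pe(data: bytes):
    """Return 'dll' or 'exe' for a PE image, None for anything else.

    Follows the PE layout: 'MZ' magic, e_lfanew at offset 0x3C, 'PE\\0\\0'
    signature, then the Characteristics field of the COFF file header,
    which sits 22 bytes after the signature (4-byte signature + 18 bytes
    of preceding header fields)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (characteristics,) = struct.unpack_from("<H", data, e_lfanew + 22)
    return "dll" if characteristics & IMAGE_FILE_DLL else "exe"


def sideload_candidates(zip_bytes: bytes):
    """Map each EXE in the archive to the DLLs that share its directory.

    Files are classified by content, so a renamed PE (e.g. an '.mp4' that
    is really an executable) is still caught."""
    pes = {}  # archive path -> 'exe' | 'dll'
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                kind = classify_pe(fh.read(4096))  # headers fit in the first 4 KiB
            if kind:
                pes[info.filename] = kind
    result = {}
    for path, kind in pes.items():
        if kind != "exe":
            continue
        folder = posixpath.dirname(path)
        dlls = sorted(p for p, k in pes.items()
                      if k == "dll" and posixpath.dirname(p) == folder)
        if dlls:
            result[path] = dlls
    return result


def _fake_pe(is_dll: bool) -> bytes:
    """Construct a minimal PE header (not a runnable binary) for the demo."""
    e_lfanew = 0x40
    header = bytearray(b"MZ" + b"\0" * (0x3C - 2))
    header += struct.pack("<I", e_lfanew)
    header += b"\0" * (e_lfanew - len(header))
    characteristics = 0x2022 if is_dll else 0x0022  # EXECUTABLE_IMAGE [+ DLL]
    header += b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0, characteristics)
    return bytes(header)


def _build_zip(entries) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: a lure archive in the shape described, and a harmless one.
LURE_ZIP = _build_zip({
    "video/video.exe": _fake_pe(False),   # stands in for the signed, legitimate EXE
    "video/version.dll": _fake_pe(True),  # stands in for the DLL it would sideload
    "video/readme.txt": b"open video.exe",
})
CLEAN_ZIP = _build_zip({"video/video.mp4": b"\0\0\0\x18ftypmp42"})

if __name__ == "__main__":
    for label, blob in (("lure", LURE_ZIP), ("clean", CLEAN_ZIP)):
        print(label, sideload_candidates(blob))
```

Run it against a real download by replacing `LURE_ZIP` with the archive's bytes. A hit means "signed EXE plus co-located DLL", which is also how many legitimate installers are packaged, so the next step is to check the DLL's signature and its export table against the vendor's original, not to conclude compromise from this alone.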
As detailed by Bitdefender, the malware can download and run a headless Chrome browser in the background, which opens Facebook posts and YouTube videos to artificially inflate view counts without the victim's knowledge.
The malware can also deploy a stealer that harvests saved login credentials. If it gains access to a Facebook account, it checks whether the account manages any pages or groups, pays for ads, or is linked to a Business Manager account.
This tells the attackers how valuable an account is, so they can issue commands accordingly. Finally, S1deload Stealer can download and run a cryptocurrency miner; the attackers use the victim's device to mine BEAM.
S1deload Stealer infected hundreds of users last year
The S1deload Stealer campaign has been active since at least last year and has infected hundreds of users. Bitdefender says it “detected more than 600 unique users infected with this malware” in the second half of 2022, between July and December.
As expected, the security firm encourages users to avoid downloading executable files from unknown sources and to always know what they are installing on their computers.
“Bitdefender products detect S1deload Stealer in all execution stages. We encourage users to never click on EXE files downloaded from untrusted sources. Additionally, users should never ignore alerts from security software,” a Bitdefender researcher said in a blog post. Bitdefender's whitepaper covers the full technical details of the campaign.