An ongoing malware campaign targets YouTube and Facebook users, infecting their computers with a new information stealer that will hijack their social media accounts and use their devices to mine for cryptocurrency.
Security researchers with Bitdefender's Advanced Threat Control (ATC) team discovered the new malware and dubbed it S1deload Stealer due to its extensive use of
DLL sideloading for evading detection.
"Between July and December 2022, Bitdefender products detected more than 600 unique users infected with this malware," Bitdefender researcher Dávid Ács
said.
Victims are tricked into infecting themselves using social engineering and comments on FaceBook pages that push archives with adult themes (e.g., AlbumGirlSexy.zip, HDSexyGirl.zip, SexyGirlAlbum.zip, and more).
If the user downloads one of the linked archives, they will instead get an executable signed with a valid Western Digital digital signature and a malicious DLL (WDSync.dll) containing the final payload.
Once installed on victims' devices, S1deload Stealer can be instructed by its operators to perform one of several tasks after connecting to the command-and-control (C2) server.
As Bitdefender discovered, it can download and run additional components, including a headless Chrome web browser that runs in the background and emulates human behavior to artificially boost view counts on YouTube videos and Facebook posts.
On other systems, it can also deploy a stealer that decrypts and exfiltrates saved credentials and cookies from the victim's browser and the Login Data SQLite database or a cryptojacker that will mine BEAM cryptocurrency.
![[correlate]](/data/avatars/s/79/79653.jpg?1556985072){kind=avatar}
