Bitdefender's Advanced Threat Control (ATC) team has discovered a new malware campaign, tracked as S1deload Stealer, that targets YouTube and Facebook users. Once on a machine, the malware hijacks the victim's social media accounts and uses the computer's resources to mine cryptocurrency. The researchers found that it relies on DLL sideloading to evade detection. Bitdefender products detected more than 600 unique infected users between July and December 2022.
The S1deload Stealer malware is primarily distributed using social engineering tactics, taking advantage of users’ curiosity and the lure of adult-themed content. Security researchers have reported that the attackers push archives with provocative titles like AlbumGirlSexy.zip, HDSexyGirl.zip, SexyGirlAlbum.zip, and more to entice unsuspecting users.
New S1deload Malware Hijacking Users' Social Media Accounts and Mining Cryptocurrency An active malware campaign has set its sights on Facebook and YouTube users by leveraging a new information stealer to hijack the accounts and abuse the systems' resour… https://t.co/MUAvA56uus
— Israel (@two_minwarning) February 23, 2023
These archives typically contain an executable carrying a valid digital signature, which makes it look legitimate, alongside a malicious DLL named WDSync.dll that holds the final payload. A user who extracts the archive and runs the executable gets no pictures: the signed executable loads WDSync.dll from its own directory (the DLL sideloading technique), so the trusted signature belongs to the loader while the code that actually runs comes from the malicious DLL. From there the malware proceeds to infect the computer.
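The sideloading pattern described above leaves a distinctive footprint in endpoint telemetry: a process running from a user-writable folder loads an unsigned DLL that sits right next to it. The following is an added example, not Bitdefender's tooling or anything from the original article, of detection logic over Sysmon Event ID 7 (ImageLoad) records. The events, the executable name and the paths are constructed; the field names follow Sysmon's schema, where `Signed` and `SignatureStatus` describe the loaded DLL rather than the process.

```python
"""Flag DLL-sideloading candidates in Sysmon Event ID 7 (ImageLoad) records.

Added example; not code from Bitdefender or from the campaign. The events are
constructed and the executable/DLL paths are hypothetical. In Sysmon Event ID 7
the `Signed`/`SignatureStatus` fields describe ImageLoaded (the DLL), not Image
(the process that loaded it).
"""
from pathlib import PureWindowsPath

# Directories where DLL loads are expected and are not treated as sideloading.
TRUSTED_DLL_DIRS = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Path fragments typical of user-writable locations where archives get extracted.
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\downloads\\", "\\appdata\\", "\\public\\")


def is_sideload_candidate(event: dict) -> bool:
    """True when an unsigned DLL is loaded from the loading executable's own
    directory and that directory is user-writable.

    This is the S1deload-style layout: the signature belongs to the EXE, the
    payload is the DLL beside it.
    """
    image = event["Image"].lower()
    dll = event["ImageLoaded"].lower()
    if dll.startswith(TRUSTED_DLL_DIRS):
        return False
    same_dir = PureWindowsPath(image).parent == PureWindowsPath(dll).parent
    user_writable = any(marker in dll for marker in USER_WRITABLE_MARKERS)
    unsigned = event.get("Signed", "false").lower() != "true"
    return same_dir and user_writable and unsigned


def find_sideload_candidates(events):
    """Return (Image, ImageLoaded) pairs worth triaging, deduplicated, in order."""
    seen, hits = set(), []
    for ev in events:
        if is_sideload_candidate(ev):
            key = (ev["Image"], ev["ImageLoaded"])
            if key not in seen:
                seen.add(key)
                hits.append(key)
    return hits


# Constructed Sysmon Event ID 7 records (not real telemetry).
SAMPLE_EVENTS = [
    {  # signed EXE extracted from a lure archive loads an unsigned DLL beside it
        "Image": r"C:\Users\victim\Downloads\AlbumGirlSexy\Album.exe",
        "ImageLoaded": r"C:\Users\victim\Downloads\AlbumGirlSexy\WDSync.dll",
        "Signed": "false",
        "SignatureStatus": "Unavailable",
    },
    {  # the same EXE loading a genuine system DLL: normal
        "Image": r"C:\Users\victim\Downloads\AlbumGirlSexy\Album.exe",
        "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
        "Signed": "true",
        "SignatureStatus": "Valid",
    },
    {  # an installed application loading its own signed DLL: normal
        "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "ImageLoaded": r"C:\Program Files\Google\Chrome\Application\chrome_elf.dll",
        "Signed": "true",
        "SignatureStatus": "Valid",
    },
    {  # unsigned DLL in a user directory loaded by a process from elsewhere:
       # suspicious, but not the side-by-side layout this rule is for
        "Image": r"C:\Windows\System32\rundll32.exe",
        "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\helper.dll",
        "Signed": "false",
        "SignatureStatus": "Unavailable",
    },
]

if __name__ == "__main__":
    for image, dll in find_sideload_candidates(SAMPLE_EVENTS):
        print(f"sideload candidate: {image} -> {dll}")
```

The rule deliberately ignores loads from Windows and Program Files, so a legitimately installed application that ships its own DLLs does not fire; the remaining false positives (portable tools run from Downloads) are few enough to triage by hand, and a hit is worth checking against the signer of the loading executable.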
This delivery method is not new; it is a popular tactic among cybercriminals because social engineering sidesteps technical controls: rather than exploiting a vulnerability, it gets users to install the malware themselves.
Social Engineering Tactics
According to a Proofpoint report, attackers increasingly rely on social engineering tactics to trick users into installing malware. The report states that the number of phishing emails with malicious attachments or links increased by 300% in Q1 2021 compared to Q4 2020.
Attackers are also using social media platforms like Facebook and Twitter to spread malware. They use fake profiles and messages to lure users into clicking on links or downloading files. Once the user clicks on the link or downloads the file, their device gets infected with malware.
In some cases, attackers use more sophisticated tactics like spear-phishing, where they target specific individuals with tailored messages to trick them into revealing sensitive information. They might also use pretexting, where they impersonate a trusted entity like a bank or an organization to trick users into giving up their credentials.
Facebook Account Hijacking
The S1deload Stealer campaign targets Facebook accounts as well as YouTube. Once it controls a Facebook account, the malware estimates what that account is worth by querying the Facebook Graph API: whether the account administers a Facebook page or group, whether it pays for ads, and whether it is linked to a Business Manager account.
The malware also has a stealer component that exfiltrates saved credentials and cookies from the victim's browser, including the Login Data SQLite database in which Google Chrome stores saved passwords. The stolen data includes Facebook usernames, passwords and cookies, as well as Chrome passwords, cookies and saved credit card information.
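For an incident responder, the practical question after a stealer like this has run is which saved credentials were exposed and therefore need rotating. The following is an added example, not Bitdefender's code and not the malware's, that reads a Chrome `Login Data` SQLite database and lists the origins and usernames in its `logins` table without touching the encrypted `password_value` blobs. The database here is constructed in memory with only the columns the example reads; a real file lives under the Chrome profile directory and must be copied first because the running browser holds a lock on it.

```python
"""Build a credential-rotation list from a Chrome/Chromium `Login Data` file.

Added example for incident response; not code from Bitdefender or from the
campaign. The sample database is constructed in memory and contains only the
columns this script reads (a real `logins` table has many more). Passwords are
never decrypted: `password_value` is an encrypted blob (a "v10"-prefixed
AES-GCM ciphertext whose key is protected with DPAPI in the profile's Local
State file), and the rotation list does not need it.
"""
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Chrome stores timestamps as microseconds since 1601-01-01 (the Windows FILETIME epoch).
_CHROME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def chrome_time_to_datetime(micros: int) -> datetime:
    return _CHROME_EPOCH + timedelta(microseconds=micros)


def datetime_to_chrome_time(dt: datetime) -> int:
    # Integer arithmetic: the values are ~1.3e16 and would lose precision as floats.
    td = dt - _CHROME_EPOCH
    return td.days * 86_400_000_000 + td.seconds * 1_000_000 + td.microseconds


def exposed_logins(conn):
    """Return (host, username, last_used) tuples from `logins`, most recent first.

    `blacklisted_by_user = 1` rows are "never save for this site" markers with
    no credential in them, so they are skipped.
    """
    rows = conn.execute(
        "SELECT origin_url, username_value, date_last_used "
        "FROM logins WHERE blacklisted_by_user = 0"
    ).fetchall()
    out = []
    for origin, user, last_used in rows:
        host = urlsplit(origin).hostname or origin
        out.append((host, user, chrome_time_to_datetime(last_used)))
    out.sort(key=lambda r: r[2], reverse=True)
    return out


def rotation_list(conn):
    """Hosts whose credentials must be rotated, deduplicated, most recently used first."""
    seen, hosts = set(), []
    for host, _, _ in exposed_logins(conn):
        if host not in seen:
            seen.add(host)
            hosts.append(host)
    return hosts


def build_sample_login_data():
    """Constructed stand-in for a victim's Login Data file (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE logins (origin_url TEXT, username_value TEXT, "
        "password_value BLOB, date_last_used INTEGER, blacklisted_by_user INTEGER)"
    )
    t = lambda y, m, d: datetime_to_chrome_time(datetime(y, m, d, tzinfo=timezone.utc))
    rows = [
        ("https://www.facebook.com/login", "victim@example.com", b"v10\x00fake", t(2022, 12, 1), 0),
        ("https://accounts.google.com/signin", "victim@example.com", b"v10\x00fake", t(2022, 11, 20), 0),
        ("https://www.facebook.com/", "victim.alt@example.com", b"v10\x00fake", t(2022, 10, 10), 0),
        ("https://bank.example.net/", "victim", b"v10\x00fake", t(2022, 9, 3), 0),
        ("https://forum.example.org/", "", b"", 0, 1),  # "never save" marker, no credential
    ]
    conn.executemany("INSERT INTO logins VALUES (?, ?, ?, ?, ?)", rows)
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_sample_login_data()
    for host, user, last_used in exposed_logins(db):
        print(f"{last_used:%Y-%m-%d}  {host:24}  {user}")
    print("rotate:", ", ".join(rotation_list(db)))
```

To run this against a real profile, copy `Login Data` out of the profile directory while Chrome is closed (or from a forensic image) and open the copy with `sqlite3.connect(path)` in place of `build_sample_login_data()`. Rotating the listed passwords is only half the job: the malware also took cookies, so every listed site's active sessions should be signed out as well.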
The cybercriminals behind the malware can use these stolen credentials to further spread the malware on social media by using the victim’s accounts to post the same malicious links and files that initially infected their system. This creates a feedback loop where the malware infects more machines, and the attackers continue to steal more valuable data.
Bitdefender researchers emphasize that the S1deload Stealer malware campaign is ongoing, and more victims could be infected. They advise social media users never to run executables from unknown sources and always keep their anti-malware software up to date to prevent infections.
Facebook’s Response To The S1deload Stealer Malware
In response to the S1deload Stealer malware that hijacks Facebook accounts, the social media giant has intensified efforts to protect its users. The company advised its users to exercise caution when downloading any files from unknown sources and install anti-malware software to protect their devices.
Facebook also stated that it had taken steps to prevent the spread of S1deload Stealer on its platform. This includes removing malicious links and disabling accounts that share them. The company is also working with security researchers to track and block any new instances of malware.
“Protecting people’s accounts is a top priority for Facebook, and we are constantly working to improve our defenses against malicious actors,” a Facebook spokesperson said in a statement.
The company advised users to enable two-factor authentication on their accounts and be cautious of any unusual activity, such as unexpected login attempts or messages from unknown sources.
Facebook also stated that it had been actively collaborating with law enforcement agencies to identify and prosecute the perpetrators behind the S1deload Stealer campaign. It urged anyone who has fallen victim to the malware to report the incident to the appropriate authorities.
The company assured its users that it is committed to maintaining a safe and secure platform and will continue to invest in technology and personnel to detect and prevent threats like S1deload Stealer.
Prevention Measures
To avoid falling victim to the S1deload Stealer malware and other similar threats, security experts recommend taking some precautionary measures to stay safe online.
Firstly, users should be cautious of suspicious links or attachments in emails and messages from unknown senders. It’s crucial to avoid clicking on links or downloading attachments unless they’re from a trusted source.
Additionally, it’s important to keep antivirus and anti-malware software up to date to protect against the latest threats. Users should also be cautious of free downloads, especially cracked or modified software. These can often come bundled with malware that’s hidden inside the installation package.
It’s also advisable to regularly update software and operating systems with the latest security patches to prevent attackers from exploiting known vulnerabilities.
Another essential measure is to use strong, unique passwords and enable two-factor authentication wherever possible. This significantly reduces the risk of account takeover when attackers obtain a password. It is not a complete defense against a stealer like S1deload, which also takes session cookies: a valid cookie lets the attacker into an already-authenticated session without a password or second factor, so a victim should also sign out of all active sessions after cleaning the machine.
Lastly, it’s essential to maintain a healthy level of skepticism when browsing the internet, especially when it comes to clicking on links or downloading files. By following these guidelines, users can protect themselves against malware attacks like S1deload Stealer and others that may emerge in the future.
While the threat of malware can be daunting, there are plenty of steps users can take to protect themselves. By staying vigilant and proactively securing their devices and data, individuals can greatly reduce the risk of becoming a victim of cybercrime.
Conclusion
The S1deload Stealer malware campaign targets YouTube and Facebook users through social engineering tactics. It infects computers, hijacks social media accounts, and uses devices to mine cryptocurrency. The malware uses DLL sideloading to evade detection, making it difficult for anti-malware software to detect. Users should be vigilant and avoid running executables from unknown sources to prevent their devices from being infected. Keeping anti-malware software up to date can also help prevent malware infections.