Researchers from Bitdefender have discovered an ongoing malware campaign that is targeting Facebook and YouTube users. The malware, named S1deload Stealer, is a DLL side-loading threat that bypasses security defenses to execute malicious components.
The malware is able to steal user credentials, emulate human behavior to artificially boost video and other content engagement, assess the value of individual accounts, mine for BEAM cryptocurrency, and propagate the malicious link to the user’s followers.
The objective of the campaign is to hijack the user’s Facebook and YouTube accounts and rent out access to raise view counts and likes for videos and posts shared on the platforms.
More than 600 unique users were affected during the six-month period between July and December 2022, with the majority of infections located in Romania, Turkey, France, Bangladesh, Mexico, Peru, and Canada. To infect victims, the operators lure users with adult-themed content via Facebook posts that contain links to ZIP archives; when extracted, these archives trigger an intricate infection sequence that ends with the deployment of the malware.
The stealer further captures saved credentials and cookies from web browsers, conducts Facebook profile checks, and also loads a cryptojacker that mines cryptocurrency without the victim’s knowledge or consent.
The malware author can create a feedback loop: the more PCs they infect, the more they can spam on Facebook, and the more clicks they generate to infect still more PCs. The stealer has serious privacy implications for an infected victim, as it exfiltrates the victim's saved credentials, including email, social media, and even financial accounts. The threat actor can use these accounts directly or sell them on the dark web.