New S1deload Malware Hijacking Users' Social Media Accounts and Mining Cryptocurrency
An active malware campaign has set its sights on Facebook and YouTube users by leveraging a new information stealer to hijack the accounts and abuse the systems' resources to mine cryptocurrency.
Once infected, S1deload Stealer steals user credentials, emulates human behavior to artificially boost videos and other content engagement, assesses the value of individual accounts (such as identifying corporate social media admins), mines for BEAM cryptocurrency, and propagates the malicious link to the user's followers.
Put differently, the goal of the campaign is to take control of the users' Facebook and YouTube accounts and rent out access to raise view counts and likes for videos and posts shared on the platforms.
More than 600 unique users are estimated to have been impacted during the six-month period between July and December 2022.
To pull off the scheme, users are lured with adult-themed content via Facebook posts that contain links to ZIP archives, which, when extracted, triggers an intricate infection sequence leading to the deployment of the malware.
The malware author can therefore create a feedback loop: the more PCs they can infect, the more they can spam on Facebook, the more clicks they can generate to infect more PCs.
Besides being capable of downloading additional modules on the compromised host, the malware is also responsible for launching a headless Chrome browser that makes use of an extension to artificially inflate YouTube video views.
The stealer further captures saved credentials and cookies from web browsers, conducts Facebook profile checks, and also loads a cryptojacker that mines cryptocurrency without the victim's knowledge or consent.
Found infrastructure overlaps with a website called up view that advertises options to buy YouTube views, likes, and subscribers as well as options to increase Facebook post likes, comments, followers, and video views.
S1deload stealer has serious privacy implications for the victim infected with it. The malware exfiltrates the victim's saved credentials, including email, social media or even financial accounts. The threat actor can access these accounts or sell them on the dark web.