Facebook and YouTube users are being targeted by an aggressive malware campaign that uses a new information stealer to hijack their accounts and burn the infected machines' resources mining cryptocurrency.
Bitdefender has dubbed the malware S1deload Stealer because it relies on DLL side-loading to evade security controls and execute its malicious components.
According to Bitdefender researcher Dávid ÁCS, S1deload Stealer mines the BEAM cryptocurrency, assesses the value of individual accounts (for example by identifying corporate social media admins), steals user credentials, imitates human behaviour to artificially boost engagement on videos and other content, and spreads the malicious link to the victim's followers.
In other words, the campaign's objective is to seize control of victims' Facebook and YouTube accounts and rent out that access to inflate the views and likes on uploaded videos and posts.
Over the six-month period from July to December 2022, more than 600 unique users were affected. The bulk of the infections were found in Canada, Turkey, France, Bangladesh, and Mexico.
The lure is a Facebook post promising adult-themed content, with a link to a ZIP archive. Once the victim extracts the archive and runs its contents, a multi-stage infection chain begins that ends with the deployment of the malware.
This gives the malware author a feedback loop: the more PCs they infect, the more Facebook spam they can post, and the more clicks they can generate to infect additional PCs.
The malware is also responsible for launching a headless Chrome browser loaded with an extension that artificially inflates YouTube video views, and it can download additional modules onto the compromised host.
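Two of the behaviours described above, DLL side-loading and a headless Chrome instance running a planted extension, leave footprints a defender can hunt for in endpoint telemetry. The following is an added example, not Bitdefender's code or anything from the S1deload analysis: it runs two simple heuristics over constructed Sysmon-style events (Event ID 7, image load; Event ID 1, process creation). The event records, paths, and the list of "known System32 DLL names" are all assumptions made up for the illustration, not indicators from the campaign.

```python
"""Hunting heuristics for DLL side-loading and headless Chrome with an
unpacked extension, run over constructed Sysmon-style events.
Added example for illustration; the events, paths and DLL list are assumed."""
import ntpath  # handles Windows paths correctly even when run on Linux/macOS

# Directories where a Windows system DLL is expected to live (lower-cased for comparison).
SYSTEM_DIRS = (
    r"c:\windows\system32" + "\\",
    r"c:\windows\syswow64" + "\\",
    r"c:\windows\winsxs" + "\\",
)

# Assumed, illustrative set of DLL names that belong to Windows and are
# frequently abused for side-loading. A real hunt would use a fuller list.
KNOWN_SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "wininet.dll", "cryptsp.dll", "msimg32.dll"}


def is_sideload_candidate(event):
    """Event 7 (ImageLoaded): a DLL carrying a Windows system name that was
    loaded from somewhere other than a Windows system directory."""
    if event.get("EventID") != 7:
        return False
    loaded = event["ImageLoaded"].lower()
    name = ntpath.basename(loaded)
    return name in KNOWN_SYSTEM_DLLS and not loaded.startswith(SYSTEM_DIRS)


def is_headless_chrome_with_extension(event):
    """Event 1 (ProcessCreate): chrome.exe started headless with a
    --load-extension= argument, i.e. an unpacked extension nobody clicked on."""
    if event.get("EventID") != 1:
        return False
    image = ntpath.basename(event["Image"].lower())
    cmd = event["CommandLine"].lower()
    return image == "chrome.exe" and "--headless" in cmd and "--load-extension=" in cmd


def triage(events):
    """Return (rule, process, detail) tuples for every event a heuristic matches."""
    findings = []
    for e in events:
        if is_sideload_candidate(e):
            findings.append(("dll_sideload", e["Image"], e["ImageLoaded"]))
        if is_headless_chrome_with_extension(e):
            findings.append(("headless_chrome_ext", e["Image"], e["CommandLine"]))
    return findings


# Constructed sample telemetry (not real events). Raw strings keep the backslashes literal.
SAMPLE_EVENTS = [
    # Executable dropped next to a look-alike version.dll: classic side-loading layout.
    {"EventID": 7, "Image": r"C:\Users\u\Downloads\photos\viewer.exe",
     "ImageLoaded": r"C:\Users\u\Downloads\photos\version.dll", "Signed": "false"},
    # Same executable loading the genuine system copy: benign.
    {"EventID": 7, "Image": r"C:\Users\u\Downloads\photos\viewer.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
    # Headless Chrome with an unpacked extension from a temp directory.
    {"EventID": 1, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"chrome.exe" --headless --disable-gpu --load-extension=C:\Users\u\AppData\Local\Temp\ext'},
    # Ordinary interactive Chrome launch: benign.
    {"EventID": 1, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"chrome.exe" --profile-directory=Default'},
    # A DLL not on the watch list loaded from Program Files: ignored by the heuristic.
    {"EventID": 7, "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\app\helper.dll", "Signed": "true"},
]

if __name__ == "__main__":
    for rule, proc, detail in triage(SAMPLE_EVENTS):
        print(f"[{rule}] {proc} -> {detail}")
```

Both rules are deliberately loose and will be noisy on real fleets: plenty of legitimate software ships its own copy of `version.dll` or `dbghelp.dll`, and automation frameworks launch headless Chrome all day. Use them as triage filters and correlate with the `Signed` / `Signature` fields of Event 7, the parent process, and whether the executable lives under a user-writable path such as Downloads or Temp before escalating.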
It also steals cookies and saved login credentials from web browsers, inspects the victim's Facebook profile, and loads a cryptojacker that mines cryptocurrency without the victim's knowledge or consent.
Bitdefender said it found infrastructure overlaps with a website, upview[.]us, that sells Facebook post likes, comments, followers and video views, as well as YouTube views, likes and subscribers.
The Romanian company said that "S1deload Stealer has major privacy concerns for the victim infected with it. The malware steals the victim's saved login information for accounts like email, social networking, and even financial ones. These accounts are accessible to the threat actor, who may also sell them on the dark web."