An ongoing malware campaign targets YouTube and Facebook users, infecting their computers with a new information stealer that can hijack their social media accounts and use their devices to mine cryptocurrency.
Security researchers with Bitdefender's Advanced Threat Control (ATC) team discovered the new malware and dubbed it S1deload Stealer because of its extensive use of DLL sideloading to evade detection.
“Between July and December 2022, Bitdefender products detected more than 600 unique users infected with this malware,” Bitdefender researcher Dávid Ács said.
Victims are tricked into infecting themselves through social engineering: comments on Facebook pages push archives with adult themes (e.g., AlbumGirlSexy.zip, HDSexyGirl.zip, SexyGirlAlbum.zip, and more).
If the user downloads one of the linked archives, they instead get an executable carrying a valid Western Digital digital signature together with a malicious DLL (WDSync.dll) that contains the final payload. The legitimately signed executable acts as the sideloading host: when it runs, it loads the attacker's DLL sitting next to it, so the malicious code executes under the cover of a trusted, signed binary.
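One way to turn the sideloading pattern described above into a detection check, as an added example that is not part of the article or of Bitdefender's research: the script below applies a simple heuristic to Sysmon Event ID 7 (image load) records rendered as single key=value lines. It flags a DLL that is unsigned (or whose signature is not valid) and is loaded from the same user-writable directory as the process that loads it, which is exactly what an archive extracted into Downloads produces, and separately flags a watchlisted DLL name loaded from outside a protected install path. The event lines, the "Vendor App" and "DevTool" paths and the signer strings are constructed for illustration; WDSync.dll is the only name taken from the campaign, and in practice the records would come from the Sysmon operational event log rather than a hard-coded list.

```python
"""
Heuristic detection of DLL sideloading over Sysmon Event ID 7 (ImageLoad) records.
Added example; the sample events below are constructed, not real telemetry.
"""
import re
from pathlib import PureWindowsPath
from typing import Dict, List

# Path fragments that indicate a location a normal user can write to.
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\appdata\\", "\\downloads\\", "\\desktop\\", "\\public\\")
# Protected install locations where a vendor's own DLL is expected to live.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\",
                 "c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# DLL names known to be sideloaded by a legitimately signed host.
# Only WDSync.dll comes from the S1deload write-up; extend from your own IOCs.
SIDELOAD_WATCHLIST = {"wdsync.dll"}

# key=value pairs; values containing spaces are double-quoted.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed single-line renderings of Sysmon Event ID 7 fields.
SAMPLE_EVENTS = [
    # 1. legitimate: vendor EXE and DLL both under Program Files, DLL validly signed
    r'Image="C:\Program Files\Vendor App\WDSync.exe" ImageLoaded="C:\Program Files\Vendor App\WDSync.dll" Signed=true Signature="Example Vendor, Inc." SignatureStatus=Valid',
    # 2. sideload: signed host extracted into Downloads loads the unsigned DLL beside it
    r'Image="C:\Users\bob\Downloads\AlbumGirlSexy\WDSync.exe" ImageLoaded="C:\Users\bob\Downloads\AlbumGirlSexy\WDSync.dll" Signed=false SignatureStatus=Unavailable',
    # 3. installed tool loads an unsigned plugin from AppData (not co-located, not watchlisted)
    r'Image="C:\Program Files\DevTool\devtool.exe" ImageLoaded="C:\Users\bob\AppData\Local\DevTool\plugins\helper.dll" Signed=false SignatureStatus=Unavailable',
    # 4. watchlisted DLL name loaded from a public directory via rundll32
    r'Image="C:\Windows\System32\rundll32.exe" ImageLoaded="C:\Users\Public\WDSync.dll" Signed=false SignatureStatus=Unavailable',
    # 5. the dropped host loading a system DLL: normal, nothing should fire
    r'Image="C:\Users\bob\Downloads\AlbumGirlSexy\WDSync.exe" ImageLoaded="C:\Windows\System32\kernel32.dll" Signed=true Signature="Microsoft Windows" SignatureStatus=Valid',
]


def parse_event(line: str) -> Dict[str, str]:
    """Parse one key=value line into a dict (quoted and unquoted values)."""
    return {key: (quoted or bare) for key, quoted, bare in FIELD_RE.findall(line)}


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def in_trusted_root(path: str) -> bool:
    return _norm(path).startswith(TRUSTED_ROOTS)


def in_user_writable(path: str) -> bool:
    p = _norm(path)
    return any(marker in p for marker in USER_WRITABLE_MARKERS) and not p.startswith(TRUSTED_ROOTS)


def classify(ev: Dict[str, str]) -> List[str]:
    """Return the sideloading indicators that fire for one ImageLoad record (empty list = clean)."""
    host, dll = ev.get("Image", ""), ev.get("ImageLoaded", "")
    if not host or not dll or not _norm(dll).endswith(".dll"):
        return []
    reasons: List[str] = []
    co_located = str(PureWindowsPath(host).parent).lower() == str(PureWindowsPath(dll).parent).lower()
    # Sysmon's Signed/SignatureStatus fields describe the loaded image, i.e. the DLL.
    dll_trusted = ev.get("Signed", "false").lower() == "true" and ev.get("SignatureStatus") == "Valid"
    if co_located and in_user_writable(dll) and not dll_trusted:
        reasons.append("unsigned or invalid DLL loaded from the host's own user-writable directory")
    if PureWindowsPath(dll).name.lower() in SIDELOAD_WATCHLIST and not in_trusted_root(dll):
        reasons.append("watchlisted sideload DLL name loaded outside a protected install path")
    return reasons


def scan(lines: List[str]) -> Dict[str, List[str]]:
    """Map each suspicious ImageLoaded path to the indicators that fired."""
    hits: Dict[str, List[str]] = {}
    for line in lines:
        ev = parse_event(line)
        reasons = classify(ev)
        if reasons:
            hits[ev["ImageLoaded"]] = reasons
    return hits


if __name__ == "__main__":
    for path, reasons in scan(SAMPLE_EVENTS).items():
        print(path)
        for r in reasons:
            print("   -", r)
```

The co-location check is what separates the sideloading case from ordinary plugin loading (event 3): an unsigned DLL under AppData is common, but an unsigned DLL living next to a signed executable in a download directory rarely is. Tune the watchlist and the user-writable markers to your environment, and treat a hit as a lead for triage rather than a verdict.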
Once installed on a victim's device, S1deload Stealer connects to its command-and-control (C2) server and can then be instructed by its operators to perform one of several tasks.
As Bitdefender found, it can download and run additional components, including a headless Chrome web browser that runs in the background and emulates human behavior to artificially boost view counts on YouTube videos and Facebook posts.
On other systems, it can instead deploy a stealer that decrypts and exfiltrates saved credentials and cookies from the victim's browser, including the Login Data SQLite database, or a cryptojacker that mines the BEAM cryptocurrency.
If it manages to steal a Facebook account, the malware even tries to estimate the account's actual value by querying the Facebook Graph API to find out whether the victim administers a Facebook page or group, pays for ads, or is linked to a Business Manager account.
“The stealer component we observed in the wild steals the saved credentials from the victim's browser, exfiltrating them to the malware author's server,” Ács added.
“The malware author uses the newly obtained credentials to spam on social media and infect more machines, creating a feedback loop.”
To avoid getting infected and having your social media accounts hijacked, never run executables from unknown sources, and keep your anti-malware software up to date.
Indicators of compromise (IOCs) and YARA rules linked to this malware campaign are available at the end of Bitdefender's whitepaper (PDF).
Threat intelligence company SEKOIA also observed a new information stealer strain known as Stealc, which is advertised on the dark web and on hacking forums as featuring an easy-to-use administration panel and extensive data-stealing capabilities.
Unlike S1deload Stealer, Stealc is distributed via fake cracked software, a very common tactic also used to push other information stealers such as Vidar, Redline, Raccoon, and Mars.