A new information-stealing malware has been discovered that can hijack social media accounts and mine cryptocurrency on infected systems. The malware, dubbed S1deload Stealer, is built to take control of users’ Facebook and YouTube accounts and rent out that access to artificially raise view counts and likes on those platforms.
S1deload uses adult-themed content via Facebook posts containing links to ZIP archives to lure users into extracting and executing the malware. The infection process utilizes multiple stages of DLL-sideloading into legitimate binaries to execute various payloads on the system. The first payload creates an additional executable, a legitimate binary from Canon, and an associated DLL file and executes it. The second payload acts as a loader to communicate with the C2 and download and execute the next stage payload. This next stage payload acts as the main C2 communication module for the malware, executing commands sent from the C2 server on the system. Finally, an additional payload is downloaded and executed from the C2 server that creates a hidden Chrome browser sideloaded with a malicious extension. This extension sends commands to the browser to boost view counts on specified videos on YouTube. All of these payloads also create entries in the user’s Run Registry key to establish persistence for each step of the infection.
In addition to these steps, the malware captures saved credentials from web browsers, loads a cryptojacker onto the system, and conducts Facebook profile checks. The stolen Facebook credentials are used to spam the malware to the infected user’s friends, thus potentially propagating the malware further.
Social media sites like Facebook are common vectors for threat actors to spread malware. Due to this, it is highly recommended to avoid downloading files from social media sites, particularly in cases where the source is unknown or untrusted. Even from known sources, it is recommended to carefully vet any links or files that are shared, as the source account could itself be compromised. It is also recommended to maintain good endpoint security controls on all devices in an organization, particularly ones used by end users to browse the Internet. This can not only help prevent such malware from infecting a device in the first place, but it can also help detect any malware that does slip through. The infection process that S1deload uses contains many techniques that can be detected and alerted on. Legitimate, signed binaries executing from abnormal file locations, unknown processes making outbound network connections that follow the pattern of C2 beaconing, and multiple abnormal Run Registry keys being created in quick succession are all behaviors that would be considered suspicious. Binary Defense’s Managed Detection and Response service is an excellent asset to assist with these types of detection needs.
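The three behaviors called out above (signed binaries running from user-writable paths, Run-key writes in quick succession, and regular-interval outbound connections) map directly onto the infection chain described earlier. The following is an added example, not code from the original write-up or from Binary Defense, showing how each of those behaviors can be expressed as a simple rule and run over endpoint telemetry. The event records are constructed and only loosely modeled on Sysmon fields; the file paths, process names, and the thresholds (a 120-second window, three Run-key writes, four connections with at most 15% timing jitter) are assumptions chosen for illustration, not indicators from the report.

```python
"""Rule-based detection of the S1deload-style behaviours discussed above.

Added example. EVENTS is constructed telemetry, not data from the report;
thresholds are illustrative assumptions that a real deployment would tune.
"""
from collections import defaultdict
from statistics import mean, pstdev

RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed events. ts = seconds since an arbitrary epoch.
EVENTS = [
    # A vendor-signed binary launched from the Temp folder (suspicious) ...
    {"ts": 0, "type": "process", "pid": 410, "signed": True,
     "image": r"C:\Users\alice\AppData\Local\Temp\ext\CanonIJ.exe"},
    # ... versus the same vendor's binary in its normal install location.
    {"ts": 0, "type": "process", "pid": 411, "signed": True,
     "image": r"C:\Program Files\Canon\CanonIJ.exe"},
    # Three Run-key values written within a few seconds of each other.
    {"ts": 1, "type": "registry", "pid": 410, "key": RUN_KEY, "value": "Canon"},
    {"ts": 5, "type": "registry", "pid": 410, "key": RUN_KEY, "value": "Loader"},
    {"ts": 7, "type": "registry", "pid": 410, "key": r"HKCU\Software\Example", "value": "x"},
    {"ts": 9, "type": "registry", "pid": 522, "key": RUN_KEY, "value": "Update"},
    # Hypothetical loader beaconing out every 60 seconds.
    *[{"ts": t, "type": "network", "pid": 522,
       "image": r"C:\Users\alice\AppData\Roaming\loader.exe"} for t in (20, 80, 140, 200, 260)],
    # Normal browser traffic: bursty, irregular gaps.
    *[{"ts": t, "type": "network", "pid": 601,
       "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"} for t in (3, 4, 30, 31, 120)],
]

USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")


def signed_binaries_in_user_paths(events):
    """Return images of signed executables started from user-writable directories."""
    hits = []
    for e in events:
        if e["type"] == "process" and e.get("signed"):
            path = e["image"].lower()
            if any(marker in path for marker in USER_WRITABLE):
                hits.append(e["image"])
    return hits


def run_key_burst(events, window=120, threshold=3):
    """Return (count, start_ts) of the densest burst of Run-key writes, or None."""
    times = sorted(e["ts"] for e in events
                   if e["type"] == "registry" and e["key"].lower().endswith(r"\currentversion\run"))
    best = None
    for i, start in enumerate(times):
        count = sum(1 for t in times[i:] if t - start <= window)
        if count >= threshold and (best is None or count > best[0]):
            best = (count, start)
    return best


def beaconing_processes(events, min_conns=4, max_jitter=0.15):
    """Map image -> mean interval for processes whose outbound connections are evenly spaced."""
    by_proc = defaultdict(list)
    for e in events:
        if e["type"] == "network":
            by_proc[(e["pid"], e["image"])].append(e["ts"])
    flagged = {}
    for (_pid, image), ts in by_proc.items():
        if len(ts) < min_conns:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        avg = float(mean(gaps))
        # Low coefficient of variation in the gaps = machine-like timing.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            flagged[image] = round(avg, 1)
    return flagged


if __name__ == "__main__":
    print("signed binaries in user paths:", signed_binaries_in_user_paths(EVENTS))
    print("Run-key burst (count, start):", run_key_burst(EVENTS))
    print("beaconing processes:", beaconing_processes(EVENTS))
```

Each rule is deliberately narrow so that it is cheap to evaluate continuously; in practice the value comes from correlating them, since a signed binary in a temp directory that then writes Run keys and begins beaconing is far stronger evidence than any one signal alone.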