A new information-stealing malware has been discovered that hijacks social media accounts and mines cryptocurrency on infected systems. The malware, dubbed S1deload Stealer, takes control of users' Facebook and YouTube accounts and rents out that access to artificially boost view counts and likes on content shared on those platforms.
S1deload lures victims with adult-themed Facebook posts that link to ZIP archives, counting on the user to extract and run the contents. The infection chain relies on multiple stages of DLL sideloading into legitimate binaries to execute each payload. The first payload drops a legitimate Canon executable together with an accompanying malicious DLL and launches the executable so that it loads the DLL. The second payload is a loader that contacts the C2 server and downloads and executes the next stage. That stage is the main C2 communication module, executing commands the server sends to the infected system. Finally, a further payload fetched from the C2 server launches a hidden Chrome browser loaded with a malicious extension; the extension drives the browser to inflate view counts on specified YouTube videos. Each of these stages also writes its own entry under the user's Run registry key, so every step of the chain is persisted independently.
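The chain above leaves a recognisable footprint on disk: a Run-key entry that launches a validly signed vendor binary from a user-writable directory, with DLLs sitting beside it. The following PowerShell script is an added hunting example, not code from the original report or from the researchers who analysed S1deload, and it names no S1deload-specific file names or signers (the page does not give them). The "suspicious" heuristic, the set of trusted install roots, and the optional Chrome command-line check are this script's own assumptions.

```powershell
# Added example, not from the original report: triage Run-key persistence for the
# DLL-sideloading pattern described above (signed vendor EXE + sibling DLLs, launched
# from a user-writable directory). Heuristics and paths are assumptions of this script.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)

# Directories a signed vendor binary is normally expected to run from (assumption).
$trustedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:windir) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

function Get-ExePathFromCommand {
    param([string]$Command)
    # Run values are shell command lines: "C:\path\app.exe" /arg  or  C:\path\app.exe /arg
    if ($Command -match '^\s*"([^"]+)"')  { return $Matches[1] }
    if ($Command -match '^\s*(\S+\.exe)') { return $Matches[1] }
    return $null
}

function Test-SideloadPersistence {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }          # registry provider metadata, not a Run value
            $exe = Get-ExePathFromCommand $p.Value
            if (-not $exe -or -not (Test-Path $exe)) { continue }

            $dir = Split-Path -Parent $exe
            $inTrusted = $trustedRoots | Where-Object {
                $dir.StartsWith($_, [StringComparison]::OrdinalIgnoreCase)
            }
            $sig = Get-AuthenticodeSignature -FilePath $exe
            $siblingDlls = @(Get-ChildItem -Path $dir -Filter '*.dll' -File -ErrorAction SilentlyContinue)

            # Sideload pattern: a *validly signed* third-party binary, outside the usual
            # install roots, with DLLs next to it that it may resolve before system DLLs.
            $suspicious = ($sig.Status -eq 'Valid') -and (-not $inTrusted) -and ($siblingDlls.Count -gt 0)

            [pscustomobject]@{
                Key        = $key
                ValueName  = $p.Name
                Executable = $exe
                Signer     = $sig.SignerCertificate.Subject
                SigStatus  = $sig.Status
                Dlls       = ($siblingDlls.Name -join ', ')
                Suspicious = $suspicious
            }
        }
    }
}

function Test-HiddenChromeExtension {
    # Assumption, not from the report: a chrome.exe carrying --load-extension or
    # --headless on its command line is worth inspecting alongside the Run-key hits.
    Get-CimInstance Win32_Process -Filter "Name = 'chrome.exe'" |
        Where-Object { $_.CommandLine -match '--load-extension|--headless' } |
        Select-Object ProcessId, ParentProcessId, CommandLine
}

# Usage: list only the Run entries matching the sideload pattern, then any odd Chrome processes.
Test-SideloadPersistence | Where-Object Suspicious | Format-List
Test-HiddenChromeExtension | Format-List
```

The point of keying on a *valid* signature is that this technique deliberately abuses a trusted, signed executable; an unsigned dropper is caught by ordinary autoruns tooling, whereas a Canon-signed binary in a profile directory looks benign until you notice the DLL beside it. Expect some benign hits from per-user installers that legitimately live under AppData, so treat the output as a triage list: for each hit, compare the sibling DLL's hash and signer against the vendor's genuine copy before acting.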
In addition, the malware harvests credentials saved in web browsers, deploys a cryptojacker on the system, and checks the victim's Facebook profile. The stolen Facebook credentials are then used to spam the same lure to the victim's friends, giving the malware a means of propagating further.