Beware: Facebook and YouTube accounts are being hijacked by sneaky new spyware

S1deload Stealer uses social media posts to infect unsuspecting users

Getting your Facebook account hacked is bad enough as it is, but a newly discovered malware campaign making the rounds online not only hijacks your Facebook and YouTube accounts but also steals your passwords.

The malware in question has been dubbed S1deload Stealer by researchers at Bitdefender’s Advanced Threat Control team in a new report, after it was detected by the company’s antivirus engine. To avoid detection, it uses DLL sideloading to infect a victim’s PC.

A combination of social engineering and comments on Facebook pages is used to spread S1deload Stealer, which is distributed through photo archives with adult themes. If a Facebook user downloads one of these archives and unzips the image folder, they are greeted with a signed executable that uses a valid Western Digital signature and a malicious DLL that contains the final payload, according to BleepingComputer.

Although an executable file should be a dead giveaway that something is amiss, so far Bitdefender has detected over 600 unique users whose PCs have been infected with the S1deload Stealer malware.

Creating a feedback loop to infect more PCs

Once installed on a victim’s PC, S1deload Stealer then receives instructions from a command and control (C&C) server operated by the cybercriminals behind this campaign.

According to Bitdefender, the malware can download and run a number of additional components including a headless Chrome web browser. This browser runs in the background and is used to boost the view counts of both YouTube videos and Facebook posts.

However, S1deload Stealer can also deploy a stealer that is capable of decrypting and downloading saved credentials and cookies from a victim’s browser. The malware even deploys a cryptojacker that uses the infected PC to mine for cryptocurrency, which can seriously slow down a victim’s system.

When S1deload Stealer does manage to steal a victim’s Facebook account, it then uses the Facebook Graph API to determine the value of the account based on whether the owner is an admin of a page or group, whether they pay for ads, and whether the account is linked to a business manager account.

With a user’s Facebook credentials in hand, S1deload Stealer creates a feedback loop by spamming other accounts in order to infect additional PCs, almost like a botnet. From here, its creators earn money by selling services to boost other people’s Facebook or YouTube accounts.

How to stay safe from malware in social media posts 

Whether it’s on Facebook, YouTube, Instagram, Twitter or any other social media site, you need to be careful when clicking on links from unknown sources since you don’t know where they’ll take you. This is especially true when the person who created the post uses a URL shortener.

For this reason, you should always inspect links in your browser before clicking on them. On a computer you can do this by hovering over the link and on mobile you can long press on a link to see where it will take you. Still, it’s best to avoid clicking on links in social media posts when you can.

With this new S1deload Stealer campaign, though, the victims accidentally downloaded malware onto their own systems. Even so, they shouldn’t have run the executable file contained in the archives after unzipping them. As a general rule of thumb, you should never run executables from unknown sources, as doing so is an easy way to infect your computer with malware. If you have to, though, you should ensure that you’re running one of the best antivirus software solutions on your computer.
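The archive layout described earlier (an executable shipped next to a DLL inside what is presented as a photo archive) can be checked before anything is unzipped or run. The Python below is an added example, not code from Bitdefender or from this post; the file names in the sample are constructed and the stub bytes are harmless.

```python
import io
import posixpath
import zipfile
from collections import defaultdict

PE_MAGIC = b"MZ"  # first two bytes of every Windows EXE and DLL


def triage_archive(data: bytes) -> dict:
    """List Windows PE files inside a ZIP without extracting it to disk, and
    flag folders holding both an executable and a DLL, which is the layout
    DLL sideloading relies on."""
    pe_files = []
    by_folder = defaultdict(lambda: {"exe": [], "dll": []})
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(2)
            if head != PE_MAGIC:
                continue  # judge by content, not by the file name
            pe_files.append(info.filename)
            folder = posixpath.dirname(info.filename)
            # Any PE file that is not named *.dll is treated as a launcher,
            # including one disguised with an image extension.
            kind = "dll" if info.filename.lower().endswith(".dll") else "exe"
            by_folder[folder][kind].append(info.filename)
    sideload = sorted(f for f, k in by_folder.items() if k["exe"] and k["dll"])
    return {"pe_files": sorted(pe_files), "sideload_folders": sideload}


def build_sample() -> bytes:
    """Constructed sample archive: harmless stub bytes, not real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("album/img001.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)
        zf.writestr("album/viewer.exe", b"MZ" + b"\x00" * 16)  # hypothetical name
        zf.writestr("album/helper.dll", b"MZ" + b"\x00" * 16)  # hypothetical name
        zf.writestr("notes/readme.txt", b"hello")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_archive(build_sample()))
```

A photo archive that yields any entry in `pe_files` deserves suspicion, and a non-empty `sideload_folders` matches the executable-plus-DLL pairing reported for this campaign.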

While Bitdefender has now brought attention to the S1deload Stealer, the feedback loop this malware creates will likely help it continue to spread on social media.
