A new malware has been discovered hijacking people’s social media accounts, stealing their saved login credentials, and using their devices to mine cryptocurrencies, experts have warned.
Researchers from Bitdefender’s Advanced Threat Control Team (ATC) found a new strain they named S1deload Stealer that tries to avoid being detected by antivirus programs through heavy use of DLL sideloading.
In the second half of last year, the hackers behind the campaign managed to infect hundreds of endpoints (opens in new tab) with this new infostealer:
Hundreds of infected devices
“Between July and December 2022, Bitdefender products detected more than 600 unique users infected with this malware,” Bitdefender researcher Dávid Ács noted.
To infect the devices, the victims need to download and run the malware themselves. The attackers created multiple archives (.zip files) allegedly holding adult content. Those that download and run that content won’t get what they came for, but will instead get the infostealer, capable of doing a couple of things:
First, it can download and run a headless Chrome browser that runs in the background and opens different YouTube videos and Facebook posts to rake up views. It can download and run an infostealer that decrypts and exfiltrates login credentials saved in browsers, as well as session cookies.
If it stumbles upon a Facebook account, it will try and analyze it, to see if it administrates any Facebook pages or groups, if it pays for ads on the platform, or if it’s linked to a business manager account. Obviously, all these things would make that account more valuable.
Finally, it can download, install, and run, a cryptocurrency miner, mining the BEAM cryptocurrency for the attackers. BEAM describes itself as a “confidential cryptocurrency and DeFi platform.”
“The stealer component we observed in the wild steals the saved credentials from the victim’s browser, exfiltrating them to the malware author’s server,” Ács said. “The malware author uses the newly obtained credentials to spam on social media and infect more machines, creating a feedback loop.”
Via: BleepingComputer (opens in new tab)
