Hackers Use S1deload Stealer to Target Facebook, YouTube Users

Security researchers have discovered a new global campaign relying on an infostealer targeting Facebook and YouTube accounts.

Dubbed "S1deload Stealer" by Bitdefender, the new malicious software employs DLL sideloading techniques to run its malicious components.

"It uses a legitimate, digitally-signed executable that inadvertently loads malicious code if clicked," wrote Bitdefender security researcher Dávid ÁCS in an advisory published on Wednesday. "S1deload Stealer effectively infects systems as sideloading helps get past system defenses."

Further, the executable also relies on a real image folder to lower user suspicion of malware.

After the initial infection, S1deload Stealer can obtain user credentials, as well as imitate human behavior to artificially boost engagement on videos and other content.

It can also reportedly assess the system value of individual accounts, mine for BEAM cryptocurrency and propagate the malicious link to the user's followers.

"While this may seem like a personal credentials leak, some of the credentials stolen by such attacks end up being corporate email credentials that are then being used for BEC attacks," explained Coro co-founder Dror Liwer.

"As users use the same device for both personal and work purposes, the line between personal and corporate credentials hasn't been blurred, it has evaporated," he added. 

More generally, Roger Grimes, data-driven defense evangelist at KnowBe4, explained that malware like S1deload Stealer will always find ways around malware mitigations.

"All we do is play a long-term, losing game of Whack-a-Mole by trying to go after and defeat individual threats when we should be focusing on the root causes of successful exploitation," Grimes told Infosecurity in an email.

"This and most malware can be prevented by aggressively training yourself and users in how to spot and defeat social engineering attacks," Grimes added. 

More information about S1deload Stealer is available in a recent white paper by the Bitdefender team.

The analysis comes weeks after Symantec researchers warned system defenders against a separate infostealer called Graphiron that targets Ukraine.

Image credit: I AM NIKOM / Shutterstock.com