YouTube and Facebook accounts are being hit by dangerous new malware

News
By Sead Fadilpašić
published

Malware rakes up views using victim's accounts

Social app icons on a phone screen
(Image credit: dole777 / Unsplash)

A new malware has been discovered hijacking people’s social media accounts, stealing their saved login credentials, and using their devices to mine cryptocurrencies, experts have warned.

Researchers from Bitdefender’s Advanced Threat Control Team (ATC) found a new strain they named S1deload Stealer that tries to avoid being detected by antivirus programs through heavy use of DLL sideloading.

In the second half of last year, the hackers behind the campaign managed to infect hundreds of endpoints with this new infostealer:

Hundreds of infected devices

"Between July and December 2022, Bitdefender products detected more than 600 unique users infected with this malware," Bitdefender researcher Dávid Ács noted.

To infect the devices, the victims need to download and run the malware themselves. The attackers created multiple archives (.zip files) allegedly holding adult content. Those that download and run that content won’t get what they came for, but will instead get the infostealer, capable of doing a couple of things: 

First, it can download and run a headless Chrome browser that runs in the background and opens different YouTube videos and Facebook posts to rake up views. It can download and run an infostealer that decrypts and exfiltrates login credentials saved in browsers, as well as session cookies. 

Read more

> A nasty new infostealer malware is landing in email inboxes

> This infostealer has a vicious sting for Python developers

> These are the best firewalls right now

If it stumbles upon a Facebook account, it will try and analyze it, to see if it administrates any Facebook pages or groups, if it pays for ads on the platform, or if it’s linked to a business manager account. Obviously, all these things would make that account more valuable. 

Finally, it can download, install, and run, a cryptocurrency miner, mining the BEAM cryptocurrency for the attackers. BEAM describes itself as a “confidential cryptocurrency and DeFi platform.”

"The stealer component we observed in the wild steals the saved credentials from the victim's browser, exfiltrating them to the malware author's server," Ács said. "The malware author uses the newly obtained credentials to spam on social media and infect more machines, creating a feedback loop."

Via: BleepingComputer

Sead Fadilpašić
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.