
Bitdefender is calling the malware S1deload Stealer for its use of DLL side-loading techniques to get past security defenses and execute its malicious components. "Once infected, S1deload Stealer steals user credentials, emulates human behavior to artificially boost videos and other content engagement, assesses the value of individual accounts (such as identifying corporate social media admins), mines for BEAM cryptocurrency, and propagates the malicious link to the user's followers," Bitdefender researcher Dávid ÁCS said.
The goal of the campaign is to take control of the users' Facebook and YouTube accounts and rent out access to raise view counts and likes for videos and posts shared on the platforms. More than 600 unique users are estimated to have been impacted during the six-month period between July and December 2022. A majority of the infections are located in Romania, Turkey, France, Bangladesh, Mexico, Peru, and Canada.
To pull off the scheme, users are lured with adult-themed content via Facebook posts that contain links to ZIP archives which, when extracted, trigger an intricate infection sequence leading to the deployment of the malware.