S1deload Stealer – Exploring the Economics of Social Network Account Hijacking

Social networks, which have grown to occupy a significant portion of our lives, have been abused by criminals since their inception. With access to multiple legitimate social media accounts, threat actors can extort significant financial gains or even manipulate public opinion and change the course of elections. On the everyday level, financially motivated groups have created malvertising and spam campaigns and set up fully automated farms of content-sharing websites to increase revenue or sell and rent compromised accounts to other malicious actors.

Key Findings

• Bitdefender discovered a new global campaign dubbed S1ideload Stealer that targets Facebook and YouTube accounts.
• S1deload Stealer relies on DLL sideloading techniques to run its malicious components. It uses a legitimate, digitally-signed executable that inadvertently loads malicious code if clicked.
• S1deload Stealer effectively infects systems as sideloading helps get past system defenses. Additionally, the executable leads to an actual image folder to lower user suspicion of malware.
• Once infected, S1deload Stealer steals user credentials, emulates human behavior to artificially boost videos and other content engagement, assesses the value of individual accounts (such as identifying corporate social media admins), mines for BEAM cryptocurrency and propagates the malicious link to the user’s followers.

Protection

Bitdefender products detect S1deload Stealer in all execution stages. We encourage users to never click on EXE files downloaded from untrusted sources. Additionally, users should never ignore alerts from security software.

Indicators of Compromise

An up-to-date, complete list of indicators of compromise is available to  Bitdefender Advanced Threat Intelligence  users. Currently known indicators of compromise can be found in the whitepaper below.

Download the whitepaper