Attackers often abuse social networks in malvertising and spam campaigns for significant financial gain. A newly discovered malware campaign is hijacking Facebook and YouTube accounts and using the compromised devices to mine cryptocurrency.

Hijack of SM platforms

According to Bitdefender, the new S1deload Stealer info-stealer is hijacking users' social media accounts by means of adult-themed lures.
  • Attackers are pushing adult-themed archives in the comment section of social media platforms and blending them with social engineering tactics to trick users.
  • These archives contain an executable carrying a valid Western Digital digital signature, alongside a malicious DLL that embeds the final payload.
  • Once installed on victims' devices, S1deload Stealer operators can instruct it to perform several tasks after connecting to the C2 server.
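The delivery chain above pairs a legitimately signed executable with an unsigned DLL dropped beside it in an unpacked archive. The following detection logic is an added example, not code from Bitdefender or Cyware: it runs over constructed, simplified Sysmon Event ID 7 (image-load) records and flags an unsigned DLL loaded from the same user-writable directory as the executable that loads it, raising the reason's confidence when that executable was itself seen with a valid signature. Field names follow Sysmon; the paths, file names and values are invented, and the assumption that a process's own image appears as a signed self-load record is a simplification.

```python
import ntpath

# Directory markers a standard user can write to (matched case-insensitively).
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\appdata\\")

# Constructed, simplified Sysmon Event ID 7 (ImageLoaded) records. The field
# names follow Sysmon; the paths and values are invented for this example.
SAMPLE_EVENTS = [
    # Assumption: the unpacked executable's own image is logged as a signed self-load.
    {"Image": r"C:\Users\alice\Downloads\pics\viewer.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\pics\viewer.exe",
     "Signed": "true", "SignatureStatus": "Valid"},
    # Unsigned DLL sitting next to the signed executable in the unpacked archive.
    {"Image": r"C:\Users\alice\Downloads\pics\viewer.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\pics\helper.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    # Normal signed system DLL load.
    {"Image": r"C:\Users\alice\Downloads\pics\viewer.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    # Unsigned plugin from an admin-only install directory: not user-writable.
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\plugin.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
]


def is_signed(event):
    """Sysmon writes the Signed field as the strings 'true' / 'false'."""
    return str(event.get("Signed", "")).lower() == "true"


def is_user_writable(path):
    low = path.lower()
    return any(marker in low for marker in USER_WRITABLE_MARKERS)


def same_directory(a, b):
    return ntpath.dirname(a).lower() == ntpath.dirname(b).lower()


def signed_loaders(events):
    """Images observed loading their own file with a valid signature."""
    return {e["Image"].lower() for e in events
            if e["ImageLoaded"].lower() == e["Image"].lower() and is_signed(e)}


def flag_sideload(event, trusted):
    """Return a reason string if the load matches the sideload pattern, else None."""
    image, dll = event["Image"], event["ImageLoaded"]
    if image.lower() == dll.lower():
        return None  # self-load of the main image, not a dependency
    if not dll.lower().endswith(".dll") or is_signed(event):
        return None
    if not (same_directory(image, dll) and is_user_writable(dll)):
        return None
    if image.lower() in trusted:
        return "signed executable loaded unsigned DLL from its own user-writable directory"
    return "unsigned DLL loaded from user-writable directory beside executable"


def scan(events):
    """Return (image, dll, reason) tuples for every event matching the pattern."""
    trusted = signed_loaders(events)
    hits = []
    for e in events:
        reason = flag_sideload(e, trusted)
        if reason:
            hits.append((e["Image"], e["ImageLoaded"], reason))
    return hits


if __name__ == "__main__":
    for image, dll, reason in scan(SAMPLE_EVENTS):
        print(f"{reason}: {image} -> {dll}")
```

Only the unsigned DLL beside the signed executable under the user's Downloads folder is reported; the unsigned plugin under Program Files is left alone because that directory is not user-writable, which keeps the rule focused on archive-delivered loaders rather than every unsigned vendor module.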

Abusing stolen credentials

  • After stealing valid credentials of a victim’s Facebook account, the malware uses the Facebook Graph API to determine whether the victim is the admin of a Facebook page or group, pays for ads, or is linked to a business manager account.
  • The attackers use the newly obtained credentials to create a feedback loop: they spam social media to infect more machines, almost like a botnet.
  • They can earn money by selling services to boost other people’s Facebook or YouTube accounts.

Malware functionalities

  • S1deload Stealer is capable of downloading and running additional components, including a headless Chrome web browser. The browser is used to artificially boost view counts on both YouTube videos and Facebook posts by emulating human behavior.
  • The malware can also deploy a stealer or a cryptominer on other systems. While the stealer can decrypt and download saved credentials and cookies from a victim’s browser, the cryptominer uses the infected PC to mine for BEAM cryptocurrency.

Stay safe

Whether it’s on Facebook, YouTube, Instagram, Twitter, or any other social media platform, users are advised to be careful when clicking on unrelated or unwanted links. With the S1deload Stealer campaign ongoing, anyone who has accidentally downloaded the malware onto their system is advised not to run the executable file after unzipping the archive.
Cyware Publisher