Stay away if you see this in Facebook posts: 600 people just fell victim!
- Tram Ho
The malware behind these posts has been named S1deload Stealer by researchers on the Bitdefender Advanced Threat Control team in a new report, after the company’s anti-virus engine discovered it.
Notably, S1deload Stealer uses links attached to social media posts to infect unwary users.
To avoid easy detection, S1deload Stealer used DLL sideloading (an attack technique in which a malicious DLL file is loaded into a legitimate application’s memory, leading to unintended code execution) to infect the victim’s desktop PC.
Attack method of S1deload Stealer
Hackers used a combination of “social engineering” (tricks that manipulate human psychology and behavior to steal personal information, access, or valuable data) and comments on Facebook to spread S1deload Stealer. The malware is distributed through “adult”-themed photo archives.
If a Facebook user downloads one of these archives and unzips the image folder, they will find an executable file that is validly signed by “Western Digital” (a company that designs, manufactures, and develops well-known data storage devices). Alongside it, however, sits a malicious DLL file.
While the signed executable itself gives no obvious sign that something is amiss, Bitdefender has so far detected more than 600 users whose PCs were infected with S1deload Stealer by this method.
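The delivery pattern described above (an unpacked “photo archive” that contains a legitimate, signed executable next to a DLL) is the shape a defender can look for. The following scanner is an added example, not Bitdefender’s detection logic or anything from the report: it identifies PE files by their headers rather than their file names, since a dropper can name a file to look like an image, and flags any directory holding an EXE and a DLL side by side. The file names and the header-only stub files it builds are constructed for the demo.

```python
import os
import struct
import tempfile

IMAGE_FILE_DLL = 0x2000  # Characteristics bit in the PE COFF file header


def pe_kind(path):
    """Return 'dll', 'exe', or None if the file is not a PE image (judged by header, not name)."""
    try:
        with open(path, "rb") as f:
            head = f.read(0x40)
            if len(head) < 0x40 or head[:2] != b"MZ":
                return None
            f.seek(struct.unpack_from("<I", head, 0x3C)[0])  # e_lfanew -> PE signature
            pe = f.read(24)  # "PE\0\0" + 20-byte COFF file header
    except OSError:
        return None
    if len(pe) < 24 or pe[:4] != b"PE\0\0":
        return None
    return "dll" if struct.unpack_from("<H", pe, 22)[0] & IMAGE_FILE_DLL else "exe"


def scan_extracted_archive(root):
    """Flag every directory of an unpacked archive that holds an EXE next to a DLL."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        exes = [n for n in files if pe_kind(os.path.join(dirpath, n)) == "exe"]
        dlls = [n for n in files if pe_kind(os.path.join(dirpath, n)) == "dll"]
        if exes and dlls:  # sideloading-shaped layout: loader + companion DLL
            findings.append((dirpath, sorted(exes), sorted(dlls)))
    return findings


def make_fake_pe(path, is_dll):
    """Write a constructed, header-only PE stub (stands in for the real files)."""
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80)).ljust(0x80, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, IMAGE_FILE_DLL if is_dll else 2)
    with open(path, "wb") as f:
        f.write(dos + b"PE\0\0" + coff)


def demo_scan():
    """Build a constructed 'photo archive' like the one described and scan it."""
    with tempfile.TemporaryDirectory() as d:
        make_fake_pe(os.path.join(d, "photos_viewer.exe"), is_dll=False)
        make_fake_pe(os.path.join(d, "helper.dll"), is_dll=True)
        with open(os.path.join(d, "img001.jpg"), "wb") as f:
            f.write(b"\xff\xd8\xff")  # JPEG magic bytes, not a PE image
        return scan_extracted_archive(d)
```

Calling demo_scan() returns a single finding naming the constructed directory, its executable, and the companion DLL; the JPEG is ignored because it carries no PE header.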
Once installed on the victim’s PC, S1deload Stealer will receive instructions from a command and control (C&C) server operated by the cybercriminals behind the operation.
According to Bitdefender, once downloaded, the malware can run several additional components, including the headless Chrome browser (a program that emulates a browser but has no user interface). This browser runs in the background and is used to increase views of YouTube videos, as well as Facebook posts.
However, S1deload Stealer can also deploy a stealer component capable of decrypting and exfiltrating saved credentials and cookies from the victim’s browser. The malware even deploys a cryptojacker (software that mines cryptocurrency on the victim’s hardware for the attacker’s benefit), severely slowing down the victim’s computer.
When S1deload Stealer successfully steals a victim’s Facebook account, it uses the Facebook Graph API (the interface for loading data into and reading data out of Facebook’s social graph) to determine the value of that account: whether the victim is an admin of a page or a group, has paid for advertising, whether the account is linked to a business management account, and so on.
With the user’s Facebook credentials in hand, S1deload Stealer creates a “feedback loop” by spamming other accounts to infect other PCs.
What to do to ensure safety?
Whether on Facebook, YouTube, Instagram, Twitter or any other social networking site, you need to be careful when clicking on links from unknown sources, as you never know where they will take you. It is even more important to be careful if the post creator uses a URL shortener.
Also for this reason, you should always check links in your browser before clicking on them. On a computer, you can do that by pointing at the link, and on a mobile phone, you can press and hold the link to preview where it will take you. However, it is still best to avoid clicking on links in social media posts if possible.
Although Bitdefender has detected and noticed S1deload Stealer, the feedback loop this malware creates will likely help it continue to spread on social media.
Source: Genk