Social networks, which have grown to occupy a significant portion of our lives, have been abused by criminals since their inception. With access to multiple legitimate social media accounts, threat actors have been able to extort significant financial gains, or even manipulate public opinion and change the course of elections. On the everyday level, financially motivated groups have created malvertising and spam campaigns and set up fully automated farms of content-sharing websites to increase revenue or sell and rent compromised accounts to other malicious actors.
This paper documents an active malware distribution campaign that abuses social media by taking over users’ Facebook and YouTube accounts. Once in control of the compromised accounts, the malware uses them to boost view counts on social media. Through each step of the malware infection chain, the malware author heavily relies on DLL sideloading to avoid detection. We named this malware family S1deload stealer.
Each executable the malware author chose as a sideloading host shares the same traits:
- They load .NET DLLs from their directory
- They come from well-known software publishers
- They are digitally signed
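As an added illustration (not code from the paper or from the S1deload analysis), the heuristic below flags the pattern these traits produce on a host: a DLL loaded from the same directory as its executable, outside the Windows system directories, that is unsigned or signed by a different publisher than the executable. The records are constructed and modelled on Sysmon Event ID 7 fields; the `ImageSigner` field (the host executable's own Authenticode signer, looked up separately) and all paths and publisher names are assumptions.

```python
from pathlib import PureWindowsPath

# Constructed image-load records modelled on Sysmon Event ID 7 (ImageLoaded).
# "ImageSigner" is an assumed extra field: the host exe's signer, since
# Event 7 only reports the signature of the DLL being loaded.
SAMPLE_LOADS = [
    # signed vendor app loading its own signed .NET DLL from Program Files: benign
    {"Image": r"C:\Program Files\Vendor\Tool\tool.exe", "ImageSigner": "Vendor Inc",
     "ImageLoaded": r"C:\Program Files\Vendor\Tool\Vendor.Core.dll",
     "Signed": "true", "Signature": "Vendor Inc", "SignatureStatus": "Valid"},
    # same signed app copied to a user-writable folder, loading an unsigned DLL beside it
    {"Image": r"C:\Users\alice\AppData\Roaming\Tool\tool.exe", "ImageSigner": "Vendor Inc",
     "ImageLoaded": r"C:\Users\alice\AppData\Roaming\Tool\Vendor.Core.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unsigned"},
    # system DLL loaded from System32: benign
    {"Image": r"C:\Users\alice\AppData\Roaming\Tool\tool.exe", "ImageSigner": "Vendor Inc",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    # signed app loading a DLL beside it that carries a different publisher's signature
    {"Image": r"C:\Users\bob\Downloads\Pack\viewer.exe", "ImageSigner": "Publisher A",
     "ImageLoaded": r"C:\Users\bob\Downloads\Pack\Helper.dll",
     "Signed": "true", "Signature": "Some Other Co", "SignatureStatus": "Valid"},
]

TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")
PROGRAM_DIRS = (r"c:\program files", r"c:\program files (x86)")


def sideload_reasons(ev):
    """Return reasons a record looks like DLL sideloading; [] means nothing suspicious."""
    exe = PureWindowsPath(ev["Image"])
    dll = PureWindowsPath(ev["ImageLoaded"])
    # Only side-by-side loads (same directory as the exe) outside system dirs matter here;
    # PureWindowsPath compares case-insensitively, as Windows does.
    if dll.suffix.lower() != ".dll" or dll.parent != exe.parent:
        return []
    if str(dll.parent).lower().startswith(TRUSTED_DIRS):
        return []
    reasons = []
    if ev["Signed"].lower() != "true" or ev["SignatureStatus"] != "Valid":
        reasons.append("dll-unsigned-or-invalid-signature")
    elif ev["Signature"] != ev["ImageSigner"]:
        reasons.append("dll-signer-differs-from-host-exe")
    if not reasons:
        return []  # a signed app loading its own signed DLLs is the normal .NET layout
    if not str(exe.parent).lower().startswith(PROGRAM_DIRS):
        reasons.append("host-exe-in-user-writable-path")
    return reasons


def scan(events):
    """Map each flagged DLL path to the reasons it was flagged."""
    return {ev["ImageLoaded"]: sideload_reasons(ev) for ev in events if sideload_reasons(ev)}
```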
During our research of the malware’s infrastructure, we also identified the sales website where the malware author rents out the stolen social media accounts to boost YouTube and Facebook content.