Relieve Stress Paint Hides Malicious Stresspaint Trojan to Steal Facebook Credentials

Here we go again. Facebook is on our radar once more, and once again we are dealing with a privacy breach. This time, however, the malicious Stresspaint Trojan is responsible for the mess, not the social networking giant itself. Just a month ago, the news broke that Cambridge Analytica had harvested data from 50 million Facebook accounts. Lo and behold, a different party was silently harvesting data in the shadows of that scandal. The attack was uncovered by Radware’s threat research group, who reported that the attackers managed to affect 40,000 users within the first few days. The good news is that the current infection path is pretty straightforward, and even the least experienced users can avoid it.


Stresspaint Trojan is Distributed Using Digital Painting Software

Radware experts suggest that Windows users are usually exposed to the malicious Stresspaint Trojan via spam emails that urge them to download software named “Relieve Stress Paint.” The misleading message could also be sent to them directly via Facebook Messenger because, after all, the Trojan is built to extract Facebook-related information. The criminals behind the threat appear to employ a Unicode domain phishing attack (look-alike characters from other alphabets substituted into a familiar domain name) to lead targeted victims to a website that presents the Trojan’s installer. The user might believe they are on a legitimate website (e.g., AOL), but, of course, that is just an illusion. If the user is tricked into downloading the free program, they are unlikely to realize that anything is wrong because an application window loads and does allow them to paint or draw, as advertised. Of course, the tool is pretty useless, and the user is likely to delete it quickly. The bad news is that deleting it is not enough to remove Stresspaint Trojan.
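The Unicode domain trick described above is something a mail gateway or a browser-side check can flag before the user ever reaches the installer page. The Python script below is an added example written for this article, not code from Radware or from the page. It assumes a small hand-built confusables table (a subset of the Unicode confusables data) and a constructed list of protected domains (AOL is the only one the page names), decodes punycode labels with Python’s standard idna codec, and reports whether a hostname imitates a protected domain or mixes alphabets within a single label.

```python
import unicodedata

# Domains the organisation wants to protect from look-alike impersonation.
# The page names AOL as the spoofed site; the other entries are constructed.
PROTECTED_DOMAINS = {"aol.com", "facebook.com", "messenger.com"}

# Partial, hand-built table of characters that render like ASCII letters.
# A production check would load the full Unicode confusables data instead.
CONFUSABLES = {
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u043e": "o",  # Cyrillic small o
    "\u0440": "p",  # Cyrillic small er
    "\u0441": "c",  # Cyrillic small es
    "\u0443": "y",  # Cyrillic small u
    "\u0445": "x",  # Cyrillic small ha
    "\u0456": "i",  # Cyrillic small byelorussian-ukrainian i
    "\u04cf": "l",  # Cyrillic small palochka
    "\u03b1": "a",  # Greek small alpha
    "\u03bf": "o",  # Greek small omicron
    "\u0131": "i",  # Latin small dotless i
}


def to_unicode(hostname):
    """Return the Unicode (U-label) form of a hostname, decoding punycode labels."""
    host = hostname.strip().rstrip(".").lower()
    if host.isascii() and "xn--" in host:
        try:
            return host.encode("ascii").decode("idna")
        except UnicodeError:
            return host  # malformed punycode: keep the raw form for reporting
    return host


def skeleton(label):
    """Map a label to the ASCII string it visually resembles."""
    return "".join(CONFUSABLES.get(ch, ch)
                   for ch in unicodedata.normalize("NFKC", label))


def scripts_in(label):
    """Script names (first word of the Unicode character name) of the letters in a label."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def assess(hostname):
    """Classify a hostname as it appears in a mail link or the address bar.

    Returns the decoded Unicode host, its ASCII look-alike skeleton, whether any
    label mixes scripts, and which protected domain (if any) it imitates.
    """
    uni = to_unicode(hostname)
    labels = uni.split(".")
    skel_labels = [skeleton(lab) for lab in labels]
    # Compare only the registrable part (last two labels) against the protected list,
    # so that a legitimate subdomain such as login.aol.com is not flagged.
    registrable = ".".join(labels[-2:])
    registrable_skel = ".".join(skel_labels[-2:])
    lookalike = None
    if registrable_skel in PROTECTED_DOMAINS and registrable_skel != registrable:
        lookalike = registrable_skel
    return {
        "unicode": uni,
        "skeleton": ".".join(skel_labels),
        "mixed_script": any(len(scripts_in(lab)) > 1 for lab in labels),
        "lookalike_of": lookalike,
    }


if __name__ == "__main__":
    # Constructed inputs: the real domain, a Cyrillic look-alike, and its punycode form.
    spoof = "\u0430\u043el.com"  # Cyrillic a, Cyrillic o, Latin l
    for host in ("aol.com", spoof, spoof.encode("idna").decode("ascii")):
        print(host, "->", assess(host))
```

The check deliberately works on the registrable domain only, so a brand’s own subdomains pass while a look-alike registered under another top-level label is still caught by the skeleton comparison; the mixed-script flag is a second, independent signal that fires even for brands not on the protected list.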

How Does Stresspaint Trojan Steal Facebook Credentials?

Relieve Stress Paint distracts the user and disguises the real activity, which includes downloading and running malware files. Besides creating .exe and .dll files, Stresspaint Trojan also creates files that copy the cookies and passwords recorded by the Google Chrome web browser. The copies replace the original files, which are removed right away. The infection also adds entries to the Windows Registry. Using these components, the Trojan can steal sensitive information every time the user restarts the computer and runs the bogus application, by copying the data stored in Google Chrome’s cookie and login-information files. The recorded information is encrypted and sent to a remote C&C server for analysis. Once the attackers have access, they collect additional information, which appears to be focused on Facebook pages. It seems that the creators of Stresspaint Trojan are after accounts that manage Facebook pages, and they are interested in whether or not payment methods are used.
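The two behaviours just described, a non-browser process reading or copying Chrome’s cookie and login-data files and a program from a user-writable folder registering itself to run at logon, are both visible in endpoint telemetry. The Python script below is an added example written for this article, not code from Radware or the page. It assumes a simplified Sysmon/EDR-style record format (kind of event, acting process image, path touched) and a constructed batch of sample events; the process names, user name and registry value name are invented and are not indicators from the report.

```python
import re
from collections import namedtuple

# One telemetry record, in the shape a Sysmon/EDR-style sensor might emit
# (kind of event, image path of the acting process, file or registry path touched).
Event = namedtuple("Event", "kind process path")

# Chrome's per-profile credential store and cookie database under "User Data".
CHROME_SECRET_FILES = re.compile(
    r"\\google\\chrome\\user data\\[^\\]+\\(login data|cookies)$", re.IGNORECASE)
# Per-user autostart key that a bogus app can use to run again at every logon.
RUN_KEY = re.compile(
    r"\\software\\microsoft\\windows\\currentversion\\run\\", re.IGNORECASE)
# Directories from which a legitimately installed program would normally run.
TRUSTED_PROCESS_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


def is_browser(process):
    """True when the acting process is Chrome itself, which legitimately owns these files."""
    return process.lower().endswith("\\chrome.exe")


def from_trusted_dir(process):
    """True when the process image lives in a system or Program Files directory."""
    return process.lower().startswith(TRUSTED_PROCESS_DIRS)


def detect(events):
    """Return (rule_name, event) pairs for records matching the behaviour described above."""
    alerts = []
    for ev in events:
        if (ev.kind in ("file_read", "file_copy")
                and CHROME_SECRET_FILES.search(ev.path)
                and not is_browser(ev.process)):
            alerts.append(("chrome_credential_store_access", ev))
        elif (ev.kind == "registry_set"
                and RUN_KEY.search(ev.path)
                and not from_trusted_dir(ev.process)):
            alerts.append(("run_key_persistence_from_user_path", ev))
    return alerts


# Constructed sample telemetry: one benign Chrome read, one benign vendor updater,
# and three records of a downloaded program behaving like the Trojan in the text.
SAMPLE_EVENTS = [
    Event("file_read", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
          r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    Event("file_copy", r"C:\Users\alice\Downloads\paint_app.exe",
          r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    Event("file_copy", r"C:\Users\alice\Downloads\paint_app.exe",
          r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Cookies"),
    Event("registry_set", r"C:\Users\alice\Downloads\paint_app.exe",
          r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\PaintApp"),
    Event("registry_set", r"C:\Program Files\Vendor\updater.exe",
          r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater"),
]


if __name__ == "__main__":
    for rule, ev in detect(SAMPLE_EVENTS):
        print(f"{rule}: {ev.process} -> {ev.path}")
```

Correlating the two rules on the same process image, as the sample does for paint_app.exe, is what separates this pattern from ordinary noise: backup agents do touch the Chrome profile folder, and installers do write Run keys, but a freshly downloaded program doing both in one session is the combination worth paging on.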

What Is The Purpose Of Stresspaint Trojan?

The infection is still being observed and analyzed, and it is possible that researchers will never understand it completely, because malware like this is very dynamic and the attackers behind it can change strategies and even goals at any time. Right now, there is a suspicion that the infection could start stealing Amazon credentials in the near future, but that is not a certainty. It is possible that the creator of Stresspaint Trojan is stealing data so that it can be sold to malicious third parties. If that were the case, it really is impossible to know how the private information would be exploited. Since stolen Facebook credentials are often used to access payment information recorded on Facebook pages, it is also possible that the cyber attackers are looking for financial gain. With access to these pages, cyber criminals could also reach more targets using corrupted links and advertisements. In general, it is not yet known why the Trojan was built, but it is obvious that it was not built with good intentions in mind.

How to Protect Yourself Against Stresspaint Trojan

According to the latest information, at least 45,000 users let Stresspaint Trojan in by downloading the Relieve Stress Paint application. This number is likely to grow in the coming weeks, especially in Vietnam, Russia, and Pakistan, which are the countries most affected by the infection at this time. Needless to say, Windows users can avoid this infection by avoiding its installer, which, of course, could be modified and distributed using new methods. Therefore, all users need to be careful about what they install and the sources they install software from. Employing anti-malware software is an extremely helpful safeguard: if a malicious installer finds its way in, a strong anti-malware program should detect and delete it before anything bad happens.

References

Palmer, D. (April 19, 2018). This malware targets Facebook log-in details, infects over 45,000 in just days. ZDNet.
Radware. (April 18, 2018). Stresspaint Malware Targeting Facebook Credentials. Radware.