Thousands of Facebook users, looking to engage in some stress-free activity, were infected with malware by a stress relief paint app called “Relieve Stress Paint”. The Stresspaint malware first appeared in April 2018 and has already infected over 40,000 Facebook users across the globe.
Targets of the malware received a link to the “Relieve Stress Paint” app either via Facebook messages or phishing emails. The link redirects them to a website designed to mislead them into believing that they are visiting a legitimate AOL site. In reality, however, the site sits on a Unicode lookalike domain that imitates AOL's. The site advertises the “Relieve Stress Paint” app and comes with a download link.
Once downloaded, the app displays an actual paint program that changes size and colour with every click. However, in the background, the app runs the Stresspaint malware which collects Facebook user credentials and cookies, as well as Google Chrome login data and cookies. The malware steals data the first time it runs as well as every time the app is rerun or the target’s computer is restarted. The malware sends any saved login credentials or Facebook cookies to the C2 server.
“Once the credentials are validated and access is granted, additional data is collected, such as number of friends, whether the account manages a page or not, and if the payment method is configured for the account,” Radware security researchers, who discovered the malware, said in a blog.
The malware authors specifically targeted Facebook users who have their own pages, as well as Facebook pages that have payment methods stored. In order to evade detection, the malware collected only specific pieces of data rather than harvesting user credentials in general. It also stole cookies and credentials only by querying copies of the original login data and cookie files rather than the originals themselves. Each run of the credential theft process stays on the infected device for less than a minute.
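The two behaviours described above, a non-browser process reading Chrome's login data and cookie stores and writing copies of them elsewhere, are what an endpoint detection would key on. The following is an added example, not code from the article or from Radware: a small rule run over constructed file-access events (the field names, process names and paths are assumptions in the style of an EDR file-event feed; the article names no file names). It flags any process other than the browser that reads a Chrome credential store, and any copy of such a store written outside the Chrome profile directory, then reports how long each flagged process was active.

```python
import ntpath
from collections import defaultdict

# Chrome's on-disk credential stores. "Login Data" and "Cookies" are the ones the
# article describes being copied; "Web Data" (autofill) is added as an assumption.
CHROME_STORES = {"login data", "cookies", "web data"}
CHROME_PROFILE_MARKER = "\\google\\chrome\\user data\\"
BROWSER_IMAGES = {"chrome.exe"}  # processes expected to touch the stores

# Constructed sample events (assumption: an EDR feed with ts, pid, image, op, target).
STRESS_EXE = r"C:\Users\alice\Downloads\relieve_stress_paint.exe"  # placeholder name
PROFILE = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default"
SAMPLE_EVENTS = [
    {"ts": 100, "pid": 4242, "image": STRESS_EXE, "op": "read",
     "target": PROFILE + r"\Login Data"},
    {"ts": 101, "pid": 4242, "image": STRESS_EXE, "op": "create",
     "target": r"C:\Users\alice\AppData\Local\Temp\Login Data"},
    {"ts": 102, "pid": 4242, "image": STRESS_EXE, "op": "read",
     "target": PROFILE + r"\Cookies"},
    {"ts": 130, "pid": 1337, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "op": "read", "target": PROFILE + r"\Cookies"},
    {"ts": 140, "pid": 2000, "image": r"C:\Windows\explorer.exe", "op": "read",
     "target": r"C:\Users\alice\Documents\notes.txt"},
]


def is_chrome_store(path):
    """True if path is one of Chrome's credential stores inside a profile directory."""
    p = path.lower()
    return ntpath.basename(p) in CHROME_STORES and CHROME_PROFILE_MARKER in p


def detect(events):
    """Return (ts, pid, image, reason) alerts for non-browser access to Chrome stores
    and for copies of those stores written outside the profile directory."""
    alerts = []
    for ev in events:
        image = ntpath.basename(ev["image"]).lower()
        if image in BROWSER_IMAGES:
            continue  # the browser itself is expected to read its own stores
        target = ev["target"]
        base = ntpath.basename(target).lower()
        if ev["op"] == "read" and is_chrome_store(target):
            alerts.append((ev["ts"], ev["pid"], image,
                           "non-browser read of Chrome store " + base))
        elif (ev["op"] == "create" and base in CHROME_STORES
              and CHROME_PROFILE_MARKER not in target.lower()):
            alerts.append((ev["ts"], ev["pid"], image,
                           "copy of Chrome store written to " + ntpath.dirname(target)))
    return alerts


def dwell_seconds(events, pids):
    """Seconds between first and last event of each flagged pid; the article notes the
    theft process lives on the host for under a minute, so short spans are expected."""
    first, last = {}, {}
    for ev in events:
        if ev["pid"] in pids:
            first.setdefault(ev["pid"], ev["ts"])
            last[ev["pid"]] = ev["ts"]
    return {pid: last[pid] - first[pid] for pid in first}


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for alert in found:
        print(alert)
    print("dwell:", dwell_seconds(SAMPLE_EVENTS, {a[1] for a in found}))
```

The browser allowlist is deliberately tiny; in production it would be keyed on signed image path rather than file name, since a file called `chrome.exe` in a Downloads folder should not be exempt.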
The malware operators used an open-source Chinese CMS called Layuicms2.0 as their control panel. The panel features a section for Amazon data; however, this is not yet functional. Radware security researchers believe that the attackers may target Amazon users in the future.
Security researchers have speculated that the data stolen by the attackers may be sold on the dark web to make a quick buck, used to ransom or extort victims by threatening to reveal their private information, used to monitor targets for espionage purposes, or used to perpetrate identity theft. Radware researchers also suspect that the stolen data may be used by the attackers to distribute targeted propaganda or for malvertising.
Radware said it has alerted Facebook’s security team and sent them its findings. The social media giant is currently investigating the matter.
“We encourage people to check the mails they receive for trusted domains. Facebookmail.com is a common domain that Facebook uses to send notifications when we detect an attempt to log in to your account or change a password,” Facebook communications manager Pete Voss said in a statement. “If you’re unsure if an email you received was from Facebook, you can check its legitimacy by visiting facebook.com/settings to view a list of security-related emails that have been recently sent. We are investigating these malware findings and we are taking steps to help protect and notify those who are impacted.
“We maintain a number of automated systems to help stop harmful links and files from appearing on Facebook and in Messenger. If we suspect your computer is infected with malware, we will provide you with a free anti-virus scan from our trusted partners. We share tips on how to stay secure and links to these scanners on facebook.com/help.”
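Two checks run through this story: the lure site used a Unicode lookalike of AOL's domain, and Facebook's advice is to check sender domains against the ones it actually uses. The block below is an added example, not code from the article, Radware or Facebook, that does both: it converts punycode hosts to their displayed form, folds common Cyrillic and Greek lookalike letters to Latin, and compares the result against a trusted-domain allowlist. The allowlist, the confusables table and the sample inputs are constructed; only facebookmail.com, facebook.com and aol.com come from the article.

```python
"""Lookalike-domain check for links and sender addresses (added example)."""
import unicodedata
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed allowlist of registrable domains the reader trusts.
TRUSTED_DOMAINS = {"facebook.com", "facebookmail.com", "aol.com"}

# Partial, hand-picked table of Cyrillic/Greek letters that render like Latin
# ones (assumption; Unicode's full confusables list is far larger).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u04cf": "l", "\u0455": "s",
    "\u04bb": "h", "\u0458": "j", "\u03bf": "o", "\u03b1": "a",
}


def to_unicode_host(host):
    """Turn an ACE/punycode host (xn--...) into its displayed Unicode form.
    A host that is already Unicode, or plain ASCII, is returned unchanged."""
    host = host.rstrip(".").lower()
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host


def registrable_domain(host):
    """Naive registrable domain: the last two labels (no public-suffix list)."""
    return ".".join(host.split(".")[-2:])


def scripts_in_label(label):
    """Unicode scripts used by the letters of one DNS label, e.g. {'LATIN', 'CYRILLIC'}."""
    scripts = set()
    for ch in label:
        if ch.isascii() and not ch.isalpha():  # digits and hyphens belong to no script
            continue
        scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return scripts


def skeleton(host):
    """Fold confusable letters to their Latin lookalikes so Cyrillic 'аоl.com' compares as 'aol.com'."""
    folded = unicodedata.normalize("NFKC", host)
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)


def assess_domain(host):
    """Classify a host as 'trusted', 'lookalike of <domain>', 'mixed-script' or 'unknown'."""
    uhost = to_unicode_host(host)
    if registrable_domain(uhost) in TRUSTED_DOMAINS:
        return "trusted"
    folded = registrable_domain(skeleton(uhost))
    if folded in TRUSTED_DOMAINS:
        return "lookalike of " + folded
    if any(len(scripts_in_label(label)) > 1 for label in uhost.split(".")):
        return "mixed-script"
    return "unknown"


def assess_link(url):
    """Apply assess_domain to the host of a URL, as for a link received in a message."""
    host = urlsplit(url).hostname
    return assess_domain(host) if host else "unknown"


def assess_sender(from_header):
    """Apply assess_domain to the domain of an RFC 5322 From: header.
    From: is forgeable, so this catches lookalike domains, not outright spoofing."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return "unknown"
    return assess_domain(addr.rsplit("@", 1)[1])


if __name__ == "__main__":
    # Constructed samples: a Cyrillic lookalike of aol.com in its punycode form,
    # the real site, a genuine notification address and an unrelated sender.
    lookalike = "\u0430\u043el.com".encode("idna").decode("ascii")
    for sample in ["http://" + lookalike + "/paint", "https://www.aol.com/"]:
        print(sample, "->", assess_link(sample))
    for hdr in ["Facebook <notification@facebookmail.com>", "Support <help@example.net>"]:
        print(hdr, "->", assess_sender(hdr))
```

The sender check is only one layer: a mail filter that relies on it alone would still accept a forged `From: notification@facebookmail.com`, so in practice it sits alongside SPF, DKIM and DMARC results, which establish whether the message actually came from that domain.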