Posted on April 23, 2018 at 8:04 AM
Radware has detected malware disguised as a paint program. It gathers Facebook data and credentials, and it is believed to be intended for ransom and identity theft.
The threat analysts at Radware first detected the threat, named ‘Stresspaint’, on April 12. While the researchers do not yet know how it is distributed, they suspect that the malware is spread via phishing emails and Facebook posts and messages. The malware is disguised as a simple paint program that promises to relieve stress, and is referred to as ‘Relieve Stress Paint’. So far, the number of infected users has reached 40,000.
The malicious message sends its targets to a site whose Unicode domain name is displayed as ‘aol.net’, leading victims to believe that they are visiting an America Online site. However, the true address is the Punycode-encoded ‘xn--80a2a18a.net’. The malware is downloaded from that site. It appears as a simple drawing tool, where the brush changes color and size with each stroke.
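The look-alike domain above is an IDN homograph: the browser shows the decoded Unicode letters, while the DNS name is the ASCII ‘xn--’ form. As an added example (not code from the article or from Radware), the following Python checker decodes Punycode labels and flags any label whose look-alike “skeleton” matches a watched brand name. The confusables map is a constructed subset of the Unicode confusables data, and the watchlist is an assumption.

```python
import unicodedata

# Constructed subset of Unicode confusables: Cyrillic letters that render like Latin ones.
# The full Unicode confusables table is much larger; this is enough for the article's case.
CONFUSABLES = {
    "\u0430": "a", "\u043e": "o", "\u0435": "e", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u04cf": "l", "\u0456": "i", "\u0458": "j",
    "\u04bb": "h", "\u0501": "d", "\u051b": "q", "\u0455": "s",
}


def decode_idna_label(label: str) -> str:
    """Turn an 'xn--' (Punycode) label back into the Unicode text a browser would show."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def decode_hostname(host: str) -> str:
    """Decode every label of a hostname; plain ASCII labels pass through unchanged."""
    return ".".join(decode_idna_label(label) for label in host.split("."))


def skeleton(label: str) -> str:
    """Map each confusable character to the Latin letter it imitates."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)


def scripts(label: str) -> set:
    """Set of Unicode scripts (first word of the character name) used by the label's letters."""
    return {unicodedata.name(ch, "").split()[0] for ch in label if ch.isalpha()}


def check_host(host: str, watchlist: set) -> tuple:
    """Return (decoded hostname, findings). A finding is any label that is not itself
    a watched name but whose skeleton is one, i.e. a visual impersonation."""
    decoded = decode_hostname(host)
    findings = []
    for label in decoded.split("."):
        sk = skeleton(label)
        if sk != label and sk in watchlist:
            findings.append((label, sk, scripts(label)))
    return decoded, findings


if __name__ == "__main__":
    # Hypothetical watchlist of brand labels a defender cares about.
    decoded, hits = check_host("xn--80a2a18a.net", {"aol", "facebook"})
    print(decoded)
    for label, brand, used in hits:
        print(f"{label!r} impersonates {brand!r} using scripts {sorted(used)}")
```

Run over proxy or DNS logs, the same check flags any ‘xn--’ hostname whose decoded form collapses to a watched brand.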
The program also runs the malicious process ‘Stresspaint’ in the background, which copies cookies and other browser data by creating a duplicate of the browser profile. It checks Facebook profiles as well, copying friends lists and information on linked pages, and it also saves information on payment methods.
Finally, the program looks up a specific Instagram profile, which those at Radware believe is used to receive further instructions.
The malware establishes persistence in the form of an executable and registry keys, and researchers state that the malware runs every time the computer is restarted and whenever the user clicks the desktop shortcut for the ‘paint’ program.
Malware’s control panel
The group behind the malware used an open-source content management system named Layuicms 2.0 as its control panel, which the threat analysts were able to access. The panel showed the collected information as well as metrics data.
Alarmingly, the researchers discovered that the control panel also had a section dedicated to Amazon, which could mean that the group’s next target is the e-commerce giant. The control panel also had a section for another variant of the malware.
The researchers believe that the group is still in the data-collection phase, and so their intentions are not yet clear. However, those at Radware hypothesize that they may intend to ransom, blackmail, conduct espionage, steal the victims’ identities, or sell the data on.
Facebook has issued a statement saying that they are investigating the issue. Meanwhile, they are urging users to double-check the sender’s email and not to install untrusted third-party programs. They are also offering free antivirus scans in case of infection.