This malware targets Facebook log-in details, infects over 45,000 in just days

StressPaint malware is "developed professionally" and could be be harvesting accounts for anything from credential selling and identity theft, to malvertising and propaganda campaigns, warn researchers.
Written by Danny Palmer, Senior Writer

Users who download a painting software advertised as a tool for stress relief might soon find themselves stressed out because the program is actually a front for malware which steals their Facebook credentials and payment information.

'StressPaint' first appeared a few days ago and at the time of writing has infected over 45,000 Facebook users. The attacks appear to specifically target users who operate Facebook pages and have configured a payment method into the account.

Uncovered by Radware, the malware has quickly spread around the world with a high infection rate, indicating what researchers say "indicates this malware was developed professionally".

It's also suggested that the attackers could go after Amazon users in a future campaign, given it has a dedicated section in a control panel used in the campaign which has been analysed by researchers.

An infection campaign is carried out via phishing emails and users are socially engineered to believe they're visiting a real website - AOL is used as a hook in many of the attacks. However, the website they're being driven to is in fact a front for the malicious activity.

The site promotes software called 'Relieve Stress Paint' and urges the user to download it for free. If they do download and run the file, a window opens to show a basic painting program to the user, to give the impression that nothing suspicious happening while the malware runs in the background.


StressPaint looks innocent, but it hides malicious intent.

Image: Radware

However, once 'Relieve Stress Paint' is launched, the malware immediately runs and drops files onto the system and it will look to steal information from that moment - then subsequently each time the computer is restarted.

See also: What is phishing? Everything you need to know to protect yourself from scam emails and more

StressPaint steals information by copying the content of Chrome browser cookies and login date files. If saved Facebook credentials are found, they're sent to a C2 server.

Once the stolen credentials are validated, additional information is collected on the compromised account, including the number of friends, whether the account manages a page or not, or if a payment method is connected to the account.

"Security tools, like anti-virus or endpoint detection and response, always look for suspicious active processes on the system and general credential stealing methods like key logging or hooking," Adi Raff, security research team leader at Radware told ZDNet.

"We believe that the process of the malware is only active on the system for less than a minute on specific occasions (like first run, computer restart and stress pain tool rerun) and that the data theft is done from a copy of Chrome files (cookies/login data) which helps the malware stay undetected".

See also: What is malware? Everything you need to know about viruses, trojans and malicious software

Currently, the attacks only appear to be collecting data, but researchers suggest the stolen information could be used for profit in a number of ways. They include selling the credentials on underground forums, extorting victims by threatening to reveal personal information, espionage, profit from stolen payment information and identity theft.

However, it's suggested the fact the attackers are looking for accounts with pages and users with large amounts of friends means those behind the campaign - who've not been identified - are playing a long game.

"With the stolen credentials, access to web pages and payment details, the group can launch malicious advertisement campaigns, whether to make profit or spread more malwares. They can use small amounts from each user without raising suspicion and collect a critical mass to launch any activity," warn researchers, who say the same applies to propaganda.

"With the same information, instead of advertising a product or a service, they can run a campaign to promote their agenda and reveal people/personal identities."

Radware has disclosed the research to Facebook. "We are investigating these malware findings and we are taking steps to help protect and notify those who are impacted," Pete Voss, Facebook communications manager told ZDNet.

In order to avoid falling victim to a StressPaint attack, Radware urges users to be careful what they click.

"To stay protected, people need to make sure that they are downloading applications from legitimate sites and always double check the site in the browser before downloading," said Raff.


Editorial standards