Stresspaint Malware Campaign Targeting Facebook Credentials


On April 12, 2018, Radware’s threat research group detected, via internal feeds, a group collecting user credentials and payment methods from Facebook users across the globe. The group lures victims with phishing emails into downloading a painting application called ‘Relieve Stress Paint.’ While benign in appearance, it runs malware dubbed ‘Stresspaint’ in the background. Within a few days the group had infected over 40,000 users and stolen tens of thousands of Facebook credentials and cookies. This rapid distribution and high infection rate indicate that the malware was developed professionally. The group is specifically interested in users who own Facebook pages and have stored payment methods. We suspect that the group’s next target is Amazon, as the attack control panel has a dedicated section for it. Radware will continue to analyze the campaign and monitor the group’s activity. Prior to publication of this alert, Radware detected another variant of the malware and saw indications of this new version in the control panel.

Figures 1 & 2: Breakdown of infections by count and by geography

Infection Process

Radware suspects the campaign is distributed via phishing emails or directly on Facebook itself (Radware has not yet obtained a sample message). Recipients are led to believe they are visiting a legitimate site (e.g., AOL) to download a legitimate application; in reality the site is hosted on an internationalized (Unicode) look-alike of the AOL domain.

Figure 3: The phony website

The site advertises an application called “Relieve Stress Paint” and contains a download link.

While neither the application nor the website is yet visible in search engines, specific strings on the site led Radware to a page indexed by Google under the name ‘aol.net.’ This is not really aol.net but a Unicode look-alike; its true (punycode) address is ‘xn--80a2a18a.net.’ In punycode, any plain ASCII characters of a label are written before a final hyphen, and this label has none, so every one of its characters is a non-ASCII look-alike. That is what lets it render as ‘aol’ in an address bar while resolving to an unrelated domain.

Figure 4: The malicious website as indexed by Google
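To make the homograph concrete, here is an added example (not code from Radware or from the original alert) that decodes a punycode label and flags it when its characters are Latin look-alikes of a watched brand, or when a single label mixes scripts. It goes a little beyond the aol.net case by also catching mixed-script labels. The confusable table and the brand list are deliberately small and constructed for this example; a production check should use the Unicode confusables data.

```python
import unicodedata

# Partial confusable table, an assumption for this example (not the full
# Unicode confusables list): Cyrillic letters that render like Latin ones.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0458": "j",  # CYRILLIC SMALL LETTER JE
    "\u04cf": "l",  # CYRILLIC SMALL LETTER PALOCHKA
}

# Brands whose look-alikes we want to catch; a constructed list for the example.
WATCHED_BRANDS = {"aol", "facebook"}


def decode_label(label):
    """Return the Unicode form of one hostname label (xn-- labels are Punycode)."""
    if label.lower().startswith("xn--"):
        # Plain RFC 3492 Punycode. The 'idna' codec is avoided on purpose: its
        # round-trip check can reject labels that browsers nevertheless display.
        return label[4:].encode("ascii").decode("punycode")
    return label


def scripts_of(label):
    """Set of script names (first word of each character's Unicode name) in a label."""
    scripts = set()
    for ch in label:
        if ch.isascii() and not ch.isalpha():
            continue  # digits and hyphens belong to no script
        scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return scripts


def skeleton(label):
    """Replace each confusable character by the Latin letter it imitates."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)


def analyze(hostname):
    """Flag labels that mix scripts or whose skeleton equals a watched brand."""
    findings = []
    for raw in hostname.lower().split("."):
        label = decode_label(raw)
        scripts = scripts_of(label)
        skel = skeleton(label)
        reasons = []
        if len(scripts) > 1:
            reasons.append("mixed-script")
        if skel in WATCHED_BRANDS and skel != label:
            reasons.append("confusable-with:" + skel)
        if reasons:
            findings.append({"label": raw, "unicode": label,
                             "scripts": sorted(scripts), "reasons": reasons})
    return {"hostname": hostname, "suspicious": bool(findings), "findings": findings}


if __name__ == "__main__":
    for host in ("xn--80a2a18a.net", "aol.net", "faceb\u043e\u043ek.com"):
        result = analyze(host)
        print(host, "->", "SUSPICIOUS" if result["suspicious"] else "ok", result["findings"])
```

Running the block decodes the label from the alert into three Cyrillic characters whose skeleton is exactly "aol", while plain aol.net passes. The same logic flags a Latin/Cyrillic mix such as the constructed "facebook" look-alike in the `__main__` loop, which is the other common homograph pattern.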


The Malware

Once the file is downloaded and executed, a window opens showing the “legitimate program” to the user: a paint program whose color and line width change with each click.

Figure 5: Screenshot of paint program

In the background, the malware immediately starts running and dropping files on the system.

  • Temp\DX.exe – the main module of the malware, which remains persistent on the system
  • Temp\updata.dll – possibly used later for credential/cookie stealing
  • Desktop\RelieveStressPaint.lnk – a desktop shortcut that runs the originally downloaded executable, supporting the program’s appearance of legitimacy
  • AppData\Local\Google\Chrome\User Data\Default\Login Data11111
  • AppData\Local\Google\Chrome\User Data\Default\Cookies11111

The last two are copies of Chrome’s Login Data and Cookies databases. Chrome holds the originals open while it runs, so the malware copies them, queries the copies for saved passwords and cookies, and immediately deletes them.

Next, a number of registry keys are also created/modified.

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updata – with the value DX.exe [parameter]. We have seen two different parameters, which may indicate two infection campaigns that the author wants to track separately; the same split appears in the control panel.
  • HKCU\Software\Classes\VirtualStore\MACHINE\SOFTWARE\RelieveStressPaint\guid – holding the victim’s GUID, saved in the format [5 random letters/digits]HHMMSSYYYYMMDD, i.e. a random prefix followed by a timestamp.

Afterwards, a connectivity check is made to a specific Instagram profile. Radware believes this is used to receive instructions or updates (this is still under investigation).

Facebook Data Theft

Information is stolen when the malware runs for the first time, whenever the user runs the application again (via the .lnk on the desktop), and at every restart of the computer. The malware copies Chrome’s Cookies and Login Data files to a new location and queries the copies. Once saved login credentials (username + password) or Facebook cookies are found, they are sent encrypted to the C2 in the following format:

{\”fid\”:\”%s\”,\”fpwd\”:\”%s\”,\”cookies\”:\”%s\”,%s}

Figure 6: Exfiltration of compromised user credentials to the C&C server

In other requests, general information about the infected machine is sent in the following format:

{\”guid\”:\”%s\”,\”os\”:\”%s\”,\”agent\”:\”%s\”,\”Auto\”:%s,\”flag\”:%s,\”data\”:%s,\”seller\”:\”%s\”}

Once the credentials are validated and access is granted, additional data is collected, such as the number of friends, whether the account manages a page, and whether a payment method is configured for the account. This is done by requesting several predefined Facebook URLs that return this information. All requests use the hard-coded User-Agent:

Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
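As an added example (not the alert’s own code, and not the malware’s), the following Python turns the two format strings above and the hard-coded User-Agent into detection logic and runs it over a few constructed HTTP events. The event fields, the per-host baseline User-Agent, and the C2 hostname are assumptions made for the example. Two caveats a practitioner would want: the bodies are sent encrypted, so the template check applies only to content recovered from a sandbox, a memory dump, or a decrypted capture; and the User-Agent rule, which does work on ordinary proxy logs, will also match a genuine Chrome 55 on Windows 7, which is why the code pairs it with the User-Agent normally seen from the same host.

```python
import json
import re
from datetime import datetime

# Format strings reported in the alert (the malware fills each %s before sending).
CRED_TEMPLATE = '{"fid":"%s","fpwd":"%s","cookies":"%s",%s}'
INFO_TEMPLATE = ('{"guid":"%s","os":"%s","agent":"%s","Auto":%s,'
                 '"flag":%s,"data":%s,"seller":"%s"}')
# Hard-coded User-Agent used for every request, as reported in the alert.
STRESSPAINT_UA = ("Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 "
                  "(KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36")
# Victim GUID shape from the alert: [5 alphanumerics]HHMMSSYYYYMMDD
GUID_RE = re.compile(r"^[A-Za-z0-9]{5}(\d{2})(\d{2})(\d{2})(\d{4})(\d{2})(\d{2})$")


def keys_from_template(template):
    """Extract the JSON member names from a format string such as CRED_TEMPLATE."""
    return re.findall(r'"([A-Za-z]+)"\s*:', template)


def matches_template(body, template):
    """True if body is a JSON object carrying every key named in the template."""
    try:
        obj = json.loads(body)
    except ValueError:
        return False
    return isinstance(obj, dict) and set(keys_from_template(template)) <= set(obj)


def parse_guid(guid):
    """Return the infection timestamp encoded in a guid as ISO text, or None."""
    m = GUID_RE.match(guid or "")
    if not m:
        return None
    hh, mi, ss, yyyy, mo, dd = (int(x) for x in m.groups())
    try:
        return datetime(yyyy, mo, dd, hh, mi, ss).isoformat()
    except ValueError:  # right shape, impossible time (e.g. hour 99)
        return None


def classify(ev, baseline_ua=None):
    """List the reasons one HTTP event looks like Stresspaint traffic.

    ev: dict with src, host, ua, body (body is None when only proxy metadata exists).
    baseline_ua: User-Agent normally seen from ev['src'] (assumed inventory data).
    """
    reasons = []
    if ev.get("ua") == STRESSPAINT_UA:
        reasons.append("stresspaint_user_agent")
        if baseline_ua and baseline_ua != STRESSPAINT_UA:
            reasons.append("ua_differs_from_host_baseline")
    body = ev.get("body")
    if body:
        if matches_template(body, CRED_TEMPLATE):
            reasons.append("credential_exfil_template")
        if matches_template(body, INFO_TEMPLATE):
            reasons.append("victim_info_template")
            if parse_guid(json.loads(body).get("guid")):
                reasons.append("guid_with_infection_timestamp")
    return reasons


def scan(events, baselines):
    """Return (index, reasons) for every event that triggers at least one rule."""
    hits = []
    for i, ev in enumerate(events):
        reasons = classify(ev, baselines.get(ev.get("src")))
        if reasons:
            hits.append((i, reasons))
    return hits


# Constructed sample data: one infected host (10.0.0.5) and one clean host.
BASELINE_UA = {"10.0.0.5": ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                            "(KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36")}
SAMPLE_EVENTS = [
    {"src": "10.0.0.5", "host": "www.facebook.com", "ua": STRESSPAINT_UA, "body": None},
    {"src": "10.0.0.5", "host": "c2.example", "ua": STRESSPAINT_UA,
     "body": '{"fid":"victim@example.com","fpwd":"hunter2",'
             '"cookies":"c_user=1; xs=abc","page":1}'},
    {"src": "10.0.0.5", "host": "c2.example", "ua": STRESSPAINT_UA,
     "body": '{"guid":"Q7b2k15300420180412","os":"Windows 7","agent":"DX",'
             '"Auto":1,"flag":0,"data":{},"seller":"s1"}'},
    {"src": "10.0.0.9", "host": "www.facebook.com", "ua": BASELINE_UA["10.0.0.5"], "body": None},
]

if __name__ == "__main__":
    for index, reasons in scan(SAMPLE_EVENTS, BASELINE_UA):
        print(index, SAMPLE_EVENTS[index]["host"], reasons)
```

The GUID parser doubles as triage data: the last fourteen characters give the infection time, so a recovered beacon tells you when the host was compromised without needing host-side logs.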

Stealth

The malware authors chose a narrow data-theft method in order to stay hidden on the system for as long as possible.

  • No general-purpose credential stealing is performed, which could raise flags with security vendors
  • Cookies and saved passwords are read only from copies of the original cookies/login data files, never from the files Chrome has open
  • The process responsible for the credential theft lives on the system for less than a minute each time

Since the group is interested only in Facebook access at this stage, it obtains that access either from the saved logins/cookies present at first infection or when the computer is restarted.
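Pulling together the dropped files, the registry keys listed under Infection Process, and the short-lived stealer process described just above, here is an added example (not Radware’s code) that scans Sysmon-style events for those artifacts and correlates them. The event dictionaries are constructed for the example and use Sysmon field names as an assumption; the numeric-suffix pattern generalizes from the “11111” copies the alert reports, the “Run value pointing into Temp” rule is a general heuristic rather than something the alert states, and the 60-second threshold comes from the “less than a minute” observation.

```python
import re
from datetime import datetime

# Artifacts named in the alert, turned into patterns. The numeric suffix is
# generalised from the "11111" copies; Chrome's own "-journal" files do not match.
CHROME_DB_COPY_RE = re.compile(
    r"\\Google\\Chrome\\User Data\\[^\\]+\\(Login Data|Cookies)\d+$", re.I)
RUN_UPDATA_RE = re.compile(r"\\CurrentVersion\\Run\\Updata$", re.I)
RUN_ANY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.I)
DX_IN_TEMP_RE = re.compile(r"\\Temp\\DX\.exe\b", re.I)
TEMP_DIR_RE = re.compile(r"\\Temp\\", re.I)
VIRTUALSTORE_GUID_RE = re.compile(
    r"\\VirtualStore\\MACHINE\\SOFTWARE\\RelieveStressPaint\\guid$", re.I)
GUID_VALUE_RE = re.compile(r"^[A-Za-z0-9]{5}\d{14}$")  # [5 alnum]HHMMSSYYYYMMDD
SHORT_LIVED_SECONDS = 60  # the alert: the stealing process lives < 1 minute


def utc(ts):
    """Parse Sysmon's UtcTime field ('YYYY-MM-DD HH:MM:SS.fff')."""
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f")


def scan_sysmon(events):
    """Return (rule, evidence) pairs for the artifacts described in the alert.

    events: dicts with Sysmon-style fields (EventID, UtcTime, ProcessGuid, Image,
    TargetFilename, TargetObject, Details). EventID 1/5 = process create/terminate,
    11 = file create, 13 = registry value set.
    """
    findings = []
    started, ended, db_copiers = {}, {}, set()
    for ev in events:
        eid, pg = ev.get("EventID"), ev.get("ProcessGuid")
        if eid == 1:
            started[pg] = utc(ev["UtcTime"])
        elif eid == 5:
            ended[pg] = utc(ev["UtcTime"])
        elif eid == 11:
            if CHROME_DB_COPY_RE.search(ev.get("TargetFilename", "")):
                findings.append(("chrome_db_copy", ev["TargetFilename"]))
                db_copiers.add(pg)
        elif eid == 13:
            key, data = ev.get("TargetObject", ""), ev.get("Details", "")
            if RUN_UPDATA_RE.search(key) or DX_IN_TEMP_RE.search(data):
                findings.append(("run_key_updata", key + " = " + data))
            if RUN_ANY_RE.search(key) and TEMP_DIR_RE.search(data):
                # General heuristic (assumption): autoruns pointing into Temp are rare.
                findings.append(("run_key_from_temp", key + " = " + data))
            if VIRTUALSTORE_GUID_RE.search(key) and GUID_VALUE_RE.match(data):
                findings.append(("stresspaint_guid", data))
    # Temporal correlation: a process that copied Chrome's credential databases
    # and exited within a minute matches the alert's description of the stealer.
    for pg in db_copiers:
        if pg in started and pg in ended:
            life = (ended[pg] - started[pg]).total_seconds()
            if 0 <= life < SHORT_LIVED_SECONDS:
                findings.append(("short_lived_credential_access",
                                 "%s lived %.0fs" % (pg, life)))
    return findings


# Constructed sample events: one stealer run (ProcessGuid {A}) plus benign Chrome noise ({B}).
LOCAL = "C:\\Users\\victim\\AppData\\Local"
DX = LOCAL + "\\Temp\\DX.exe"
CHROME = "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2018-04-12 15:30:04.000", "ProcessGuid": "{A}", "Image": DX},
    {"EventID": 11, "UtcTime": "2018-04-12 15:30:05.100", "ProcessGuid": "{A}", "Image": DX,
     "TargetFilename": LOCAL + "\\Google\\Chrome\\User Data\\Default\\Login Data11111"},
    {"EventID": 11, "UtcTime": "2018-04-12 15:30:05.200", "ProcessGuid": "{A}", "Image": DX,
     "TargetFilename": LOCAL + "\\Google\\Chrome\\User Data\\Default\\Cookies11111"},
    {"EventID": 13, "UtcTime": "2018-04-12 15:30:06.000", "ProcessGuid": "{A}", "Image": DX,
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updata",
     "Details": DX + " 1"},
    {"EventID": 13, "UtcTime": "2018-04-12 15:30:06.500", "ProcessGuid": "{A}", "Image": DX,
     "TargetObject": "HKU\\S-1-5-21-1000\\Software\\Classes\\VirtualStore\\MACHINE"
                     "\\SOFTWARE\\RelieveStressPaint\\guid",
     "Details": "Q7b2k15300420180412"},
    {"EventID": 5, "UtcTime": "2018-04-12 15:30:41.000", "ProcessGuid": "{A}", "Image": DX},
    {"EventID": 1, "UtcTime": "2018-04-12 09:00:00.000", "ProcessGuid": "{B}", "Image": CHROME},
    {"EventID": 11, "UtcTime": "2018-04-12 09:00:01.000", "ProcessGuid": "{B}", "Image": CHROME,
     "TargetFilename": LOCAL + "\\Google\\Chrome\\User Data\\Default\\Cookies-journal"},
]

if __name__ == "__main__":
    for rule, evidence in scan_sysmon(SAMPLE_EVENTS):
        print(rule, "->", evidence)
```

Of the five rules, the file-name and registry matches are the cheapest but also the first to break when a variant renames DX.exe or the value name; the last rule, a process that copied Chrome’s credential databases and exited within a minute, keys on the behaviour the Stealth section describes and is the one most likely to survive such changes.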

Control Panel

The operators of this botnet use an open-source Chinese CMS called Layuicms2.0, customized to show information about the outbreak, such as stolen credentials and cookies, along with other metrics and the ability to export Facebook data. The panel also has a section for Amazon, but it is not yet functional; Radware believes this implies that the group’s next target will be Amazon.

Figure 7: Control panel (translated from Chinese by Google Chrome)
Figure 8: Users’ data

Possible Impact

Since the group is at the data collection phase, Radware can only speculate what the operators of this botnet do with the stolen credentials.

  • Monetization – simply selling the stolen credentials to malicious actors and cyber-criminals; online identities have been traded on the dark web for some time.
  • Ransom – extorting victims by threatening to reveal personal information such as photos.
  • Espionage – using the credentials to track specific people’s activity, networks and conversations.
  • Profit – using the stolen credentials and payment information to shop on e-commerce sites and services.
  • Identity theft – reusing the credentials to log in to other accounts or services via Facebook.

However, the fact that this group is looking specifically for accounts with pages and members with large networks leads us to consider a couple of additional options.

  • Malvertising – with the stolen credentials, access to pages and payment details, the group can launch malicious advertising campaigns, whether for profit or to spread more malware. Charging small amounts to each victim avoids suspicion while accumulating the critical mass needed for a large campaign.
  • Propaganda – with the same assets, instead of advertising a product or service, they can run a campaign promoting their agenda or exposing people’s personal identities.


Steps to Protect Against Data-Harvesting Malware

  • Detect new zero-day malware using cutting-edge machine learning algorithms
  • Block new threats by integrating with existing protection mechanisms and defense layers
  • Report on malware infection attempts in your network
  • Audit defenses against new exploits and see where you are vulnerable

As this malware spreads rapidly, the group will certainly continue to look for new ways to use the stolen assets. Such groups continuously create new malware and mutations to bypass security controls. Radware recommends that individuals and organizations change their current passwords and download applications only from trusted sources. Radware’s Malware Research Group will keep monitoring and analyzing new threats to provide protection to its customers.

Disclosure

We have brought our research findings to the Facebook information security team, including all the stolen credentials of the affected accounts. Facebook is investigating this operation and has provided the following statement.


“We encourage people to check the mails they receive for trusted domains. Facebookmail.com is a common domain that Facebook uses to send notifications when we detect an attempt to log in to your account or change a password. If you’re unsure if an email you received was from Facebook, you can check its legitimacy by visiting facebook.com/settings to view a list of security-related emails that have been recently sent. We are investigating these malware findings and we are taking steps to help protect and notify those who are impacted.”

“We maintain a number of automated systems to help stop harmful links and files from appearing on Facebook and in Messenger. If we suspect your computer is infected with malware, we will provide you with a free anti-virus scan from our trusted partners. We share tips on how to stay secure and links to these scanners on facebook.com/help.” – Pete Voss, Facebook communications manager

Radware also reached out to the domain registrar to have this activity stopped, but as of the time of publication had received no response.

The full alert is available as Radware Threat Alert: Stresspaint.


14 COMMENTS


  5. I’m not sure where you’re getting your information, but good topic.
    I must spend a while studying much more or working out more.
    Thank you for the magnificent info; I was looking for this information for my mission.


  7. I have been surfing online for more than three hours today, but I have not found
    a single interesting article like yours.

    It pleasantly surprised me. I think that if all owners of topical pages and
    bloggers produced good content like you do, a lot more useful material would
    appear.
