Stresspaint Trojan steals Facebook login credentials

by Alice Woods - - 2018-05-08

Stresspaint malware steals Facebook login credentials in disguise of Relieve Stress Paint tool

A malware called Stresspaint has been detected in the middle of April 2018 harvesting Facebook users' login credentials. Distributed via hacked aol.net website, the malware managed to infect over 40,000 PCs from April 12 to 16. According to Radware^[1] researchers, StressPaint Trojan affected residents of Vietnam, Russia, Pakistan, Indonesia, Ukraine, and Italy in particular.

According to resources, the info stealer malware is being distributed via hacked aol.net website, and phishing emails that promote an application Relieve Stress Paint.^[2] The app is being distributed bundled with Stresspaint malware, which once executed opens Facebook in the background and starts accumulating login credentials, session cookies, network traffic, and other personally identifiable information.

Amazon – the next target

Stresspaint malware developers do not seem to confine themselves to Facebook. According to malware researchers, the credentials of Amazon users may soon become a target.

Researchers found out that the crooks that manage the widespread of the Relieve Stress Paint tool infected with malware extorting Facebook data are using an open-source Chinese CMS known as Layuicms2.0.^[3] Upon in-depth analysis, it was noticed that the panel not only displays the metrics of the attacks and Facebook data leaks but also contains a section that reports the same data regarding Amazon. Thus, it's expected such, or similar Stresspaint malware attacks can be initiated against Amazon users soon.

The technical side of the Trojan performance

The Stresspaint is an example of a professionally developed info stealer. Within less than four days, it managed to attack more than 45,000 PCs and steal tens of thousands of Facebook login credentials. These numbers are noteworthy, aren't they?

The main reason why hackers experienced such a success most probably is related to accurate preparation of the virus before its release. The group of malware distributors apply filters to attack people that have Facebook accounts with saved passwords or Amazon payment section activated.

If the potential victim conforms to the requirements, the malware is being executed and runs scripts and installs malicious Registry keys that help it remain persistent on the system without being noticed and steal personal data without any obstacles.

Temp\\\\DX.exe
Temp\\\\updata.dll
Desktop\\RelieveStressPaint.lnk
HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\Updata
HKCU\\Software\\Classes\\VirtualStore\\MACHINE\\SOFTWARE\\RelieveStressPaint\\guid

These are just a few examples of the changes that the Stresspaint malware initiates. Upon successful unravel, it's practically impossible to detect it on the system as it does not have a negative effect on system's performance.

It can only be found when running a scan with a professional anti-malware program. Thorough system scan should provide a log with Stresspaint.Trojan or Stresspaint.Inforstealer detection, which you should immediately immunize.

The virus leaks Facebook data each time when the Relieve Stress Paint app is enabled

Relieve Stress Paint tool might seem legitimate and useful. However, it's just a simple paint tool, which apparently can cause more damage than good. Upon installation, the tool is downloaded along with a Trojan. Subsequently, the malware creates a Desktop\\RelieveStressPaint.lnk entry on the desktop, which stands for a shortcut to launch the app.

Unfortunately, each time you click on the shortcut and launch the app, it enables the tracking software and accumulating Facebook login credentials,^[4] including username and password. If the Trojan successfully exposes login information, it may connect to the account and steal information, such as the number of Facebook friends, payment method configuration, the activity of the account, and so on.

Facebook accounts may be hacked

Currently, malware researchers did not register any instances of a Facebook hack caused by Relieve Stress Paint malware. However, it is believed that the virus is still in the development phase or early data collection phase.

It is expected that the collected data may be used for blackmailing, espionage, malvertising, monetizing, and similar activities. Not to mention Facebook account hack.^[5] Thus, it's essential to use a professional anti-virus and other security tools. Besides, be careful with the content you are presented online.

About the author

Alice Woods - Likes to teach users about virus prevention

Alice Woods is the News Editor at 2-spyware. She has been sharing her knowledge and research data with 2spyware readers since 2014.

Contact Alice Woods
About the company Esolutions

References

^ https://security.radware.com/malware/stresspaint-malware-targeting-facebook-credentials/. Radware Security Blog.
^ Olivia Morelli. Relieve Stress Paint. How to remove?. 2-Spyware. The largest sources of security and tech-related information.
^ BrotherMa/layuicms2.0. GitHub. A development platform.
^ Rob Pegoraro. Why you should think twice before you 'sign in with Facebook'. USA Today. Local and national news.
^ Tina Sieber . 4 Things to Do Immediately When Your Facebook Account Is Hacked. MakeUseOf. Technology website.

Read in other languages

• Polski
• Deutsch
• Português
• Suomen
• Eestlane