‘Relieve Stress Paint’ malware has hit Facebook accounts

“Relieve Stress Paint” is distributed through domains that use Unicode look-alike characters, so that they display as aol.net and picc.com in search engines and in emails, reports Ars Technica.

Researchers with the security firm Radware said in a post published Wednesday morning they suspect the malware is being promoted in spam emails.

What is Relieve Stress Paint Trojan?
Once an unsuspecting user opens the Relieve Stress Paint program, it behaves like a simple painting program, changing colors and line size with each click. Behind the scenes, however, it harvests Facebook-related data from Chrome, including saved credentials and cookies.

So every time a user restarts their computer or opens the “stress paint” program, as Radware dubbed it, it copies the user’s Facebook credentials. According to Radware’s blog, “the rapid distribution and high infection rate indicates this malware was developed professionally. The group is specifically interested in users who own Facebook pages and that contain stored payment methods.”

Even though the application and its website are not yet indexed by search engines, specific strings in the site led Radware to a site on Google called ‘aol.net.’ This is not really ‘aol.net’ but a Unicode look-alike of it; its true address is ‘xn--80a2a18a.net.’
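The ‘xn--80a2a18a.net’ address above is the Punycode (A-label) form of an internationalized domain name. The following added example, which is not code from the article or from Radware, decodes that label and applies a simplified version of the Unicode TR39 “skeleton” check that browsers and mail filters use to flag look-alike domains. The confusables table is a small hand-picked subset, and the Cyrillic-to-Latin mappings are the assumption the check rests on.

```python
"""Decode an IDN A-label and flag domains whose letters are Latin look-alikes.

Added example, not code from the article or Radware. CONFUSABLES is a small,
constructed subset of the Unicode TR39 confusables table, not the full table.
"""
import unicodedata

# Constructed subset of Unicode confusables: non-Latin letter -> Latin look-alike
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0458": "j",  # CYRILLIC SMALL LETTER JE
    "\u04bb": "h",  # CYRILLIC SMALL LETTER SHHA
    "\u04cf": "l",  # CYRILLIC SMALL LETTER PALOCHKA
    "\u0501": "d",  # CYRILLIC SMALL LETTER KOMI DE
}


def decode_label(label: str) -> str:
    """Turn an A-label ('xn--...') into its Unicode form; pass other labels through.

    The raw 'punycode' codec is used instead of the 'idna' codec because the
    latter applies nameprep (Unicode 3.2) and rejects newer code points such as
    U+04CF, which is exactly the kind of character a look-alike domain uses.
    """
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def script_of(ch: str) -> str:
    """Rough script classification taken from the Unicode character name."""
    if ch.isascii():
        return "Latin"
    name = unicodedata.name(ch, "")
    return name.split(" ")[0].title() if name else "Unknown"


def skeleton(label: str) -> str:
    """Replace every known confusable with its Latin look-alike."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)


def analyze(domain: str) -> dict:
    """Decode each label, compute the skeleton and flag Latin look-alike domains."""
    labels = [decode_label(part) for part in domain.split(".")]
    unicode_form = ".".join(labels)
    skel = ".".join(skeleton(part) for part in labels)
    scripts = sorted({script_of(c) for part in labels for c in part if c.isalpha()})
    # Suspicious when the decoded name is not plain ASCII but its skeleton is:
    # every non-Latin letter present has a Latin look-alike, so a reader sees
    # an ordinary-looking ASCII name. This also catches single-script labels
    # (such as an all-Cyrillic one), which a mixed-script check alone would miss.
    suspicious = unicode_form != skel and skel.isascii()
    return {"unicode": unicode_form, "skeleton": skel,
            "scripts": scripts, "suspicious": suspicious}


if __name__ == "__main__":
    for d in ("xn--80a2a18a.net", "aol.net", "p\u0430ypal.com"):
        print(d, "->", analyze(d))
```

Run against the article’s domain, the decoded label is three Cyrillic letters (U+0430, U+043E, U+04CF) whose skeleton is `aol.net`; because the label is single-script, a plain mixed-script rule would not flag it, which is why browsers also keep whole-script confusable lists and fall back to showing the `xn--` form.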

Do not open this program. (Image: Radware)

So, what happens to the stolen data?
Your stolen data is sent to a command-and-control server. Researchers managed to access this command server’s interface and found that over 40,000 computers had been compromised in the last few days because of this malware. In the process, tens of thousands of Facebook accounts have been compromised.

The interface also compiled any payment details tied to an account, the number of friends the account had, and whether the account was used to manage a page. This is done by accessing several predefined Facebook URLs which return this information.

Radware also found a section of the server interface already set up for viewing credentials for victims’ Amazon accounts. This led Radware to suspect that “the attackers hadn’t yet enabled code that would actually compromise those accounts.” Radware also detected another variant of the malware and saw an indication of it in the control panel.

The Possible Impact of this malware
The attackers are using a “stealth” program that is not detected by antivirus products. Its authors chose “a specific data theft” method to remain hidden on the system for as long as possible: no general credential harvesting is performed, and only the cookies and saved passwords held in Chrome’s Cookies and Login Data files are copied. The whole operation takes less than one minute.
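Because the theft consists of copying two specific files, a defender can watch for the one thing the malware cannot avoid: a process other than the browser opening Chrome’s Cookies or Login Data files. The following added example (not code from the article or from Radware) runs that rule over a few constructed file-access records; the `process|action|path` record format, the process name `stresspaint.exe` and the allow-list are all assumptions standing in for whatever audit source an environment actually has.

```python
"""Flag non-browser processes reading Chrome's credential stores.

Added example, not code from the article or Radware. The record format,
sample events and allow-list are constructed for illustration.
"""
from pathlib import PureWindowsPath

# Chrome keeps saved passwords in 'Login Data' and session cookies in 'Cookies'
# (SQLite files under the profile directory inside 'User Data').
SENSITIVE_FILES = {"login data", "cookies"}

# Processes expected to open those files. Assumption: a real allow-list would
# be tuned per environment (other Chromium-based browsers, backup agents...).
EXPECTED_PROCESSES = {"chrome.exe"}

# Constructed records in a simple "process|action|path" form, standing in for
# an object-access audit log or an EDR file-event feed. 'stresspaint.exe' is a
# made-up name for the malicious process.
SAMPLE_EVENTS = """\
chrome.exe|read|C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data
chrome.exe|read|C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies
stresspaint.exe|read|C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data
stresspaint.exe|write|C:\\Users\\alice\\AppData\\Local\\Temp\\ld.tmp
stresspaint.exe|read|C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies
notepad.exe|read|C:\\Users\\alice\\Documents\\notes.txt
"""


def is_chrome_credential_store(path: str) -> bool:
    """True when the path is a Cookies/Login Data file inside a Chrome profile."""
    p = PureWindowsPath(path)
    parts = [part.lower() for part in p.parts]
    return p.name.lower() in SENSITIVE_FILES and "user data" in parts


def find_suspicious_access(events: str) -> list:
    """Return every access to a credential store by a process not on the allow-list."""
    hits = []
    for line in events.splitlines():
        if not line.strip():
            continue
        process, action, path = line.split("|", 2)
        if is_chrome_credential_store(path) and process.lower() not in EXPECTED_PROCESSES:
            hits.append({"process": process, "action": action,
                         "file": PureWindowsPath(path).name})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_access(SAMPLE_EVENTS):
        print(hit)
```

On the constructed events the rule reports the two reads by the unexpected process and ignores both the browser’s own reads and an unrelated file with the same name outside a Chrome profile. A copy of these files is only half of the theft; the other half is the decryption of the stored secrets, so the same process also deserves a look for calls into the Windows data-protection API.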

Besides the obvious impacts that come from stealing personal information, like identity theft, extortion, cleaning out a bank account and espionage, there are a couple other issues to be considered.

Because the criminal group is targeting accounts with pages, and members with large networks, Radware suggests the information could be used to launch malicious advertisement campaigns, whether to make a profit or spread more malware.

They can also use the stolen information to run propaganda campaigns: instead of advertising a product or a service, a campaign could promote the group’s agenda or expose people’s personal identities.

Radware recommends that individuals and organizations update their current passwords and only download applications from trusted sources.

Written By

We are deeply saddened to announce the passing of our dear friend Karen Graham, who served as Editor-at-Large at Digital Journal. She was 78 years old. Karen's view of what is happening in our world was colored by her love of history and how the past influences events taking place today. Her belief in humankind's part in the care of the planet and our environment has led her to focus on the need for action in dealing with climate change. It was said by Geoffrey C. Ward, "Journalism is merely history's first draft." Everyone who writes about what is happening today is indeed, writing a small part of our history.
