Is digital painting and coloring just as relaxing as ‘regular’ painting and coloring? Perhaps it is. But if you want to try it yourself, you’d be better off using Adobe Photoshop or GIMP than installing the malicious ‘Relieve Stress Paint’ app from a link you got through Facebook.
Like lots of people, I have a collection of trendy adult coloring books. It is quite relaxing to sit on the couch, open a coloring page, get out my crayons, and color mindlessly. I also enjoy painting things. I’ve found decorative sculptures that were being thrown out at the home decor store my friend works at, and I’ve painted them with my own designs. It’s quite soothing and satisfying, unlike getting targeted with malware.
Users should already be concerned about how the fun applications they find through Facebook use or abuse their data, in the wake of the Cambridge Analytica scandal. The political marketing firm often got information from Facebook users through novelty quizzes and the like.
‘Relieve Stress Paint’ isn’t an app that’s embedded in Facebook though. Rather, cyberattack targets received links to download the malicious application through Facebook messages or email. The cyber attackers exploited the perceived legitimacy and integrity of Facebook and AOL’s brands to transmit their Trojan.
The hyperlink for the ‘Relieve Stress Paint’ download page reads ‘aol.net’, but it is spelled with Unicode look-alike characters rather than the Latin letters a, o and l. The browser converts that internationalized domain name into its Punycode form, ‘xn--80a2a18a.net’, which is the name that is actually registered and resolved. Very clever!
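The homograph trick is easy to check for mechanically: decode the ‘xn--’ label back to Unicode, see which scripts the letters belong to, and map known look-alikes to the ASCII letters they imitate. The script below is an added example written for this post, not code from the campaign or from any vendor. It uses Python’s built-in punycode codec and unicodedata module; the confusables table is a hand-picked subset (an assumption here, the full list lives in Unicode TS #39), and the trusted-domain set and the mixed-script ‘paypal’ sample are constructed for illustration. Decoding the Stresspaint domain from this post yields three Cyrillic letters (a, o and palochka) that render as ‘aol’.

```python
import codecs
import unicodedata

# Cyrillic letters that render like Latin letters in most fonts. This is a
# small hand-picked subset (an assumption for this example); production
# tooling should use the full Unicode confusables data (UTS #39).
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0458": "j",  # CYRILLIC SMALL LETTER JE
    "\u04cf": "l",  # CYRILLIC SMALL LETTER PALOCHKA
}


def decode_idn(host):
    """Turn an ACE (xn--) hostname back into the Unicode string a user sees."""
    labels = []
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            label = codecs.decode(label[4:].encode("ascii"), "punycode")
        labels.append(label)
    return ".".join(labels)


def scripts_in(label):
    """Unicode scripts used by the letters of a label, taken from the
    first word of each character's Unicode name (LATIN, CYRILLIC, ...)."""
    scripts = set()
    for ch in label:
        if ch.isalpha():
            scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return scripts


def skeleton(host):
    """Replace known look-alikes with the ASCII letter they imitate."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in decode_idn(host))


def check_hostname(host, trusted):
    """Return (decoded_name, verdict) for a hostname taken from a link.

    verdict is 'homograph of <brand>' when the look-alike skeleton matches a
    trusted name, 'non-Latin script: ...' for other non-Latin letters, or 'ok'.
    """
    decoded = decode_idn(host)
    look_alike = skeleton(host)
    non_latin = set()
    for label in decoded.split("."):
        non_latin |= scripts_in(label) - {"LATIN"}
    if look_alike in trusted and decoded != look_alike:
        return decoded, "homograph of " + look_alike
    if non_latin:
        return decoded, "non-Latin script: " + ", ".join(sorted(non_latin))
    return decoded, "ok"


if __name__ == "__main__":
    trusted = {"aol.net", "paypal.com"}  # constructed allow-list
    # Constructed samples: the Stresspaint domain from the post, a harmless
    # Latin-script IDN, and a mixed-script look-alike built on the fly.
    samples = [
        "xn--80a2a18a.net",
        "xn--bcher-kva.example",
        "xn--" + "p\u0430ypal".encode("punycode").decode("ascii") + ".com",
    ]
    for host in samples:
        print(host, "->", check_hostname(host, trusted))
```

Note that a non-Latin script on its own is not evidence of fraud (plenty of legitimate domains are Cyrillic, and ‘bücher.example’ above is Latin and passes); the strong signal is a decoded name whose look-alike skeleton collides with a brand you trust.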
Targets who download and install ‘Relieve Stress Paint’ do indeed get an application that can be used for painting, with a UI and features quite similar to Microsoft Paint. What they don’t know is that in the background, ‘Relieve Stress Paint’ raids the browser on the machine for the Facebook session cookies, login credentials, and other sensitive Facebook data belonging to the account used there.
The cyber attackers’ favorite targets have their own Facebook pages, lots of followers, or payment data linked to their Facebook accounts. Ouch!
While ‘Relieve Stress Paint’ is installed on a Windows machine, ‘DX.exe’ remains persistent on the system, and ‘uplink.dll’ is likely the malicious dynamic link library which grabs the target’s sensitive Facebook data.
‘Relieve Stress Paint’ targets Chrome on Windows. It does not need a browser vulnerability: it simply makes copies of the saved-login (‘Login Data’) and cookie (‘Cookies’) SQLite databases that it finds in the Chrome profile and then stores the copies in:
The acquired Facebook account data then gets encrypted and sent to the cyber attackers’ command and control (C2) server. The C2 server’s Chinese-language control panel has a section for Facebook data and another for Amazon data. Security researchers found the Amazon section to be empty, which suggests that acquiring Amazon account data is a step in the scheme that hasn’t been executed yet.
Users’ lives could be ruined once a cyber attackers’ command and control program holds both Facebook and Amazon data. People are far more likely to have credit card data stored in their Amazon accounts. The targets could not only become identity fraud victims but also rack up a lot of fraudulent charges on their credit cards once the Amazon step of the campaign gets executed.
Security researchers have found that at least 35,000 users were victims of the Stresspaint campaign. That’s what they call the ‘Relieve Stress Paint’ Trojan. Top geographic targets include Vietnam, Russia, Pakistan, Indonesia, Ukraine, Italy, Romania, Kazakhstan, Egypt, Estonia, and France. Vietnam alone had at least 2,815 victims.
The Stresspaint Trojan initially evaded antivirus detection because it never touched the browser’s credential stores the way antivirus heuristics expect: it copied the Facebook-related Chrome databases elsewhere and queried the copies rather than opening the original files.
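The flip side of that evasion is that a copy still requires a read of the original file, and a read by anything other than the browser is a strong signal. One way to catch it is to put an audit SACL on Chrome’s ‘Login Data’ and ‘Cookies’ files and alert on Windows Security event 4663 (object access) records where the reading process is not Chrome. The detector below is an added example written for this post, not Cylance’s or anyone else’s product logic; the events are constructed to mimic 4663 fields (ProcessName, ObjectName, AccessMask), the ‘DX.exe’ location is an assumption (the post names the binary but not where it lives), and the allow-listed Chrome install paths are the standard ones.

```python
import ntpath

# SQLite files under a Chrome profile that hold saved logins and cookies.
CHROME_STORES = {"login data", "cookies"}

# Full paths from which Chrome is expected to run (standard install locations).
# Matching the full path rather than just "chrome.exe" stops a stealer from
# hiding behind a familiar file name.
ALLOWED_PROCESS_PATHS = {
    r"c:\program files\google\chrome\application\chrome.exe",
    r"c:\program files (x86)\google\chrome\application\chrome.exe",
}

# Security event 4663 access-mask bit for ReadData. Copying the database
# needs at least this right, so it is the bit that matters here.
READ_DATA = 0x1


def is_chrome_store(path):
    """True if path points at a Login Data or Cookies file inside a Chrome profile."""
    lowered = path.lower()
    return ("\\google\\chrome\\user data\\" in lowered
            and ntpath.basename(lowered) in CHROME_STORES)


def suspicious_reads(events):
    """Return (process, file) pairs for reads of Chrome's credential stores
    by any process that is not the browser itself."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4663:
            continue
        if not ev["AccessMask"] & READ_DATA:
            continue
        if not is_chrome_store(ev["ObjectName"]):
            continue
        if ev["ProcessName"].lower() in ALLOWED_PROCESS_PATHS:
            continue
        hits.append((ev["ProcessName"], ev["ObjectName"]))
    return hits


# Constructed sample events shaped like 4663 records; paths are assumptions.
PROFILE = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default"
SAMPLE_EVENTS = [
    # The browser reading its own store: expected, no alert.
    {"EventID": 4663,
     "ProcessName": r"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe",
     "ObjectName": PROFILE + r"\Login Data", "AccessMask": 0x1},
    # The Stresspaint component copying the stores: two alerts.
    {"EventID": 4663, "ProcessName": r"C:\Users\alice\AppData\Local\Temp\DX.exe",
     "ObjectName": PROFILE + r"\Cookies", "AccessMask": 0x1},
    {"EventID": 4663, "ProcessName": r"C:\Users\alice\AppData\Local\Temp\DX.exe",
     "ObjectName": PROFILE + r"\Login Data", "AccessMask": 0x1},
    # An unrelated file read: not a credential store, no alert.
    {"EventID": 4663, "ProcessName": r"C:\Windows\System32\notepad.exe",
     "ObjectName": r"C:\Users\alice\Documents\notes.txt", "AccessMask": 0x1},
    # A binary named chrome.exe running from Temp: wrong path, still an alert.
    {"EventID": 4663, "ProcessName": r"C:\Users\alice\AppData\Local\Temp\chrome.exe",
     "ObjectName": PROFILE + r"\Login Data", "AccessMask": 0x1},
]


if __name__ == "__main__":
    for process, target in suspicious_reads(SAMPLE_EVENTS):
        print("ALERT", process, "read", target)
```

Two caveats for anyone deploying something like this: object-access auditing is off by default and the SACL has to be set per file (the stores are recreated when a profile is reset), and the allow-list should be tightened further with signer or hash checks, since a trusted path is only as good as the permissions protecting it.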
‘Relieve Stress Paint’ was originally spotted near the beginning of April 2018, but infections peaked during the second weekend of April, with as many as 10,000 new infections per day. Stresspaint should now be removable with most updated malware removal applications.
A lot of freeware and open-source applications - software you can legally acquire free of charge - are perfectly safe for your home PC or mobile device, provided you do your research on the program first and follow basic security measures like backing up your PC prior to installation. But free software can also harbor Trojans, so do use a healthy dash of caution at all times.
Before you’re tempted to download a free app, read up on it first. Do a web search with the name of the application. If the application has a positive reputation outside of the developer’s website then it’s generally a safer bet than one with no reviews or online feedback.
There are a lot of excellent freeware and open-source applications out there, such as GIMP. But you’ll notice that GIMP’s developers never try to market their application by sending users unsolicited Facebook messages or emails. They count on maintaining a good free application over time through positive word of mouth, open-source code, and years of support.
Even developers of legitimate commercial software who are in the business of making money won’t send people unsolicited Facebook messages in order to market their product.
‘Relieve Stress Paint’ is a Windows Trojan with a UI and functionality very similar to Microsoft Paint. Why not use Microsoft Paint instead if you want to relieve stress through digital painting? It should be an obvious solution, but to the best of my knowledge Microsoft has never marketed MS Paint specifically as a stress relieving tool, and Microsoft would never market one of their applications through unsolicited Facebook messages. Perhaps that was a void that Stresspaint’s cyber attackers exploited.
Will we see further social engineering campaigns that make an inferior Trojan version of an easily available legitimate application by finding a novel marketing angle for it? I hear that a game of digital Solitaire is great for stress relief and relaxation. Is ‘Relieve Stress Solitaire Cards’ next? ‘Relieve Stress Minesweeper?’ ‘Relieve Stress Bang Your Keyboard Into Notepad?’ Only time will tell.
NOTE: This blog represents the opinions of the author only, and does not represent an official Cylance endorsement of any companies, services or products mentioned herein. Cylance is not paid nor otherwise compensated in any way by any company, service, or product mentioned in these blogs.