Stresspaint Malware

Researchers at Radware discovered a trojan inside the free Windows application “Relieve Stress Paint.” Dubbed “Stresspaint,” the malware is distributed via Facebook and email spam messages directing users to аоӏ[.]net, a website domain impersonating the real aol[.]net by using Unicode characters that look like Latin letters. When converted to punycode, the website domain actually spells out 80a2a18a[.]net. If a user downloads the application from this site, they receive a working drawing tool; however, the app also runs malicious files in the background, and the malware sets a Windows registry key that executes a .exe file every time the device boots to maintain persistence. The malware collects details on the user’s Facebook account, Chrome login data and session cookies, and their Globally Unique Identifier (GUID), and sends this information to the threat actor’s C2 server. The NJCCIC recommends users review the BleepingComputer article, verify the URL of websites they visit to ensure their legitimacy, avoid downloading applications and other software from third-party sites, and run an up-to-date antivirus solution on all devices.
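The advisory's own recommendation is to verify the URL of sites you visit; a homoglyph domain like the one described above defeats that check by eye, so the check has to be done on the characters themselves. The following is an added example (not code from Radware, BleepingComputer or the NJCCIC) showing how a defender-side URL or log filter can expose such a name: it converts each label to its punycode ACE form (with the `xn--` prefix that the advisory's quoted form omits), lists the scripts used, and folds known Cyrillic lookalikes into the Latin letters they imitate so the result can be compared with a list of protected brand domains. The `CONFUSABLES` table is a small hand-built subset (the full Unicode confusables data would be used in production), the `protected` list is a placeholder, and the test domain is constructed from the page's description using escape sequences so the homoglyphs are visible in the source.

```python
import unicodedata

# Partial, hand-built table of Cyrillic letters that render like Latin ones
# (constructed for this example; a real check would load the Unicode
# confusables data). Maps lookalike -> the Latin letter it imitates.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u04cf": "l",  # CYRILLIC SMALL LETTER PALOCHKA
}


def _script_of(ch):
    """Rough script classification taken from the Unicode character name."""
    if ch.isascii():
        # Digits and '-' are script-neutral; ASCII letters are Latin.
        return "LATIN" if ch.isalpha() else "COMMON"
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"


def to_punycode(domain):
    """Encode every non-ASCII label with RFC 3492 punycode plus the 'xn--' ACE prefix."""
    out = []
    for label in domain.split("."):
        if label.isascii():
            out.append(label)
        else:
            out.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(out)


def skeleton(domain):
    """Replace known lookalike characters with the Latin letters they imitate."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in domain)


def analyze_domain(domain, protected=("aol.net",)):
    """Return the ASCII form, scripts used, and whether the name shadows a protected domain.

    `protected` is a placeholder list of brand domains to guard (an assumption of
    this example, not something the advisory specifies).
    """
    domain = unicodedata.normalize("NFKC", domain.strip().lower())
    scripts = set()
    non_ascii = []
    for ch in domain.replace(".", ""):
        script = _script_of(ch)
        if script != "COMMON":
            scripts.add(script)
        if not ch.isascii():
            non_ascii.append((f"U+{ord(ch):04X}", unicodedata.name(ch, "?")))
    skel = skeleton(domain)
    return {
        "input": domain,
        "punycode": to_punycode(domain),
        "scripts": sorted(scripts),
        # Anything other than pure Latin in a brand-like name deserves a look.
        "mixed_or_non_latin": any(s != "LATIN" for s in scripts),
        "non_ascii": non_ascii,
        "skeleton": skel,
        # Flag only when lookalike folding turns a different string into a protected name.
        "impersonates": skel if (skel != domain and skel in protected) else None,
    }


if __name__ == "__main__":
    # Constructed lookalike built from the page's description: Cyrillic a, o and
    # palochka followed by ".net", alongside the genuine ASCII domain.
    for d in ("\u0430\u043e\u04cf.net", "aol.net"):
        r = analyze_domain(d)
        print(r["input"], "->", r["punycode"], "| scripts:", r["scripts"],
              "| impersonates:", r["impersonates"])
```

Running it on the constructed lookalike yields the ACE form `xn--80a2a18a.net`, which is the value the advisory quotes once the `xn--` prefix is added, a CYRILLIC entry in the script list, and an `impersonates` match against `aol.net`; the genuine `aol.net` passes clean. Folding to a skeleton before comparison is what catches the case, because the punycode string alone tells a user nothing about which brand is being imitated.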