A new attack involving a previously unknown malware named ‘Album Stealer’ has been spotted by Zscaler, targeting Facebook users.
The attack employs adult images to trick Facebook users into downloading a malicious ZIP archive and essentially infect themselves with information-stealing malware.
The adversaries’ goal is to steal Facebook credentials and take over accounts, particularly Business accounts that have access to ad and marketing campaigns. The threat actors use that access to run malicious campaigns for their own benefit, directing the ad-generated revenue to their bank accounts.
Facebook Attack Chain
The attack begins with the threat actors using fake Facebook profile pages containing adult images of women to lure users into clicking on them. Those profiles contain a link to an archive that supposedly contains an album of more pictures.
Clicking on that link delivers a ZIP archive from Microsoft OneDrive, to evade anti-virus warnings. The archive contains an executable file named Album.exe, a malicious DLL, and a dat file.
Album.exe is in reality a PDF viewer that side-loads the malicious DLL to initiate the malware loading process. The executable also executes a self-extracting archive that contains images of women to serve as a decoy.
Meanwhile, in the background, the malware adds new registry keys to establish persistence on the system and continues the infection chain by loading several additional executables downloaded in each step.
Finally, Album Stealer is loaded onto the system, collecting data from the compromised computer and sending it to the command and control server.
Album Stealer Targets
As an info-stealing malware, Album Stealer targets valuable user data that like account credentials, cookies and login data stored on web browsers like Chrome, Opera, Brave, Edge, and Firefox.
Its differentiating factor compared to other commonly used info-stealers is that instead of searching for static paths in the breached computer, it searches for file names.
This makes its scanning slower, but has the advantage of giving it more specific targeting, limiting the amount of false positives and unnecessary data uploads to the C2.
Moreover, Album Stealer focuses more on Facebook accounts, and if it extracts credentials for the social media platform, it uses the graph API to obtain additional information relating to business and ad management FB accounts.
The Album Stealer attack is a passive attack that waits for victims to make the first move themselves. However, it’s still a significant threat due to its potential to draw large amounts of victims on its hooks.
Facebook users are advised to avoid downloading archives from links listed on the platform, especially when these come from people they don’t know.