A new attack involving a previously unknown malware named ‘Album Stealer’ has been spotted by Zscaler, targeting Facebook users.
The attack employs adult images to trick Facebook users into downloading a malicious ZIP archive and essentially infect themselves with information-stealing malware.
The adversaries’ goal is to steal Facebook credentials and take over accounts, particularly Business accounts that have access to ad and marketing campaigns. The threat actors use that access to run malicious campaigns for their own benefit, directing the ad-generated revenue to their bank accounts.
Facebook Attack Chain
The attack begins with the threat actors using fake Facebook profile pages containing adult images of women to lure users into clicking on them. Those profiles contain a link to an archive that supposedly contains an album of more pictures.
Clicking on that link delivers a ZIP archive from Microsoft OneDrive, to evade anti-virus warnings. The archive contains an executable file named Album.exe, a malicious DLL, and a dat file.
Album.exe is in reality a PDF viewer that side-loads the malicious DLL to initiate the malware loading process. The executable also executes a self-extracting archive that contains images of women to serve as a decoy.
Meanwhile, in the background, the malware adds new registry keys to establish persistence on the system and continues the infection chain by loading several additional executables downloaded in each step.
Finally, Album Stealer is loaded onto the system, collecting data from the compromised computer and sending it to the command and control server.