Information-stealing malware is a common occurrence in the world of cybercrime. The Album Stealer is a new threat in this category that targets users seeking adult content on Facebook. It is spread through malicious campaigns and collects sensitive data, such as usernames, passwords, credit card numbers and other personal data, from the infected machine. Once collected, this data is sent to a remote server controlled by the attacker. Information and technical details about the Album Stealer were revealed in a report by security researchers.
The Threatening Capabilities of the Album Stealer
The name of the threat is based on the lure technique it utilizes to attract and trick unsuspecting victims - the Album Stealer masquerades as a photo album containing decoy adult images. Meanwhile, the malware performs various harmful actions in the background of the system.
The Album Stealer utilizes side-loading techniques to execute corrupted DLLs and avoid detection. It collects cookies and stored credentials from Web browsers on the victim's machine, as well as information from Facebook Ads Manager, Facebook Business accounts and Facebook API graph pages. More specifically, from these sources, the Album Stealer attempts to extract victims' account IDs, names, creation times, verification statuses, permitted roles, extended credits, billed amounts, billing periods and more. In addition, the stealer can harvest sensitive details from a range of different browsers - Chrome, Firefox, Edge, Opera and Brave.
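As an added defender-side illustration, not code from the report or its authors, the sketch below correlates two behaviours described above: a DLL side-loaded from the same user-writable directory as the executable that loaded it, followed by that process reading the credential or cookie stores of the browsers named here. The event layout, process IDs and file paths are constructed assumptions, not indicators from the report.

```python
import re

# Constructed telemetry (not from the report): simplified image-load and
# file-read events in the shape an EDR or Sysmon pipeline might emit.
EVENTS = [
    {"type": "image_load", "pid": 4100,
     "image": r"C:\Users\alice\Downloads\Album\Photos.exe",
     "module": r"C:\Users\alice\Downloads\Album\version.dll"},
    {"type": "file_read", "pid": 4100,
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "file_read", "pid": 4100,
     "path": r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x1.default\cookies.sqlite"},
    {"type": "image_load", "pid": 5200,
     "image": r"C:\Program Files\Vendor\app.exe",
     "module": r"C:\Windows\System32\version.dll"},
    {"type": "file_read", "pid": 5200, "path": r"C:\Users\alice\Documents\notes.txt"},
]

# Directories an ordinary user can write to; a DLL loaded from here beside its
# host executable is the side-loading pattern, not a normal system DLL load.
USER_WRITABLE = re.compile(r"\\(Downloads|Desktop|AppData\\Local\\Temp)\\", re.I)
# Credential and cookie stores of the browsers the stealer targets. Chromium-based
# browsers share the "Login Data"/"Cookies" layout; Firefox uses logins.json,
# cookies.sqlite and key4.db.
BROWSER_STORES = re.compile(
    r"\\(Google\\Chrome|Microsoft\\Edge|Opera Software|BraveSoftware)\\.*\\(Login Data|Cookies)$"
    r"|\\Mozilla\\Firefox\\.*\\(logins\.json|cookies\.sqlite|key4\.db)$", re.I)

def parent_dir(path):
    return path.rsplit("\\", 1)[0].lower()

def find_suspects(events):
    """Return {pid: {...}} for processes that side-loaded a DLL from a
    user-writable directory and also read a browser credential store."""
    sideloaded, stores = {}, {}
    for e in events:
        if (e["type"] == "image_load" and USER_WRITABLE.search(e["module"])
                and parent_dir(e["module"]) == parent_dir(e["image"])):
            sideloaded[e["pid"]] = e["module"]
        elif e["type"] == "file_read" and BROWSER_STORES.search(e["path"]):
            stores.setdefault(e["pid"], []).append(e["path"])
    return {pid: {"sideloaded_dll": dll, "stores_read": stores[pid]}
            for pid, dll in sideloaded.items() if pid in stores}
```

Either behaviour alone is noisy (installers side-load, browsers read their own stores); it is the combination in one process that is worth an alert.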
To mask several of its basic strings and data, the Album Stealer employs obfuscation through the ConcurrentDictionary class. Once it has collected all of the necessary information from an infected system, it sends it to a command and control server. The threat group responsible for launching these attacks is believed to be located in Vietnam.
Album Stealer's Infection Chain
The Album Stealer attacks use social engineering tactics that begin with the creation of fake Facebook profile pages containing adult images of women. These profiles are designed to entice victims into accessing a link to download an album containing the promised images. Once clicked, the link redirects victims to a corrupted zip archive carrying the malware payloads. The zip file is hosted either on Microsoft OneDrive or on a compromised website carrying such unsafe files. By downloading and opening the archive, victims unknowingly expose their systems to malware and other damaging content.