The credential-stealing malware was found on keygen and crack websites that promise to circumvent licensing restrictions on legitimate software.
IT security researchers at Proofpoint have discovered a new malware strain with widespread credential-stealing capabilities.
Aptly dubbed CopperStealer, this new strain can steal user credentials for major services such as Facebook, Amazon, Google, and Apple, apart from other mainstream online platforms.
“Our investigation uncovered an actively developed password and cookie stealer with a downloader function, capable of delivering additional malware after performing stealer activity,” researchers wrote.
CopperStealer Credential Stealing Capabilities
It is essentially a password and cookie stealer with a download feature that lets its operators deliver additional payloads to infected devices. The malware is currently in active development; the earliest known samples date from July 2019.
While investigating, Proofpoint researchers observed a sample targeting advertisers and business accounts on Facebook and Instagram. However, the researchers also identified new versions of CopperStealer that targeted PayPal, Bing, Twitter, and Tumblr.
The browsers searched by CopperStealer for saved passwords include Chrome, Edge, Yandex, Opera, and Firefox.
Suspicious KeyGen and Crack Sites Discovered
Proofpoint researchers reported that CopperStealer was identified after they found suspicious websites advertised as KeyGen or Crack sites. They examined several sites hosting samples, including crackheap[.]net, startcrack[.]com, keygenninja[.]com, and piratewares[.]com.
According to the researchers, these websites were delivering several malware families, one of which was CopperStealer. The sites promised serials, keygens, and cracks to circumvent licensing restrictions on legitimate software. Instead, they provided Potentially Unwanted Programs/Applications (PUPs/PUAs) and malicious executables that could download and install many more payloads.
CopperStealer Has Pretty Basic Capabilities
Researchers believe that CopperStealer is not very sophisticated malware because its capabilities are quite basic. Still, it poses a significant threat. In the first 24 hours of operation, the sinkhole logged more than 69,990 HTTP requests from around 5,046 unique IP addresses originating from 159 countries.
These requests represent 4,655 unique infections. The countries most affected by unique infection rate include Pakistan, India, Indonesia, the Philippines, and Brazil.
Compromised Accounts Running Malvertising Campaign
The threat actors are not just using the malware strain to hijack new accounts; they are also using the compromised accounts to run malicious ads as part of malvertising campaigns.
Proofpoint collaborated with Facebook and Cloudflare in its investigation to assess the malware's disruptive capabilities. According to Proofpoint's blog post, Cloudflare placed a warning interstitial page on the malicious domains and sinkholed two domains before the threat actor could register them.
CopperStealer Shares Sharp Similarities with SilentFade
Proofpoint states that the targeting and delivery method used by CopperStealer closely resembles that of the Chinese malware family SilentFade, which Facebook first reported in 2019.
SilentFade caused around $4m in damages at the time. Proofpoint's research revealed that CopperStealer falls within the same class of malware as Scranos, StressPaint, SilentFade, and FacebookRobot, but had remained undocumented until now, said researchers Brandon Murphy, Dennis Schwarz, Jack Mott, and the Proofpoint Threat Research Team.
The researchers believe that CopperStealer is another piece of this 'ever-changing ecosystem.'
“Previous research from Facebook and Bitdefender has exposed a rapidly increasing ecosystem of Chinese-based malware focused on the monetization of compromised social media and other service accounts. Findings from this investigation point towards CopperStealer being another piece of this ever-changing ecosystem.”