Cybersecurity researchers discovered a new malware making rounds online via fake software sites that targeted popular service providers like Facebook, Google, Instagram, Amazon, and Apple. The undocumented malware, dubbed CopperStealer, is a specially crafted credentials and cookies stealer with a downloader that installs additional malicious payloads on targeted browsers.
Possible Links to Chinese Hackers
According to an investigation from ProofPoint, CopperStealer operates similar to SilentFade malware, which is linked to Chinese hackers that targeted Facebook’s ad platform between late 2018 and February 2019. “Proofpoint believes CopperStealer to be a previously undocumented family within the same class of malware as SilentFade, StressPaint, FacebookRobot, and Scranos,” Proofpoint said.
How CopperStealer Spreads
It was found that threat actors behind the CopperStealer malware campaign are leveraging compromised accounts to run malicious ads and deliver additional malware on targeted sources.
The researchers identified certain suspicious websites, advertised as KeyGen, Crack, keygenninja, piratewares, startcrack, and crackheap, which hosted CopperStealer malware samples. All these sites have advertised themselves as software crack services to evade licensing restrictions and ultimately provide Potentially Unwanted Programs/Applications (PUP/PUA) or run malicious exploits to install additional malware payloads.
Proofpoint’s researchers stated that CopperStealer malware can find and send saved browser passwords. The multiple browsers searched by malware operators to get Facebook saved credentials are:
- Chrome
- Edge
- Yandex
- Opera
- Firefox
Once downloaded, CopperStealer sends the exfiltrated data to the C2 server via a POST request to several targeted URIs. The exfiltrated data is then stored in the info key and is encrypted in the C2 Traffic encryption section.
“In addition to the saved browser passwords, the malware uses stored cookies to retrieve a User Access Token from Facebook. Once the User Access Token is gathered, the malware requests several API endpoints for Facebook and Instagram to gather additional context, including a list of friends, any advertisement accounts configured for the user, and a list of pages the user has been granted access to,” Proofpoint explained.
Malware Analysis
The CopperStealer malware used various basic anti-analysis techniques to avoid running within researcher systems. These include:
- IsDebuggerPresent() check
- GetSystemDefaultLCID() == 0x804 (Chinese (Simplified, PRC) zh-CN) check
- Window/class enumeration looking for common analysis tools:
- TCPViewClass
- TStdHttpAnalyzerForm
- HTTP Debugger
- Telerik Fiddler
- ASExplorer
- Charles
- Burp Suite
- Device enumeration looking for indicators of virtualization
- VMware
- virtual
- vbox
“While CopperStealer isn’t the most nefarious credential/account stealer in existence, it goes to show that even with basic capabilities, the overall impact can be large. Findings from this investigation point towards CopperStealer being another piece of this ever-changing ecosystem. CopperStealer’s active development and use of DGA based C2 servers demonstrate operational maturity as well as redundancy,” Proofpoint added.
