Recently, a security firm released a detailed report about a new thief in town: an account-stealing malware that spreads via fake software crack sites. Its operators are using it to harvest account credentials for services run by several global giants, such as Google and Apple.
In January, a Twitter user named TheAnalyst shared a sample of the malware with Proofpoint researchers to investigate further. The investigation revealed several interesting aspects about the ongoing malicious activity of CopperStealer.
- It is spreading via fake software crack sites and known malware distribution platforms, such as keygenninja[.]com, startcrack[.]com, piratewares[.]com, and crackheap[.]net.
- The stealer has several versions that target major IT giants and service providers, including Apple, Amazon, Bing, Google, Tumblr, Twitter, Facebook, and PayPal.
- It works by collecting passwords stored in web browsers such as Chrome, Firefox, Yandex, Opera, and Edge.
- Furthermore, it can steal victims' Facebook User Access Tokens via stolen cookies and use them to gather additional context, such as a list of friends, advertising account details, and a list of accessible Facebook pages.
- Moreover, several other malware families, such as the SmokeLoader backdoor, are dropped via CopperStealer's downloader module.
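One defensive check that follows directly from the list above is to look for contact with the named distribution sites in web proxy logs. The example below is added here and is not part of the report; it refangs the `[.]`-style domains quoted above, then flags any log entry whose URL host is one of those domains or a subdomain of them (a host that merely ends in the same letters, such as `notcrackheap.net`, is deliberately not matched). The log line format and the sample lines are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Distribution domains named in the report, in the defanged form used above.
DEFANGED_DISTRIBUTION_DOMAINS = [
    "keygenninja[.]com",
    "startcrack[.]com",
    "piratewares[.]com",
    "crackheap[.]net",
]

def refang(domain: str) -> str:
    """Turn a defanged indicator such as 'example[.]com' back into 'example.com'."""
    return domain.replace("[.]", ".").strip().lower()

WATCHLIST = {refang(d) for d in DEFANGED_DISTRIBUTION_DOMAINS}

def host_matches(host: str) -> bool:
    """True if host is a watch-listed domain or one of its subdomains (case-insensitive)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in WATCHLIST)

# Constructed sample proxy log (hypothetical format: "<timestamp> <src_ip> <method> <url>").
SAMPLE_PROXY_LOG = """\
2021-03-22T10:01:05Z 10.0.0.12 GET https://www.example.org/index.html
2021-03-22T10:02:17Z 10.0.0.12 GET http://keygenninja.com/download/crack.zip
2021-03-22T10:03:44Z 10.0.0.31 GET https://cdn.startcrack.com/setup.exe
2021-03-22T10:04:09Z 10.0.0.45 GET https://notcrackheap.net/page
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+)$")

def find_hits(log_text: str) -> list:
    """Return one record per log entry whose URL host is on the watch list."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        host = urlsplit(m.group("url")).hostname or ""
        if host_matches(host):
            hits.append({"ts": m.group("ts"), "src": m.group("src"), "host": host})
    return hits

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_PROXY_LOG):
        print(f"{hit['ts']} {hit['src']} contacted {hit['host']}")
```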
Connection with SilentFade malware
Proofpoint researchers have put CopperStealer within the same class of malware as StressPaint, SilentFade, FacebookRobot, and Scranos.
- Recent reports indicate that CopperStealer's targeting and delivery mechanism resemble those of a known malware dubbed SilentFade.
- Back in 2019, Facebook had attributed the SilentFade malware to the Hong Kong-based ILikeAD Media International Company Ltd.
- This malware was used to steal browser cookies and serve malicious ads via compromised Facebook accounts.
Account credentials for major service providers have considerable financial value, as they can be sold at a handsome price on underground forums. In addition, these credentials can be used to gain unauthorized access inside a targeted network. Therefore, it is important to stay protected by limiting unnecessary access to accounts and implementing MFA.