A new malware strain is in the wild that is actively targeting users to steal credentials for various platforms. Identified as CopperStealer, this malware is basically an infostealer, but it can also deliver additional payloads.
CopperStealer Malware Active In The Wild
Researchers from Proofpoint have discovered a new infostealing malware active in the wild. Dubbed CopperStealer, the data-stealing malware typically aims at pilfering users' login credentials.
The threat actors are distributing this malware via fake crack and keygen sites. People frequently visit such sites looking for a way to activate license-based software without paying for it. While such cracks and keygens often come bundled with malware and spyware, in this case a confirmed malware family is exploiting this route to spread.
On its face, the malware exhibits only basic infostealing activity that may not look like a big threat. Yet it can wreak havoc at any time, since it also carries the functionality to download additional payloads to the target system.
It also includes anti-analysis functionality to escape detection and analysis by researchers.
As for targets, CopperStealer scans saved passwords in web browsers including Google Chrome, Microsoft Edge, Mozilla Firefox, Yandex, and Opera. From these browsers it mainly looks for saved Facebook passwords. It also attempts to retrieve user access tokens in order to gather additional data from Facebook and Instagram.
Yet CopperStealer's target list is not limited to Facebook and Instagram. Numerous variants of this malware exist that target other major platforms, such as Google, Apple, Amazon, Bing, Twitter, Tumblr, and PayPal.
For all these platforms, the malware gathers user credentials and many other details from the browser in order to hijack victims' profiles, which the threat actors then use for malvertising campaigns.
A detailed technical analysis of this malware is available in the researchers' blog post.
Similarities With SilentFade
From the analysis, Proofpoint deduced that CopperStealer bears a notable resemblance to SilentFade in terms of targets and delivery methods.
SilentFade is an infamous Chinese malware family that abused Facebook to run malvertising campaigns for years. The same ecosystem also includes other malware such as FacebookRobot, Scranos, and StressPaint.
The CopperStealer campaign isn't currently active, thanks to sinkholing efforts that disrupted recent campaigns. Yet the threat that it will reappear at any time remains.
Let us know your thoughts in the comments.