Newly Discovered ‘CopperStealer’ Malware Running Unchecked Since 2019

Saturday, March 27th, 2021

A previously undocumented password and cookie stealer has been silently compromising accounts on popular Internet services such as Facebook, Apple, Amazon, and Google since 2019, then using those accounts for cybercriminal activity. Named CopperStealer, the malware behaves much like the previously discovered, China-backed malware family SilentFade, according to Proofpoint researchers.

CopperStealer belongs to the same class of malware as SilentFade and also as StressPaint, FacebookRobot and Scranos. Researchers have deemed SilentFade in particular responsible for compromising accounts on social-media giants like Facebook and then using them for cybercriminal activity, such as running deceptive ads, to the tune of $4 million in damages.

Proofpoint researchers discovered CopperStealer after they observed suspicious websites advertised as “KeyGen” or “Crack” sites (including keygenninja[.]com, piratewares[.]com, startcrack[.]com, and crackheap[.]net) hosting samples that delivered multiple malware families, CopperStealer among them.

The sites purported to offer “cracks,” “keygen” and “serials” to circumvent licensing restrictions of legitimate software, researchers noted. What they provided instead were Potentially Unwanted Programs/Applications (PUP/PUA) or malicious executables capable of installing and downloading additional payloads, they said.

In its attacks, CopperStealer retrieves a download configuration from the C2 server and uses it to extract an archive named “xldl.dat,” which appears to be a legitimate download manager called Xunlei, from Xunlei Networking Technologies Ltd., that had previously been linked to malware in 2013. CopperStealer then calls an API exposed by the Xunlei application to download the configuration for the follow-up binary, researchers wrote.

One of the payloads researchers most recently observed CopperStealer delivering is Smokeloader, a modular backdoor. Historically, however, the malware has used a variety of payloads delivered from a handful of URLs, researchers said.

Read more about how Proofpoint researchers worked to disrupt the CopperStealer malware by visiting here.