Since July 2019, a previously undocumented login and cookie stealer has been harvesting the credentials of users of major web services such as Facebook, Apple, Amazon, and Google, and then exploiting the hijacked accounts for cybercrime. Researchers found that the malware, which went unnoticed until now, has been quietly taking over the online profiles of advertisers and ordinary users of Facebook, Apple, Amazon, Google, and other web giants and using them for malicious operations.
According to a paper published online this week by Proofpoint researchers Brandon Murphy, Dennis Schwarz, Jack Mott, and the Proofpoint Threat Analysis Team, the malware, called CopperStealer, behaves similarly to the previously found, China-backed malware family SilentFade. They wrote, “Our investigation uncovered an aggressively built password and cookie stealer with a downloader feature, capable of distributing additional malware after stealing data.”
CopperStealer is in the same class as SilentFade, which Facebook attributes to ILikeAD Media International Company Ltd of Hong Kong, as well as other malware including StressPaint, FacebookRobot, and Scranos. Researchers have blamed SilentFade in particular for hijacking Facebook profiles and then using them for cybercriminal activity, such as running misleading advertising, resulting in $4 million in damages. “Previous Facebook and Bitdefender analysis has uncovered an increasingly growing network of Chinese-based malware focusing on monetizing hacked social media and other service accounts,” they wrote. “The findings of this inquiry point to CopperStealer being a part of this ever-changing ecosystem.”
Researchers examined a sample of the malware that specifically targeted Facebook and Instagram business and advertiser accounts. They also found additional CopperStealer variants that target other large service providers, including Apple, Amazon, Bing, Google, PayPal, Tumblr, and Twitter. Proofpoint researchers first identified CopperStealer after finding samples that delivered several malware families, CopperStealer among them, from dubious websites branded as “KeyGen” or “Crack” sites, such as keygenninja[.]com, piratewares[.]com, startcrack[.]com, and crackheap[.]net.
According to the researchers, the pages claimed to offer “cracks,” “keygen,” and “serials” for bypassing software licensing restrictions. Instead, they said, the sites delivered Potentially Unwanted Programs/Applications (PUP/PUA) or malicious executables that ran on the victim's machine and downloaded further payloads.
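The report publishes the distribution domains in defanged form (`keygenninja[.]com` and so on). A defender's first practical use of such indicators is to refang them and check internal DNS or proxy logs for past contact. The following is an added example (not code from the article or from Proofpoint) that does exactly that: it normalizes the defanged domains, then scans a small constructed DNS log and reports which hosts resolved a listed domain or one of its subdomains. The log format, the field names and the source IPs are assumptions made for the example.

```python
"""Refang defanged IoC domains and match them against DNS query logs."""
import re

# Distribution domains exactly as they appear (defanged) in the article.
REPORTED_DOMAINS = [
    "keygenninja[.]com",
    "piratewares[.]com",
    "startcrack[.]com",
    "crackheap[.]net",
]


def refang(indicator: str) -> str:
    """Turn common defanging ('example[.]com', 'hxxp://') back into a real value."""
    value = indicator.strip().lower()
    for defanged in ("[.]", "(.)", "[dot]"):
        value = value.replace(defanged, ".")
    # hxxp:// and hxxps:// are the usual URL-scheme defangings.
    value = re.sub(r"^hxxps?://", lambda m: m.group(0).replace("xx", "tt"), value)
    return value


def matches_domain(hostname: str, blocked: str) -> bool:
    """True if hostname equals the blocked domain or is a subdomain of it.

    Comparing on a label boundary avoids false positives such as
    'notcrackheap.net' matching 'crackheap.net'.
    """
    return hostname == blocked or hostname.endswith("." + blocked)


# Assumed log format: "<timestamp> <client-ip> query <qname>" (one record per line).
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) query (?P<qname>\S+)$")


def scan_dns_log(lines, indicators):
    """Return a list of hits: which line, which client, and which IoC matched."""
    blocklist = {refang(i) for i in indicators}
    hits = []
    for number, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # skip records that do not fit the assumed format
        qname = m.group("qname").lower().rstrip(".")  # strip trailing root dot
        for blocked in blocklist:
            if matches_domain(qname, blocked):
                hits.append({"line": number, "src": m.group("src"),
                             "qname": qname, "ioc": blocked})
                break
    return hits


# Constructed sample log: two true hits, one near-miss, one malformed line.
SAMPLE_LOG = [
    "2021-03-18T10:01:02Z 10.0.0.12 query www.example.org",
    "2021-03-18T10:01:07Z 10.0.0.12 query cdn.keygenninja.com.",
    "2021-03-18T10:02:11Z 10.0.0.45 query notcrackheap.net",
    "2021-03-18T10:02:30Z 10.0.0.45 query startcrack.com",
    "this line is not a DNS record",
]

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG, REPORTED_DOMAINS):
        print(f"line {hit['line']}: {hit['src']} resolved {hit['qname']} (IoC {hit['ioc']})")
```

A hit in historical logs shows only that a host reached a distribution site, not that the payload ran; it is a lead for triage of that host, not a verdict. The same matching logic applies unchanged to proxy or firewall logs once the field layout is adjusted.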
Proofpoint researchers collaborated with Facebook, Cloudflare, and other service providers to disrupt and intercept CopperStealer so they could study its behavior. They wrote that Cloudflare “placed an alert interstitial page in front of the malicious domains and created a sinkhole for two of the malicious domains before the threat actor could file them.” The sinkhole hindered the threat actors’ ability to collect victim data while giving researchers visibility into victim profiles, the malware’s actions, and the scale of the campaign.
CopperStealer, the researchers learned, is not very advanced and has only “basic skills,” but it packs a punch. In its first 24 hours of operation the sinkhole logged 69,992 HTTP requests from 5,046 unique IP addresses in 159 countries, representing 4,655 unique infections. India, Indonesia, Brazil, Pakistan, and the Philippines were the top five countries by unique infections. CopperStealer also retrieves a download configuration from its command-and-control (C2) server and fetches an archive called “xldl.dat,” which appears to be a legitimate download manager called Xunlei from Xunlei Networking Technologies Ltd., software that was previously linked to malware in 2013. CopperStealer then uses an API exposed by the Xunlei program to install the configuration for the follow-up binary, according to the researchers.
Smokeloader, a modular backdoor, is one of the most recent payloads researchers have seen CopperStealer deliver. According to the researchers, the malware has previously dropped a range of payloads fetched from a small number of URLs. The disruption effort will interrupt CopperStealer’s existing operations, and Proofpoint researchers will continue to monitor the threat landscape to recognize and detect possible evolutions of the malware, they added.