A malware that until now has gone undocumented has been quietly hijacking online accounts of advertisers and users of Facebook, Apple, Amazon, Google and other web giants since July 2019 and then using them for nefarious activity, researchers have found.
Dubbed CopperStealer, the malware acts similarly to previously discovered, China-backed malware family SilentFade, according to a report from Proofpoint researchers Brandon Murphy, Dennis Schwarz, Jack Mott and the Proofpoint Threat Research Team published online this week.
“Our investigation uncovered an actively developed password and cookie stealer with a downloader function, capable of delivering additional malware after performing stealer activity,” they wrote.
CopperStealer is in the same class not only as SilentFade (the creation of which Facebook attributed to Hong Kong-based ILikeAD Media International Company Ltd.) but also other malware such as StressPaint, FacebookRobot and Scranos. Researchers have deemed SilentFade in particular responsible for compromising accounts of social-media giants like Facebook and then using them to engage in cybercriminal activity, such as running deceptive ads, to the tune of $4 million in damages, they noted.
“Previous research from Facebook and Bitdefender has exposed a rapidly increasing ecosystem of Chinese-based malware focused on the monetization of compromised social media and other service accounts,” they wrote. “Findings from this investigation point towards CopperStealer being another piece of this everchanging ecosystem.”
Specifically, researchers analyzed a sample of the malware targeting Facebook and Instagram business and advertiser accounts. However, they also identified additional versions of CopperStealer that target other major service providers, including Apple, Amazon, Bing, Google, PayPal, Tumblr and Twitter, they said.
Proofpoint researchers discovered CopperStealer after they observed suspicious websites advertised as “KeyGen” or “Crack” sites, including keygenninja[.]com, piratewares[.]com, startcrack[.]com and crackheap[.]net, hosting samples delivering multiple malware families that included CopperStealer.
The sites purported to offer “cracks,” “keygen” and “serials” to circumvent licensing restrictions of legitimate software, researchers noted. What they provided instead were Potentially Unwanted Programs/Applications (PUP/PUA) or malicious executables capable of installing and downloading additional payloads, they said.
Proofpoint researchers worked with Facebook, Cloudflare and other service providers to disrupt and intercept CopperStealer so they could learn its ways, they said. This activity included Cloudflare “placing a warning interstitial page in front of the malicious domains and establishing a sinkhole for two of the malicious domains before they could be registered by the threat actor,” researchers wrote. The sinkhole limited threat actors’ ability to collect victim data while providing insight for researchers into victim demographics as well as the malware’s behavior and scope.
What researchers found was that although CopperStealer is not very sophisticated and has only “basic capabilities,” it can pack a punch. In the first 24 hours of operation, the sinkhole logged 69,992 HTTP requests from 5,046 unique IP addresses originating from 159 countries and representing 4,655 unique infections, they found. The top five countries impacted by the malware based on unique infections were India, Indonesia, Brazil, Pakistan and the Philippines, they said.
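As an added example (not code from the Proofpoint report), the following Python sketch shows how a sinkhole operator turns raw HTTP access logs into the kind of figures quoted above: total requests, unique IPs, unique infections and the top countries by infection. The log format, the `id=` check-in parameter used as a per-infection identifier, and the GeoIP table are constructed assumptions, not CopperStealer's real protocol.

```python
import re
from collections import Counter

# Assumed access-log shape: "<ip> - \"GET /path?id=<bot_id> HTTP/1.1\" <status>".
# The bot_id is a stand-in for whatever per-victim identifier a real sinkhole keys on.
LOG_RE = re.compile(r'^(?P<ip>\d+\.\d+\.\d+\.\d+) \S+ "GET /\S*\?id=(?P<bot>[0-9a-f]+)')

# Constructed GeoIP lookup keyed by /24 prefix (stand-in for a real GeoIP database).
GEO = {"203.0.113": "IN", "198.51.100": "BR", "192.0.2": "PH"}

# Constructed sample log: one NATed IP hosting two infections, one infection seen
# from two IPs, a repeat check-in, and a non-beacon request that must be ignored.
SAMPLE_LOG = """\
203.0.113.10 - "GET /cfg?id=aa11 HTTP/1.1" 200
203.0.113.10 - "GET /cfg?id=bb22 HTTP/1.1" 200
203.0.113.10 - "GET /cfg?id=aa11 HTTP/1.1" 200
198.51.100.7 - "GET /cfg?id=cc33 HTTP/1.1" 200
198.51.100.8 - "GET /cfg?id=cc33 HTTP/1.1" 200
192.0.2.5 - "GET /cfg?id=dd44 HTTP/1.1" 200
192.0.2.6 - "GET /cfg?id=dd44 HTTP/1.1" 200
10.9.8.7 - "GET /favicon.ico HTTP/1.1" 404
"""


def summarize(log_text):
    """Count check-ins, distinct source IPs and distinct infections, and rank
    countries by infections (not by requests, which a noisy host would skew)."""
    requests, ips, bots, country_bots = 0, set(), set(), {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # scanner noise, favicon probes, etc. are not victim traffic
        requests += 1
        ip, bot = m.group("ip"), m.group("bot")
        ips.add(ip)
        bots.add(bot)
        cc = GEO.get(ip.rsplit(".", 1)[0], "??")
        country_bots.setdefault(cc, set()).add(bot)
    top = Counter({cc: len(b) for cc, b in country_bots.items()}).most_common(5)
    return {"requests": requests, "unique_ips": len(ips),
            "unique_infections": len(bots), "top_countries": top}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

The three counts diverge exactly as in the article's numbers: repeat check-ins inflate requests, NAT collapses several infections onto one IP, and a victim changing address spreads one infection over several IPs.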
In its attacks, CopperStealer retrieves a download configuration from the C2 server that extracts an archive named “xldl.dat,” which appears to be a legitimate download manager called Xunlei from Xunlei Networking Technologies Ltd. that was previously linked to malware in 2013. CopperStealer then uses an API exposed by the Xunlei application to download the configuration for the follow-up binary, researchers wrote.
One of the payloads researchers discovered CopperStealer to deliver most recently is Smokeloader, a modular backdoor. However, historically the malware has used a variety of payloads delivered from a handful of URLs, researchers said.
Proofpoint researchers will continue to help disrupt CopperStealer’s current activities as well as monitor the threat landscape to identify and detect future evolutions of the malware, they said.