Proofpoint researchers report that previously undocumented malware, distributed via fake software crack sites, targets the users of major service providers to steal their accounts, including Google, Amazon, Facebook, and Apple.
The operators of the malware, dubbed CopperStealer by Proofpoint researchers, use the compromised accounts to run malvertising campaigns and deliver additional malware. The malware is classified as a password and cookie stealer with a download feature that allows the attackers to deliver additional payloads to infected devices.
“While we analyzed a sample that targets Facebook and Instagram business and advertiser accounts, we also identified additional versions that target other major service providers, including Apple, Amazon, Bing, Google, PayPal, Tumblr and Twitter,” Proofpoint reported yesterday.
CopperStealer tries to steal passwords saved in the victim’s web browsers, such as Google Chrome, Edge, Firefox, Yandex, and Opera. It also steals user cookies to retrieve the victims’ Facebook User Access Token. This allows the attackers to collect additional context, including the victim’s list of friends, ad accounts, and a list of their Facebook pages.
The second-stage malware dropped later includes various malicious payloads downloaded from several URLs, one of which is the modular Smokeloader backdoor.
Image: Proofpoint – CopperStealer Facebook and Instagram requests
Attackers distribute CopperStealer both on fake software crack sites and popular malware distribution platforms such as keygenninja[.]com, piratewares[.]com, startcrack[.]com, and crackheap[.]net.
Proofpoint worked with Cloudflare and other service providers to set up interstitials for these domains to warn visitors of their malicious nature, although they didn’t always work according to BleepingComputer’s tests.
Two of the sites were sinkholed by Cloudflare after discovering they delivered malware and Potentially Unwanted Programs/Applications (PUP/PUA) software.
Sinkholing is a technique that redirects traffic destined for a malicious domain to a server that defenders control; security professionals often use it to analyze malicious traffic, measure the size of an infected population, and mitigate attacks.
“In the first 24 hours of operation, the sinkhole logged 69,992 HTTP Requests from 5,046 unique IP addresses originating from 159 countries representing 4,655 unique infections,” Proofpoint shared.
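The counts Proofpoint quotes above (requests, unique IPs, countries, infections) are the kind of summary a defender derives from a sinkhole’s web server log. The script below is an added example, not Proofpoint’s or Cloudflare’s tooling: it parses a few constructed log lines in common log format, and it assumes a hypothetical `id` query parameter that each infected host sends so that two bots behind one NAT address can be told apart (the article does not say how Proofpoint distinguished infections from IP addresses). The IP-prefix-to-country table is also constructed; a real sinkhole would consult a GeoIP database.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample log (common log format). Not real sinkhole data;
# the /gate.php path and the "id" parameter are hypothetical.
SAMPLE_LOG = """\
203.0.113.10 - - [18/Mar/2021:10:00:01 +0000] "GET /gate.php?id=a1b2 HTTP/1.1" 200 0
203.0.113.10 - - [18/Mar/2021:10:00:31 +0000] "GET /gate.php?id=a1b2 HTTP/1.1" 200 0
198.51.100.7 - - [18/Mar/2021:10:01:00 +0000] "GET /gate.php?id=c3d4 HTTP/1.1" 200 0
198.51.100.7 - - [18/Mar/2021:10:01:05 +0000] "GET /gate.php?id=e5f6 HTTP/1.1" 200 0
192.0.2.55 - - [18/Mar/2021:10:02:00 +0000] "GET /gate.php HTTP/1.1" 200 0
this line is not a valid log record
"""

# Constructed IP-prefix to country table (hypothetical stand-in for GeoIP).
GEO = {"203.0.113.": "AA", "198.51.100.": "BB", "192.0.2.": "AA"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def country_of(ip, geo=GEO):
    """Map a source IP to a country code via the prefix table; '??' if unknown."""
    for prefix, cc in geo.items():
        if ip.startswith(prefix):
            return cc
    return "??"


def parse_line(line):
    """Parse one common-log-format line; return None for malformed input."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    query = parse_qs(urlsplit(rec["target"]).query)
    # Hypothetical per-bot identifier; absent on some requests.
    rec["bot_id"] = query.get("id", [None])[0]
    return rec


def summarize(log_text, geo=GEO):
    """Aggregate sinkhole traffic into the figures an analyst reports."""
    requests = malformed = 0
    ips = set()
    ips_per_country = Counter()   # unique source IPs seen per country
    infections = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            malformed += 1            # keep count; never crash on junk
            continue
        requests += 1
        ip = rec["ip"]
        if ip not in ips:
            ips.add(ip)
            ips_per_country[country_of(ip, geo)] += 1
        # One infection per bot id; fall back to the IP when no id is sent.
        infections.add(rec["bot_id"] or ip)
    return {
        "requests": requests,
        "unique_ips": len(ips),
        "countries": len(ips_per_country),
        "unique_infections": len(infections),
        "malformed": malformed,
        "ips_per_country": dict(ips_per_country),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed sample this reports 5 requests from 3 unique IPs in 2 countries and 4 unique infections, with one malformed line skipped; the “unique infections” figure exceeds the IP count because one address carries two bot ids, which is why a beacon identifier, when the malware sends one, gives a better population estimate than source IPs alone.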
CopperStealer operators are trying to get their hands on logins for big service providers, such as social media and search engine accounts, to spread additional malware and perform other attacks. They can also sell these credentials on the dark web.
Researchers advise that users turn on two-factor authentication as an added layer of protection against such account theft attempts.