Researchers at Proofpoint have published a report detailing a newly discovered piece of malware that attempts to steal account information for popular service providers, including Google, Facebook, Amazon, and Apple. Not only can the malware steal account passwords and cookies, it can also drop other malware onto the infected device. Called CopperStealer, the malware is being used by threat actors to push other strains of malware through malvertising campaigns.
The malware was discovered on 29 January 2021, when a Twitter user, TheAnalyst, shared a malware sample with Proofpoint that triggered the company's detection systems. Following an investigation, the malware was found to have password- and cookie-stealing capabilities along with a downloader that could be used to drop other malware strains onto infected devices. The investigation also uncovered samples dating back to July 2019, indicating that the malware has been in development for some time. According to the researchers, the sample analyzed targeted Facebook and Instagram advertisers; earlier samples, however, were capable of targeting users of other major service providers, including Apple, Amazon, Bing, Google, PayPal, Tumblr, and Twitter.
CopperStealer's main functionality, stealing passwords and cookies, is implemented by harvesting the credentials saved in the Google Chrome, Edge, Firefox, Yandex, and Opera web browsers.
The stolen cookies are then used to retrieve the victim's Facebook User Access Token, which the malware uses to collect additional context about the account: the victim's friend list, advertising account information, and the list of Facebook pages the victim can access. Researchers noted that,
“While CopperStealer isn't the most nefarious credential/account stealer in existence, it goes to show that even with basic capabilities, the overall impact can be large. Previous research from Facebook and Bitdefender has exposed a rapidly increasing ecosystem of Chinese-based malware focused on the monetization of compromised social media and other service accounts. Findings from this investigation point towards CopperStealer being another piece of this ever-changing ecosystem. CopperStealer’s active development and use of DGA based C2 servers demonstrates operational maturity as well as redundancy. After sinkholing activities helped disrupt CopperStealer's current activities, we will continue to monitor the threat landscape to identify and detect future evolutions of this malware.”
While the malware may be deemed to lack sophistication, it is effective and even includes several basic anti-analysis techniques to avoid running on researcher systems. The malware is distributed mainly through fake software crack sites, including keygenninja[.]com, piratewares[.]com, startcrack[.]com, and crackheap[.]net. These sites advertise themselves as generating the serial keys used to activate legitimate software packages; the generated keys are used to circumvent the license restrictions placed on products to prevent piracy. Such sites are frequently used to distribute everything from potentially unwanted programs, like adware, to more dangerous malware, including ransomware.
Given that the main distribution method was through these software crack sites, two responses were available: interstitial warnings on the distribution sites, and sinkholing of the malware's command-and-control (C2) domains. With the assistance of Facebook, Cloudflare, and other service providers, warnings could be shown as soon as visitors accessed a site, stating that the site is being used for malicious purposes. The effectiveness of that tactic is debatable, as visitors looking for cracked serial numbers may not be concerned about other malicious activity on the website. Sinkholing works differently: the domains the malware contacts to hand over stolen data and fetch instructions are pointed at servers controlled by researchers, so infected machines reach the sinkhole instead of the attacker's infrastructure, which cuts off the flow of victim data and gives defenders a count of the infections. Researchers noted,
“This sinkhole, a method of concurrently limiting the actor’s ability to collect victim data while enabling researchers to gain visibility into victim demographics, provided valuable insight into the malware’s behavior and scope. In the first 24 hours of operation, the sinkhole logged 69,992 HTTP Requests from 5,046 unique IP addresses originating from 159 countries representing 4,655 unique infections. The top five countries based on unique infections were India, Indonesia, Brazil, Pakistan and The Philippines. After approximately 28 hours of operating the sinkhole, the amount of traffic declined sharply. At the same time, it was observed that CopperStealer was no longer being distributed via the keygenninja[.]com website.”
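The figures in the quote above (requests, unique IPs, unique infections, top countries, and the drop-off after roughly 28 hours) all come from parsing the sinkhole's request log. The following is an added example, not Proofpoint's code, showing how those statistics are derived; it assumes a constructed log format of `<ISO timestamp> <client IP> <ISO country code> <request path>` and assumes the malware identifies each infected host with a `bot=` query parameter (neither of which the report states). It counts unique infections from that identifier rather than from IP addresses, since NAT hides several infections behind one address and DHCP moves one infection across several.

```python
"""Summarise beacon traffic captured by a sinkhole (added example, not Proofpoint's code).

Assumed log format (not from the report):
    <ISO timestamp> <client IP> <ISO country code> <request path>
Assumed beacon format (not from the report): the bot identifies itself with a
'bot=' query parameter. Requests without it (scanners, browsers hitting the
sinkhole) are counted as requests but not as infections.
"""
from collections import Counter, defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines, not real sinkhole data. 198.51.100.7 carries two
# infections behind NAT; bot 5d1e beacons from two addresses in the same country.
SAMPLE_LOG = """\
2021-03-01T00:01:10Z 203.0.113.5 IN /gate.php?bot=a1f3&v=2
2021-03-01T00:01:41Z 203.0.113.5 IN /gate.php?bot=a1f3&v=2
2021-03-01T00:02:05Z 198.51.100.7 ID /gate.php?bot=77c0&v=2
2021-03-01T00:02:09Z 198.51.100.7 ID /gate.php?bot=9be2&v=2
2021-03-01T01:10:00Z 192.0.2.44 BR /gate.php?bot=5d1e&v=2
2021-03-01T01:12:30Z 192.0.2.45 BR /gate.php?bot=5d1e&v=2
2021-03-01T02:00:00Z 203.0.113.9 PK /gate.php?bot=0c4a&v=2
2021-03-01T02:05:00Z 203.0.113.9 PK /favicon.ico
"""


def parse_line(line):
    """Split one log line into (datetime, ip, country, bot_id or None)."""
    ts, ip, country, path = line.split(maxsplit=3)
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    bot = parse_qs(urlsplit(path).query).get("bot", [None])[0]
    return when, ip, country, bot


def summarise(log_text):
    """Return request, address, infection and country statistics for a capture."""
    requests = 0
    ips = set()
    bots = set()
    country_bots = defaultdict(set)   # country -> set of bot ids (unique infections)
    per_hour = Counter()              # hour bucket -> requests, to spot the decline
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, ip, country, bot = parse_line(line)
        requests += 1
        ips.add(ip)
        per_hour[when.strftime("%Y-%m-%dT%H")] += 1
        if bot is None:
            continue   # not a beacon, so not evidence of an infection
        bots.add(bot)
        country_bots[country].add(bot)
    ranked = sorted(country_bots.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return {
        "requests": requests,
        "unique_ips": len(ips),
        "unique_infections": len(bots),
        "countries": len(country_bots),
        "top_countries": [country for country, _ in ranked],
        "per_hour": dict(per_hour),
    }


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed sample the address count (5) and the infection count (5) happen to agree, but for different reasons: one NATed address hides two bots while one bot appears from two addresses. Reporting both numbers, as the quote does, is what lets a reader judge how much of the gap is NAT.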
SmokeLoader and SilentFade
In some instances, once CopperStealer had finished stealing password and cookie information, its downloader was used to drop SmokeLoader. Typically classified as a backdoor trojan, the malware has evolved over the years to incorporate several modules that expand its functionality. The malware first appeared in 2013 and has since grown into an entire family with numerous versions and additions. Some sources suggest that it was being sold on underground hacking forums as early as 2011, making SmokeLoader a true veteran in a field where new strains are discovered frequently. In 2019 researchers observed a resurgence of the malware, which aligns with Proofpoint's discovery of early CopperStealer samples dating to the same period.
The resurgence came with a new version that boasted better anti-analysis capabilities, including improved anti-hooking. Hooking is a technique used by anti-virus and EDR products to intercept the calls an application makes to operating-system and library functions: a small jump is written over the first instructions of the monitored function so that every call passes through the security product before reaching the real code. If a call is deemed suspicious it can be traced, and if it is determined to be malicious the product can begin to remediate the threat. Anti-hooking tactics are the measures malware takes to detect and bypass that interception, for example by checking a function's first bytes for an unexpected jump, restoring the original bytes from the copy of the DLL on disk, or avoiding the hooked library altogether. In the instances where SmokeLoader was dropped after CopperStealer, the threat actors could use the former to create a backdoor onto the system, granting them persistent access to the victim's machine.
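The check described above, looking at a function's first bytes for a planted jump, is small enough to show in full. The block below is an added example written for this article, not code from SmokeLoader, CopperStealer or any security product; the prologues it classifies are constructed byte strings, and the `read_prologue` helper (which uses `ctypes` to read a real export's first bytes) only does anything on Windows. Treat the trampoline patterns as a heuristic: comparing against a trusted copy of the same bytes is the stronger test, and that is what `is_hooked` falls back on.

```python
"""Detect a user-mode inline hook on a function prologue (added example, not malware or vendor code).

Security products hook an API by overwriting its first instructions with a jump
into their own module. The patterns below are the common x86/x64 trampolines;
anything else is treated as clean, so pair the signature check with a byte
comparison against the DLL on disk whenever that copy is available.
"""
import struct
import sys

# Constructed prologues, not captured from any real product:
CLEAN_X64 = bytes.fromhex("4c8bd1b855000000")                   # mov r10,rcx ; mov eax,55h  (ntdll-style stub)
CLEAN_X86 = bytes.fromhex("8bff558bec")                         # mov edi,edi ; push ebp ; mov ebp,esp
HOOKED_JMP_REL32 = bytes.fromhex("e912345678909090")            # jmp rel32
HOOKED_JMP_IND = bytes.fromhex("ff25000000004142")              # jmp [rip+disp32]
HOOKED_MOV_JMP = bytes.fromhex("48b80011223344556677ffe0")      # mov rax,imm64 ; jmp rax
HOOKED_PUSH_RET = bytes.fromhex("6844332211c3")                 # push imm32 ; ret


def hook_kind(prologue):
    """Return a description of the trampoline at the start of `prologue`, or None if none is recognised."""
    p = prologue
    if len(p) >= 5 and p[0] == 0xE9:
        (rel,) = struct.unpack_from("<i", p, 1)       # signed 32-bit displacement
        return f"jmp rel32 ({rel:+#x})"
    if len(p) >= 2 and p[0] == 0xEB:
        return "jmp rel8"
    if len(p) >= 6 and p[0] == 0xFF and p[1] == 0x25:
        return "jmp [rip+disp32] (absolute indirect)"
    if len(p) >= 12 and p[:2] == b"\x48\xb8" and p[10:12] == b"\xff\xe0":
        return "mov rax, imm64 ; jmp rax"
    if len(p) >= 6 and p[0] == 0x68 and p[5] == 0xC3:
        return "push imm32 ; ret"
    return None


def is_hooked(prologue, reference=None):
    """True if a trampoline is recognised or the bytes differ from a trusted copy.

    `reference` is the same prologue read from the module on disk; pass None to
    rely on the signature check alone.
    """
    if hook_kind(prologue) is not None:
        return True
    return reference is not None and prologue[:len(reference)] != reference


def read_prologue(dll, export, length=16):
    """Read the first bytes of an exported function in this process (Windows only).

    Resolves the export through ctypes and reads process memory; returns None on
    other platforms so the module still imports there.
    """
    if not sys.platform.startswith("win"):
        return None
    import ctypes
    func = getattr(ctypes.WinDLL(dll), export)
    addr = ctypes.cast(func, ctypes.c_void_p).value
    return ctypes.string_at(addr, length)


if __name__ == "__main__":
    for name, blob in [("clean x64", CLEAN_X64), ("clean x86", CLEAN_X86),
                       ("jmp rel32", HOOKED_JMP_REL32), ("mov/jmp", HOOKED_MOV_JMP)]:
        print(f"{name:10s} hooked={is_hooked(blob)} kind={hook_kind(blob)}")
    live = read_prologue("ntdll", "NtCreateFile")   # None unless running on Windows
    if live is not None:
        print("ntdll!NtCreateFile:", live.hex(), "->", hook_kind(live))
```

The `if __name__` section is the stand-alone demonstration; on a Windows host it additionally prints the live prologue of `ntdll!NtCreateFile`, which is exactly the kind of export a product hooks and a loader like SmokeLoader inspects.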
Proofpoint researchers noted that CopperStealer has much in common with another information stealer discovered by Facebook researchers, called SilentFade. That malware was discovered in late 2018 and was named for how silently it ran Facebook ads. Similar in distribution method to CopperStealer, SilentFade is bundled with other potentially unwanted programs (PUPs). Researchers stated,
“SilentFade consists of three to four components, with the primary downloader component being included in PUP bundles. The downloader application either downloads a standalone malware component or a Windows service installed as either ‘AdService’ or ‘HNService’. The service is responsible for persistence across reboots and for dropping 32-bit and 64-bit version DLLs (usually as winhttp.dll or winmm.dll) in Chrome’s application directory. This is done for the purpose of DLL hijacking so that the malicious DLL is loaded by Chrome in place of the real winhttp.dll. The DLL proxies all requests to the real winhttp.dll but makes requests to facebook.com through the Chrome process, evading dynamic behaviour-based anti-malware detection by mimicking innocuous network requests.”
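The persistence mechanism in the quote above leaves an easy artifact to hunt for: a DLL whose name belongs in `System32` sitting in an application's own directory. The following is an added example, not Facebook's or Proofpoint's code, that walks an application directory and reports any such planted DLLs with their SHA-256; the list of system DLL names and the throwaway directory tree it builds for demonstration are both constructed for this page.

```python
"""Hunt for system DLL names planted in an application directory (added example, not from the SilentFade or CopperStealer research).

SilentFade dropped winhttp.dll / winmm.dll beside chrome.exe so the loader's
search order would pick the planted copy before the real one in System32. A
copy of such a DLL inside an application directory is therefore suspicious on
its own, before any signature or hash check.
"""
import hashlib
import tempfile
from pathlib import Path

# Names normally loaded from %SystemRoot%\System32 that are popular sideloading
# targets. Constructed list: extend it from the application's own manifest.
SYSTEM_DLL_NAMES = {"winhttp.dll", "winmm.dll", "version.dll", "dbghelp.dll",
                    "wtsapi32.dll", "cryptbase.dll", "userenv.dll"}


def find_planted_dlls(app_dir, system_names=SYSTEM_DLL_NAMES):
    """Return sorted [(path, sha256)] for files under app_dir whose names belong to the system directory."""
    hits = []
    for path in Path(app_dir).rglob("*"):
        # Windows file names are case-insensitive, so normalise before matching.
        if path.is_file() and path.name.lower() in system_names:
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            hits.append((str(path), digest))
    return sorted(hits)


def build_demo_tree():
    """Create a throwaway tree imitating a Chrome install with one planted DLL (constructed input)."""
    root = Path(tempfile.mkdtemp(prefix="chrome_demo_"))
    app = root / "Google" / "Chrome" / "Application"
    (app / "demo_version").mkdir(parents=True)
    stub = b"MZ" + b"\0" * 62                       # placeholder PE header, not a real binary
    (app / "chrome.exe").write_bytes(stub)
    (app / "demo_version" / "chrome.dll").write_bytes(stub)
    (app / "WinHTTP.dll").write_bytes(stub + b"proxy")   # the SilentFade-style planted DLL
    return str(app)


if __name__ == "__main__":
    for path, digest in find_planted_dlls(build_demo_tree()):
        print(f"planted DLL: {path}  sha256={digest}")
```

Point `find_planted_dlls` at the real `Google\Chrome\Application` directory (or any other application directory) on a suspect host; on Windows, follow up on each hit by checking its Authenticode signature and comparing the hash with the copy in `System32`, since a legitimately signed duplicate is rare and an unsigned one is the SilentFade pattern.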
Once installed, the malware steals Facebook credentials and cookies from various browser credential stores, including Internet Explorer, Chrome, and other Chromium-based browsers; support for Firefox was added only later. Once the credentials were stolen, metadata about the Facebook account (such as payment information and the total amount previously spent on Facebook ads) was retrieved using the Facebook Graph API and sent back to the malware's command-and-control servers. This is done so that SilentFade can use the victim's payment method, whether credit card, bank account, or PayPal account, to run malicious ads on Facebook.
Both CopperStealer and SilentFade have been determined to be of Chinese origin and are believed to form part of a trend in Chinese malware focused on stealing credentials and abusing popular platforms' advertising services. Both strains also employ several techniques to maintain persistence, avoid detection, and hinder analysis. As the researchers pointed out, detecting web-based account compromise is difficult, with said researchers stating,
“Malware-driven account compromise is challenging for any web-based platform to detect, especially when the malware executes on a previously known clean device, using legitimate session tokens from a previously known clean IP address. In addition, while technologies such as multi-factor authentication provide an additional layer of security (especially against phishing and credential stuffing attacks), malware compromise leads to most users being unaware that session theft bypassed all multi-factor controls, giving them a false sense of security. It is no surprise that malware is shifting away from credential theft to cookie theft for this very reason.”
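A stolen cookie survives multi-factor authentication because it was minted after MFA already succeeded, which is why the quote above describes the shift from credential theft to cookie theft. What a platform can still observe is the same session later being presented from a client that differs from the one that established it. The following is an added example, not code from Facebook or Proofpoint, of that server-side check run over constructed session logs; the log format (`<ISO timestamp> <session id> <client IP> <ASN> "<user agent>"`) and the ten-minute interleaving window are assumptions made for the example.

```python
"""Flag session cookies replayed from a different client (added example, not from the report).

Assumed log format (constructed for this example):
    <ISO timestamp> <session id> <client IP> <ASN> "<user agent>"
Three signals are combined: a changed user agent, a changed network (ASN), and
interleaved use from two addresses within a short window. A plain address
change hours later is left alone, since mobile and DHCP clients do that.
"""
import shlex
from datetime import datetime, timedelta

# Constructed sample: session s1 is replayed once from a scripted client on a
# different network between two legitimate requests; s2 just changes address.
SAMPLE_AUTH_LOG = """\
2021-03-01T09:00:00Z s1 203.0.113.5 AS64496 "Mozilla/5.0 (Windows NT 10.0) Chrome/89.0"
2021-03-01T09:05:00Z s1 203.0.113.5 AS64496 "Mozilla/5.0 (Windows NT 10.0) Chrome/89.0"
2021-03-01T09:06:00Z s1 198.51.100.23 AS64500 "python-requests/2.25.1"
2021-03-01T09:07:00Z s1 203.0.113.5 AS64496 "Mozilla/5.0 (Windows NT 10.0) Chrome/89.0"
2021-03-01T10:00:00Z s2 192.0.2.10 AS64497 "Mozilla/5.0 (Macintosh) Safari/14.0"
2021-03-01T12:30:00Z s2 192.0.2.77 AS64497 "Mozilla/5.0 (Macintosh) Safari/14.0"
"""


def parse(line):
    """Split one log line into (datetime, session id, ip, asn, user agent)."""
    ts, sid, ip, asn, ua = shlex.split(line)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), sid, ip, asn, ua


def find_replayed_sessions(log_text, overlap=timedelta(minutes=10)):
    """Return {session_id: [reasons]} for sessions presented from a client unlike the one that created them."""
    first_seen = {}    # sid -> (ip, asn, ua) of the request that established the session
    last_seen = {}     # sid -> (ip, timestamp) of the most recent request
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, sid, ip, asn, ua = parse(line)
        if sid not in first_seen:
            first_seen[sid] = (ip, asn, ua)
            last_seen[sid] = (ip, ts)
            continue
        ip0, asn0, ua0 = first_seen[sid]
        prev_ip, prev_ts = last_seen[sid]
        reasons = []
        if ua != ua0:
            reasons.append(f"user agent changed: {ua0!r} -> {ua!r}")
        if asn != asn0:
            reasons.append(f"network changed: {asn0} -> {asn}")
        if ip != prev_ip and ts - prev_ts <= overlap:
            reasons.append(f"interleaved use from {prev_ip} and {ip} within {overlap}")
        if reasons:
            alerts.setdefault(sid, []).extend(reasons)
        last_seen[sid] = (ip, ts)
    return alerts


if __name__ == "__main__":
    for sid, reasons in find_replayed_sessions(SAMPLE_AUTH_LOG).items():
        print(sid)
        for reason in reasons:
            print("  ", reason)
```

The check is deliberately conservative and is only a partial answer to the problem the quote describes: an attacker who replays the cookie through a residential proxy in the victim's network with the victim's user agent produces no alert, which is precisely why the researchers call this class of compromise hard to detect. The complementary control is to require fresh authentication for sensitive actions, such as changing an ad account's payment method, rather than trusting the session alone.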