Researchers disrupted a newly documented Chinese-based malware called CopperStealer that, since significant countermeasures started in late January, infected up to 5,000 individual hosts per day, stealing credentials of users on major platforms including Facebook, Instagram, Apple, Amazon, Bing, Google, PayPal, Tumblr and Twitter.
Sherrod DeGrippo, senior director of threat research at Proofpoint, said they were first notified of the CopperStealer malware by Twitter user TheAnalyst. She said CopperStealer, which Proofpoint fully describes in a blog post, exhibits many of the same targeting and delivery methods as SilentFade, a Chinese-sourced malware family first reported by Facebook in 2019.
DeGrippo said that to counteract CopperStealer, Proofpoint researchers reverse-engineered the malware. They then did the same to the domain generation algorithm (DGA) used in the malware, so they could preempt the attackers from registering domains used by the malware at least one day before the attackers could register them. They then went to the domain registrars that manage those domains and in most cases the registrars agreed to take them down.
“These were the domains the malware was using to give instructions to harvest back credentials,” DeGrippo said. “Credentials make the world go round when it comes to the current threat landscape and this shows the lengths that threat actors will take to steal valuable credential data. CopperStealer is going after big service provider logins like social media and search engine accounts to spread additional malware or other attacks. These are commodities that can be sold or leveraged. Users should turn on two-factor authentication for their service providers.”
CopperStealer represents an extremely capable malware, offering its users a wide variety of options to exfiltrate sensitive data and drop additional malware, said Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows. Morgan said its target of choice, which features several different social media providers, likely represents efforts by the malware operator to takeover targeted accounts that threat actors can use for further malicious purposes.
Morgan confirmed that threat actors from the People's Republic of China (PRC) are attributed with creating CopperStealer. Morgan said these threat actors have previously used compromised social media accounts to spread misinformation and influence operations on PRC events of strategic importance. Examples include the 2019 Hong Kong protests, which described the events as “riots funded by the CIA.”
“It’s realistically possible that there are similar motivations behind the CopperStealer campaign, using the accounts to spread misinformation,” Morgan said. “The actions taken by Proofpoint and service providers will result in a significant short-term (one-to-three-month) disruption to this campaign; however, replacing infrastructure should be relatively simple for the threat actors. Delivery methods for CopperStealer rely on users interacting with torrent sites offering free versions of legitimate software, which are attractive to avoid costly licensing fees. Users should avoid interacting and downloading software from any unofficial sites, whether on a corporate or personal website.”
Joseph Carson, chief security scientist and advisory CISO at Thycotic, added that CopperStealer has been known to steal passwords from well-known browsers, and it’s a reminder that storing sensitive data within the browser has become a major security risk, especially if employees become victims of this malware.
“This could lead to the criminals gaining access to your organization,” Carson said. “While storing non-sensitive data in a browser is okay, it’s important that organizations move beyond password managers, such as those in browsers. They should move to privileged access security that adds more protection and additional security controls. It’s important to help move passwords into the background and that they are not the only security control protecting your business.”
Proofpoint posted a Python3 script on the blog that security teams can use to see if any of their machines had visited the domains infected by the malware. If so, DeGrippo said companies are advised to perform incident response on those machines.