CopperStealer is a new Chinese-based malware that has infected up to 5,000 hosts each day since it was first documented in late January, 2021. It has stolen the credentials of users from many major platforms, including the following:
- Amazon
- Apple
- Bing
- PayPal
- Tumblr
Twitter user TheAnalyst reported CopperStealer to Proofpoint on January 29, 2021, according to Sherrod DeGrippo, senior director of threat research at Proofpoint. A March 17, 2021 blog post describes CopperStealer in detail; it uses many of the same targeting and delivery methods as SilentFade, the family of Chinese-based malware that Facebook originally reported in 2019.
Overview
CopperStealer is highly capable and offers its users a wide variety of options for exfiltrating data and infecting systems with additional malware. Its preferred targets include several social media providers, indicating its likely purpose is to take control of specific accounts that attackers can use for malicious purposes in the future.
Analysts have attributed the creation of CopperStealer to actors in the People’s Republic of China (PRC). The same actors have previously compromised social media accounts and used them to spread misinformation on strategically important events in the PRC. For example, they described the 2019 Hong Kong protests as “riots funded by the CIA.” The spread of misinformation is also the most likely purpose of CopperStealer.
Function
CopperStealer relies on users interacting with torrent sites to reach its intended targets. These sites primarily offer free versions of copyrighted material, including films, music and software; analysts advise against using them because of the high risk of malware infection.
CopperStealer can exfiltrate passwords saved in major web browsers, illustrating the danger of storing sensitive information in a browser. This is especially true when the victim is an employee of a major company, since the stolen credentials could give CopperStealer access to the personal data of many customers. Storing non-sensitive data in a browser poses a low level of risk, but users should manage their passwords in a more secure environment than a browser. A browser's built-in password manager should therefore not be the only security control protecting an organization’s sensitive information.
CopperStealer also contacts domains that provide it with instructions on how to harvest credentials. Actors go to great lengths to obtain credentials because of their value in the current security landscape. CopperStealer primarily targets the social media accounts of major providers, so users of those services should enable two-factor authentication (TFA) if they haven’t already done so.
Countermeasures
Proofpoint has posted a Python3 script that security analysts can use to determine whether their computers have visited any domains used by CopperStealer. They should perform incident response on any machines that have visited these sites.
Experts at Proofpoint reverse-engineered CopperStealer and the domain generation algorithm (DGA) it uses, allowing them to contact the registrars that manage the domains the attackers wanted to register. In most cases, the registrars were able to take the domains down before the attackers could register them. These actions should significantly disrupt CopperStealer’s operations for the next one to three months, although the actors will probably replace their targeted domains after this point.
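Proofpoint's script and the reverse-engineered DGA are not reproduced here. The following Python routine is an added example (not the page's or Proofpoint's code) of the kind of check an analyst would run: matching DNS query logs against a list of DGA-generated domains, comparing on label boundaries so that look-alike names do not produce false hits. The domain list, the log lines and the BIND-style log format are all constructed assumptions.

```python
import re
from typing import Iterable, List, Optional, Set, Tuple

# Constructed placeholder list standing in for the DGA output an analyst
# would obtain from Proofpoint's script; these are NOT real indicators.
DGA_DOMAINS = {"example-dga-aaaa.invalid", "example-dga-bbbb.invalid"}

# Constructed sample lines in a BIND-style query-log format (an assumption).
SAMPLE_LOG = """\
29-Jan-2021 10:01:02.100 client 10.0.0.5#51234: query: www.legit-site.test IN A +
29-Jan-2021 10:01:03.200 client 10.0.0.7#51235: query: EXAMPLE-DGA-AAAA.INVALID. IN A +
29-Jan-2021 10:01:04.300 client 10.0.0.9#51236: query: cdn.example-dga-bbbb.invalid IN AAAA +
29-Jan-2021 10:01:05.400 client 10.0.0.5#51237: query: notexample-dga-aaaa.invalid IN A +
"""

QUERY_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN ")

def normalize(name: str) -> str:
    """Lower-case the name and strip the trailing dot DNS logs often add."""
    return name.lower().rstrip(".")

def matches_dga(qname: str, dga_domains: Set[str]) -> Optional[str]:
    """Return the DGA domain that qname equals or is a subdomain of, else None.

    Comparison is on label boundaries: 'notexample-dga-aaaa.invalid' must not
    match 'example-dga-aaaa.invalid', which a plain endswith() would allow.
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in dga_domains:
            return candidate
    return None

def find_hits(log_lines: Iterable[str], dga_domains: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (client_ip, normalized_query_name, matched_dga_domain) per hit."""
    hits = []
    for line in log_lines:
        m = QUERY_RE.search(line)
        if m and (hit := matches_dga(m["qname"], dga_domains)):
            hits.append((m["client"], normalize(m["qname"]), hit))
    return hits

def affected_hosts(log_text: str, dga_domains: Set[str] = DGA_DOMAINS) -> Set[str]:
    """Client IPs to hand to incident response."""
    return {ip for ip, _, _ in find_hits(log_text.splitlines(), dga_domains)}

if __name__ == "__main__":
    for ip, qname, dga in find_hits(SAMPLE_LOG.splitlines(), DGA_DOMAINS):
        print(f"{ip} queried {qname} -> DGA domain {dga}")
```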