A New Malware Is Stealing Google, Apple, and Facebook Accounts
CopperStealer is an actively developed password and cookie stealer.
The malware in question has not been documented previously, but it seems to be distributed through fake software crack sites and is targeting the users of major service providers, including Google, Facebook, Amazon, and Apple.
Researchers from Proofpoint named the malware CopperStealer. This is an actively developed password and cookie stealer containing a downloader feature that enables its operators to deliver additional malicious payloads to infected devices.
It looks like the threat actors behind this newly discovered malware have used compromised accounts to run malicious ads and deliver additional malware in subsequent malvertising campaigns.
How was the malware discovered?
In January “TheAnalyst“, shared on its Twitter account a sample that caught the researchers’ attention, helping them to uncover an actively developed password and cookie stealer with a downloader function, that targets Facebook and Instagram business and advertiser accounts.
A dangerous malware does not need to be sophisticated.
CopperStealers is attacking by harvesting passwords saved in Google Chrome, Edge, Firefox, Yandex, and Opera web browsers, and it’s also able to retrieve the victims’ Facebook User Access Token by making use of stolen cookies.
While CopperStealer isn’t the most nefarious credential/account stealer in existence, it goes to show that even with basic capabilities, the overall impact can be large.
Fake software crack sites became distribution channels
The new malware is distributed through fake software crack sites and known malware distribution platforms such as keygenninja[.]com, piratewares[.]com, startcrack[.]com, and crackheap[.]net.
Heimdal® Threat Prevention - Endpoint
- Machine learning powered scans for all incoming online traffic;
- Stops data breaches before sensitive info can be exposed to the outside;
- Advanced DNS, HTTP and HTTPS filtering for all your endpoints;
- Protection against data leakage, APTs, ransomware and exploits;
It seems that two of the sites were sinkholed after discovering their connection to ongoing attempts to deliver malware and Potentially Unwanted Programs/Applications (PUP/PUA) software.
In the first 24 hours of operation, the sinkhole logged 69,992 HTTP Requests from 5,046 unique IP addresses originating from 159 countries representing 4,655 unique infections. Proofpoint said.
Credentials make the world go round when it comes to the current threat landscape and this shows the lengths that threat actors will take to steal valuable credential data.
Account stealing malware like this one are providing the scammers with the necessary tools for creating impersonation attacks and identity theft fraud.