More Business Social Accounts Hijacked by CopperStealer
The new malware is targeting business and advertiser accounts to run deceptive ads.
After it was reported that a new malware was stealing Facebook accounts, a report published by Proofpoint researchers revealed that users of other tech giants, including Apple, Amazon, and Google, have also been targeted by the same cybercriminal activity since July 2019.
Our investigation uncovered an actively developed password and cookie stealer with a downloader function, capable of delivering additional malware after performing stealer activity. The earliest discovered samples date back to July of 2019. While we analyzed a sample that targets Facebook and Instagram business and advertiser accounts, we also identified additional versions that target other major service providers, including Apple, Amazon, Bing, Google, PayPal, Tumblr, and Twitter.
The malware, dubbed CopperStealer, behaves similarly to the Chinese-sourced malware family SilentFade, which Facebook attributed to the Hong Kong-based ILikeAD Media International Company Ltd, as well as to other malware such as StressPaint, FacebookRobot, and Scranos.
After investigating a sample, the researchers concluded that not only Facebook and Instagram business accounts were targeted, but also accounts at other major service providers, including Apple, Amazon, Google, PayPal, Tumblr, and Twitter. They discovered CopperStealer after observing suspicious websites advertised as “KeyGen” or “Crack” sites, such as keygenninja[.]com, piratewares[.]com, startcrack[.]com, and crackheap[.]net, hosting samples that delivered multiple malware families, including CopperStealer.
CopperStealer harvests passwords saved in the Google Chrome, Yandex, Edge, Firefox, and Opera web browsers and uses stored cookies to retrieve a User Access Token from Facebook. As soon as the User Access Token is obtained, the malware queries several Facebook and Instagram API endpoints to gather additional information, including the friends/followers list, any ad accounts configured for the user, and the pages the user has access to.
In the last year and a half, over 80 different versions of CopperStealer have been observed.
Although CopperStealer is not an especially sophisticated malware, it can have a powerful effect. Proofpoint researchers found that in the first 24 hours of operation, the sinkhole logged 69,992 HTTP requests from 5,046 unique IP addresses originating from 159 countries and representing 4,655 unique infections. The top five countries impacted by the malware, based on unique infections, were India, Indonesia, Brazil, Pakistan, and the Philippines.
Findings from this investigation point towards CopperStealer being another piece of this ever-changing ecosystem. CopperStealer’s active development and its use of DGA-based C2 servers demonstrate operational maturity as well as redundancy.
Proofpoint cybersecurity analysts will continue to work towards disrupting CopperStealer’s current activities and to monitor the threat landscape to help identify and detect the malware’s future evolutions.