CopperStealer malware targeting Facebook, Amazon, Apple and other media services data

Researchers at Proofpoint disrupted a newly documented account-stealing malware, CopperStealer, distributed through fake software crack sites and targeting major social service providers including Google, Facebook, Amazon and Apple.

The significant countermeasures against the malware started in January. Since then, it has infected up to 5000 individual hosts on a daily basis.

Sherrod DeGrippo, the senior director at Proofpoint, said they were the first to notice this Chinese-sourced malware, via the Twitter user TheAnalyst. She said CopperStealer exhibits many of the same targeting and delivery methods as SilentFade, a Chinese-based malware reported by Facebook in 2019.

To counteract CopperStealer, DeGrippo said, the Proofpoint researchers reverse-engineered the malware and did the same to the DGA, or domain generation algorithm, that it uses. With that, they pre-empted the attackers' registration of the domains used by the malware, a day before the attackers could register them. Then they took the domains down with the help of the registrars.

DeGrippo said, “These were the domains the malware was using to give instructions to harvest back credentials. Credentials make the world go round when it comes to the current threat landscape and this shows the lengths that threat actors will take to steal valuable credential data. CopperStealer is going after big service provider logins like social media and search engine accounts to spread additional malware or other attacks. These are commodities that can be sold or leveraged. Users should turn on two-factor authentication for their service providers.”
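Getting a day ahead of a DGA, as described above, means computing its output for upcoming dates. The same list lets a defender spot infected hosts in DNS logs. The sketch below is an added example, not Proofpoint's code: `toy_dga` is a constructed stand-in (the article does not give CopperStealer's algorithm), and the date, log format, addresses and `.example` TLD are assumptions.

```python
import hashlib
from datetime import date, timedelta

# Constructed stand-in DGA: NOT CopperStealer's algorithm (not given in the article).
def toy_dga(day, count=5, tld=".example"):
    """Derive `count` date-seeded domain names for one day."""
    names = []
    for i in range(count):
        digest = hashlib.sha256(f"{day.isoformat()}:{i}".encode()).hexdigest()
        names.append(digest[:16] + tld)
    return names

def lookahead(today, days_ahead=1):
    """Map every domain for today..today+days_ahead to the day it becomes active."""
    table = {}
    for offset in range(days_ahead + 1):
        day = today + timedelta(days=offset)
        for name in toy_dga(day):
            table.setdefault(name, day)
    return table

def scan_dns_log(lines, table):
    """Return (client, domain, active_day) for queries that hit the precomputed set."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed or truncated records
        _timestamp, client, qname = parts
        qname = qname.rstrip(".").lower()  # normalise trailing dot and case
        if qname in table:
            hits.append((client, qname, table[qname]))
    return hits

TODAY = date(2021, 3, 1)  # constructed date for the example
TABLE = lookahead(TODAY)

# Constructed DNS query log: "<timestamp> <client-ip> <queried-name>"
SAMPLE_LOG = [
    f"2021-03-01T09:14:02Z 10.0.0.23 {toy_dga(TODAY)[0]}.",
    "2021-03-01T09:14:05Z 10.0.0.41 www.example.org.",
    f"2021-03-01T23:58:40Z 10.0.0.23 {toy_dga(TODAY + timedelta(days=1))[2].upper()}",
    "truncated line",
]
HITS = scan_dns_log(SAMPLE_LOG, TABLE)

if __name__ == "__main__":
    for client, domain, day in HITS:
        print(f"{client} queried {domain} (active from {day})")
```

A query for a name that only becomes active tomorrow, like the third log line, is a strong infection signal, because nothing legitimate resolves a name that has not been registered yet.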

CopperStealer allows its operator to exfiltrate sensitive data and drop additional malware, said Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows.

Morgan said, “It’s realistically possible that there are similar motivations behind the CopperStealer campaign, using the accounts to spread misinformation. The actions taken by Proofpoint and service providers will result in a significant short-term (one-to-three-month) disruption to this campaign; however, replacing infrastructure should be relatively simple for the threat actors. Delivery methods for CopperStealer rely on users interacting with torrent sites offering free versions of legitimate software, which are attractive to avoid costly licensing fees. Users should avoid interacting and downloading software from any unofficial sites, whether on a corporate or personal website.”

Joseph Carson, chief security scientist and advisory CISO at Thycotic, added that the malware can steal passwords from well-known web browsers, so storing sensitive information in web browsers will become a major security risk, especially when employees become victims of the malware.

Carson said, “This could lead to the criminals gaining access to your organization. While storing non-sensitive data in a browser is okay, it’s important that organizations move beyond password managers, such as those in browsers. They should move to privileged access security that adds more protection and additional security controls. It’s important to help move passwords into the background and that they are not the only security control protecting your business.”