Thursday, July 25, 2024

CopperStealer Malware Attacks Facebook and Instagram Business Accounts

The cybersecurity researchers at Proofpoint have recently issued all the details regarding a new undocumented malware, which is dubbed as “CopperStealer.”

According to the report, the threat actors are spreading this undocumented malware via fake software that continuously destroying the sites and targeting the users of major assistance providers like Google, Instagram, Facebook, Amazon, Apple. 

This undocumented malware, CopperStealer works like the previously identified malware SilentFade, which is a China-backed malware.

The cybersecurity experts concluded that along with Facebook and Instagram business accounts, it was also targeting the other major service providers that include Apple, Amazon, Google, PayPal, Tumblr, and Twitter, just after investigating a sample.

Distribution Methods

After a proper investigation, the cybersecurity analyst of Proofpoint has perceived suspicious websites that are displayed as “KeyGen” or “Crack” sites.

The websites also include “keygenninja[.]com, piratewares[.]com, startcrack[.]com, and crackheap[.]net,” which is continuously hosting samples that have remitted various malware issues, which also includes the CopperStealer as well.


These sites promote themselves to endeavor “cracks”, “keygen” and “serials” to bypass the licensing limitations of legitimate software.

Moreover, the security researchers have also recognized these sites eventually contribute Potentially Unwanted Programs/Applications (PUP/PUA) or manage other malicious executables competent for installing and downloading additional payloads.

Data Retrieval of Facebook and Instagram

This new malware has the ability to find and send saved browser passwords, and the following Internet browsers are examined by the researchers particularly for Facebook saved credentials:-

  • Edge
  • Yandex
  • Chrome
  • Opera
  • Firefox

Moreover, when the User Access Token is assembled, the malware demands several API endpoints for Facebook and Instagram so that it can gather more context.


These contexts include a list of friends, any commercial accounts configured for the user, and a full list of pages the user has been conferred access to. 

Major Version Updates

The analysts have affirmed that they have observed more than 80 different versions in the year and half CopperStealer has been grouped and scattered in the wild.

The release of new versions improved in frequency commencing in August 2020 and already stimulated between October 2020 and February 2021, along with various updates that are eventually being released every month.

Dangerous despite lack of sophistication

CopperStealers operates by harvesting passwords that are saved in the Google Chrome, Yandex, Edge, Firefox, and Opera web browsers, as we told.

Not only this but the malware has dropped utilizing CopperStealer’s downloader module which also involves the modular Smokeloader backdoor, and it also accommodates a wide collection of other malicious payloads that are being downloaded from different “URLs.”

Apart from this, the experts believe that CopperStealer isn’t the most treacherous credential/account stealer in survival, just like others it also has the basic capabilities, and its overall impact can be huge.

However, CopperStealer recovers a download configuration from the very common server that is the c2 server, it helps to extract an archive named “xldl.dat,” it generally resembles to be one of the legitimate download manager named Xunlei from Xunlei Networking Technologies Ltd. 

The Copperstealer goes after huge co-operation provider logins that are similar to social media and search engine accounts, as it helps the threat actors or the operators of it to advertise additional malware or other attacks.


Latest articles

ShadowRoot Ransomware Attacking Organizations With Weaponized PDF Documents

A rudimentary ransomware targets Turkish businesses through phishing emails with ".ru" domain sender addresses....

BreachForumsV1 Database Leaked: Private messages, Emails & IP Exposed

BreachForumsV1, a notorious online platform for facilitating illegal activities, has reportedly suffered a massive...

250 Million Hamster Kombat Players Targeted Via Android And Windows Malware

Despite having simple gameplay, the new Telegram clicker game Hamster Kombat has become very...

Beware Of Malicious Python Packages That Steal Users Sensitive Data

Malicious Python packages uploaded by "dsfsdfds" to PyPI infiltrated user systems by exfiltrating sensitive...

Chinese Hackers Using Shared Framework To Create Multi-Platform Malware

Shared frameworks are often prone to hackers' abuses as they have been built into...

BlueStacks Emulator For Windows Flaw Exposes Millions Of Gamers To Attack

A significant vulnerability was discovered in BlueStacks, the world's fastest Android emulator and cloud...

Google Chrome 127 Released with a fix for 24 Security Vulnerabilities

Google has unveiled the latest version of its Chrome browser, Chrome 127, which is...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles