Wednesday, December 6, 2023

CopperStealer Malware Attacks Facebook and Instagram Business Accounts

The cybersecurity researchers at Proofpoint have recently issued all the details regarding a new undocumented malware, which is dubbed as “CopperStealer.”

According to the report, the threat actors are spreading this undocumented malware via fake software that continuously destroying the sites and targeting the users of major assistance providers like Google, Instagram, Facebook, Amazon, Apple. 

This undocumented malware, CopperStealer works like the previously identified malware SilentFade, which is a China-backed malware.

The cybersecurity experts concluded that along with Facebook and Instagram business accounts, it was also targeting the other major service providers that include Apple, Amazon, Google, PayPal, Tumblr, and Twitter, just after investigating a sample.

Distribution Methods

After a proper investigation, the cybersecurity analyst of Proofpoint has perceived suspicious websites that are displayed as “KeyGen” or “Crack” sites.

The websites also include “keygenninja[.]com, piratewares[.]com, startcrack[.]com, and crackheap[.]net,” which is continuously hosting samples that have remitted various malware issues, which also includes the CopperStealer as well.


These sites promote themselves to endeavor “cracks”, “keygen” and “serials” to bypass the licensing limitations of legitimate software.

Moreover, the security researchers have also recognized these sites eventually contribute Potentially Unwanted Programs/Applications (PUP/PUA) or manage other malicious executables competent for installing and downloading additional payloads.

Data Retrieval of Facebook and Instagram

This new malware has the ability to find and send saved browser passwords, and the following Internet browsers are examined by the researchers particularly for Facebook saved credentials:-

  • Edge
  • Yandex
  • Chrome
  • Opera
  • Firefox

Moreover, when the User Access Token is assembled, the malware demands several API endpoints for Facebook and Instagram so that it can gather more context.


These contexts include a list of friends, any commercial accounts configured for the user, and a full list of pages the user has been conferred access to. 

Major Version Updates

The analysts have affirmed that they have observed more than 80 different versions in the year and half CopperStealer has been grouped and scattered in the wild.

The release of new versions improved in frequency commencing in August 2020 and already stimulated between October 2020 and February 2021, along with various updates that are eventually being released every month.

Dangerous despite lack of sophistication

CopperStealers operates by harvesting passwords that are saved in the Google Chrome, Yandex, Edge, Firefox, and Opera web browsers, as we told.

Not only this but the malware has dropped utilizing CopperStealer’s downloader module which also involves the modular Smokeloader backdoor, and it also accommodates a wide collection of other malicious payloads that are being downloaded from different “URLs.”

Apart from this, the experts believe that CopperStealer isn’t the most treacherous credential/account stealer in survival, just like others it also has the basic capabilities, and its overall impact can be huge.

However, CopperStealer recovers a download configuration from the very common server that is the c2 server, it helps to extract an archive named “xldl.dat,” it generally resembles to be one of the legitimate download manager named Xunlei from Xunlei Networking Technologies Ltd. 

The Copperstealer goes after huge co-operation provider logins that are similar to social media and search engine accounts, as it helps the threat actors or the operators of it to advertise additional malware or other attacks.


Latest articles

BlueNoroff: New Malware Attacking MacOS Users

Researchers have uncovered a new Trojan-attacking macOS user that is associated with the BlueNoroff APT...

Serpent Stealer Acquires Browser Passwords and Erases Intrusion Logs

Beneath the surface of the cyber realm, a silent menace emerges—crafted with the precision...

Doppelgänger: Hackers Employ AI to Launch Highly sophistication Attacks

It has been observed that threat actors are using AI technology to conduct illicit...

Kali Linux 2023.4 Released – What’s New!

Kali Linux 2023.4, the latest version of Offensive Security's renowned operating system, has been...

Trickbot Malware Developer Pleads Guilty & Faces 35 Years in Prison

A 40-year-old Russian national, Vladimir Dunaev, pleaded guilty for developing and deploying Trickbot malware....

ICANN Launches RDRS to Assist Law Enforcement Agencies to Discover Private Info

ICANN is a non-profit organization that is responsible for coordinating the global internet's-DNSIP address...

Hackers Use Weaponized Documents to Attack U.S. Aerospace Industry

An American aerospace company has been the target of a commercial cyberespionage campaign dubbed...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

API Attack Simulation Webinar

Live API Attack Simulation

In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked.The session will cover:an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway

Related Articles