Tuesday, November 5, 2024
HomeMalwareCopperStealer Malware Attacks Facebook and Instagram Business Accounts

CopperStealer Malware Attacks Facebook and Instagram Business Accounts

Published on

Malware protection

The cybersecurity researchers at Proofpoint have recently issued all the details regarding a new undocumented malware, which is dubbed as “CopperStealer.”

According to the report, the threat actors are spreading this undocumented malware via fake software that continuously destroying the sites and targeting the users of major assistance providers like Google, Instagram, Facebook, Amazon, Apple. 

This undocumented malware, CopperStealer works like the previously identified malware SilentFade, which is a China-backed malware.

- Advertisement - SIEM as a Service

The cybersecurity experts concluded that along with Facebook and Instagram business accounts, it was also targeting the other major service providers that include Apple, Amazon, Google, PayPal, Tumblr, and Twitter, just after investigating a sample.

Distribution Methods

After a proper investigation, the cybersecurity analyst of Proofpoint has perceived suspicious websites that are displayed as “KeyGen” or “Crack” sites.

The websites also include “keygenninja[.]com, piratewares[.]com, startcrack[.]com, and crackheap[.]net,” which is continuously hosting samples that have remitted various malware issues, which also includes the CopperStealer as well.

CopperStealer

These sites promote themselves to endeavor “cracks”, “keygen” and “serials” to bypass the licensing limitations of legitimate software.

Moreover, the security researchers have also recognized these sites eventually contribute Potentially Unwanted Programs/Applications (PUP/PUA) or manage other malicious executables competent for installing and downloading additional payloads.

Data Retrieval of Facebook and Instagram

This new malware has the ability to find and send saved browser passwords, and the following Internet browsers are examined by the researchers particularly for Facebook saved credentials:-

  • Edge
  • Yandex
  • Chrome
  • Opera
  • Firefox

Moreover, when the User Access Token is assembled, the malware demands several API endpoints for Facebook and Instagram so that it can gather more context.

CopperStealer

These contexts include a list of friends, any commercial accounts configured for the user, and a full list of pages the user has been conferred access to. 

Major Version Updates

The analysts have affirmed that they have observed more than 80 different versions in the year and half CopperStealer has been grouped and scattered in the wild.

The release of new versions improved in frequency commencing in August 2020 and already stimulated between October 2020 and February 2021, along with various updates that are eventually being released every month.

Dangerous despite lack of sophistication

CopperStealers operates by harvesting passwords that are saved in the Google Chrome, Yandex, Edge, Firefox, and Opera web browsers, as we told.

Not only this but the malware has dropped utilizing CopperStealer’s downloader module which also involves the modular Smokeloader backdoor, and it also accommodates a wide collection of other malicious payloads that are being downloaded from different “URLs.”

Apart from this, the experts believe that CopperStealer isn’t the most treacherous credential/account stealer in survival, just like others it also has the basic capabilities, and its overall impact can be huge.

However, CopperStealer recovers a download configuration from the very common server that is the c2 server, it helps to extract an archive named “xldl.dat,” it generally resembles to be one of the legitimate download manager named Xunlei from Xunlei Networking Technologies Ltd. 

The Copperstealer goes after huge co-operation provider logins that are similar to social media and search engine accounts, as it helps the threat actors or the operators of it to advertise additional malware or other attacks.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Google Patched 40 Security Vulnerabilities Along With Two Zero-Days

Google has released a batch of security updates addressing 40 vulnerabilities, two of which...

Threat Actor IntelBroker Claims Leak of Nokia’s Source Code

The threat actor known as IntelBroker, in collaboration with EnergyWeaponUser, has claimed responsibility for...

Evasive Panda Attacking Cloud Services To Steal Data Using New Toolkit

The Evasive Panda group deployed a new C# framework named CloudScout to target a...

Massive Midnight Blizzard Phishing Attack Using Weaponized RDP Files

Researchers warn of ongoing spear-phishing attacks by Russian threat actor Midnight Blizzard targeting individuals...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

SYS01 InfoStealer Malware Attacking Meta Business Page To Steal Logins

The ongoing Meta malvertising campaign, active for over a month, employs an evolving strategy...

Russian Hackers Attacking Ukraine Military With Malware Via Telegram

Researchers discovered a Russian-linked threat actor, UNC5812, utilizing a Telegram persona named "Civil Defense....

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS...