Resurfacing with New Rootkit and Phishing Kit Modules: The CopperStealer Malware Crew
In March and April 2023, the threat actors responsible for the CopperStealer virus reappeared with two new campaigns meant to deliver two brand-new payloads called CopperStealth and CopperPhish.
The group being monitored by Trend Micro goes by the name of Water Orthrus. The opponent is also suspected of being behind the Scranos campaign, which Bitdefender described in 2019. Water Orthrus, active at least since 2021, has a history of using pay-per-install (PPI) networks to reroute victims arriving at websites offering cracked software downloads in order to drop an information thief known as CopperStealer.
Another campaign spotted in August 2022 entailed the use of CopperStealer to distribute Chromium-based web browser extensions that are capable of performing unauthorized transactions and transferring cryptocurrency from victims’ wallets to ones under attackers’ control.
Security researchers Jaromir Horejsi and Joseph C Chen said in a technical report that says: “CopperStealth’s infection chain involves dropping and loading a rootkit, which later injects its payload into explorer.exe and another system process. These payloads are responsible for downloading and running additional tasks. The rootkit also blocks access to blocklisted registry keys and prevents certain executables and drivers from running.”
Byte sequences related to Chinese security software providers Huorong, Kingsoft, and Qihoo 360 are included in the driver denylist. A task module built into CopperStealth also lets it connect to a remote server and get the instruction to be run on the infected computer, enabling the virus to drop additional payloads.
CopperPhish phishing kit spreads via file-sharing websites
The CopperPhish campaign, which was discovered in April 2023, uses a similar technique to spread malware using PPI networks hidden behind free anonymous file-sharing services.
The CopperPhish phishing kit, which is designed to gather credit card information, is subsequently launched using the downloader service, which is also made available on a PPI basis.
This is accomplished by “starting a rundll32 process and injecting a simple program with a browser window (written in Visual Basic) in it,” which loads a phishing page requesting that victims scan a QR code to prove their identity and enter a confirmation number to “restore your device’s network.”
The researchers explained that” The window has no controls that can be used to minimize or close it and the victim could close the browser’s process in Task Manager or Process Explorer, but they would also need to terminate the main payload process, otherwise, the browser process will happen again due to the persistence thread.”
The CopperPhish malware presents the message “the identity verification has passed” along with a confirmation code that the victim can enter on the aforementioned screen after entering the sensitive information on the page.
Providing the correct confirmation code also causes the malware to uninstall itself and delete all the dropped phishing files from the machine. “The credential verification and confirmation code are two useful features that make this phishing kit more successful, as the victim cannot simply close the window or enter fake information just to get rid of the window,” the researchers said.
According to Water Orthrus, CopperStealth, CopperPhish, and CopperStealer, all have traits in their source code that are comparable to those of CopperStealer, suggesting that the same person may have created all three strains.
The campaigns’ various goals show how the threat actor’s techniques have evolved, showing an effort to increase its arsenal of tools and broaden its income opportunities.
The discoveries coincide with the usage of malicious Google advertising to persuade users to download phony installers for AI products like Midjourney and OpenAI’s ChatGPT that ultimately drop stealers like Vidar and RedLine.
They also come after the revelation of a brand-new traffic-monetizing service called TrafficStealer, which uses containers with incorrect configurations to reroute traffic to websites and produce phony ad clicks as part of a nefarious money-making plan.
If you like our content, do follow us on our LinkedIn and Facebook handles for more exclusive content like this.
Our Readers Also READNew Phishing-as-a-Service Enables CyberCrimianls to generate Convincing Fake Pages