Malware Alert! Facebook and Instagram Accounts Targeted by CopperStealer

 Threat researchers have recently uncovered a malicious malware called CopperStealer that has gone undetected since 2019 but has attacked major business accounts with Google, Facebook, Apple, Amazon, Instagram, other social media platforms.

What Happened?

According to ThreatPost, Proofpoint researchers published their findings online this week. They said that “Our investigation uncovered an actively developed password and cookie stealer with a downloader function, capable of delivering additional malware after performing stealer activity.”

They are calling the threat a “password and cookie stealer.” They compare CooperStealer to another malware called SilentFade linked to China hacker group iLikeAD Media International Company Ltd. However, it also shares traits with other malware such as FacebookRobot, StressPaint, and Scranos.

The investigators also drew the conclusion that an increase of Chinese-based malware is showing up in the market targeting social media accounts and services. The researchers said, “Findings from this investigation point towards CopperStealer being another piece of this ever-changing ecosystem.”

There appear to be various strains of this malware. Threat researchers examined one version that targeted Facebook and Instagram business accounts. However, other strains target different platforms.

The Nitty Gritty Details

According to ThreatPost “Proofpoint researchers discovered CopperStealer after they observed suspicious websites advertised as “KeyGen” or “Crack” sites–including keygenninja[.]com, piratewares[.]com, startcrack[.]com, and crackheap[.]net–hosting samples delivering multiple malware families that included CopperStealer.

The sites purported to offer “cracks,” “keygen,” and “serials” to circumvent licensing restrictions of legitimate software, researchers noted. What they provided instead were Potentially Unwanted Programs/Applications (PUP/PUA) or malicious executables capable of installing and downloading additional payloads, they said.”

In a joint effort, Proofpoint partnered with Facebook, Cloudflare, and other services to deconstruct the malware and stop infections. As part of the operation, Cloudflare placed a warning on malicious domains and created a sinkhole so they could not be registered by the hackers. While in place, the cybercriminals could not collect data from victims.

Proofpoint also mentioned that CopperStealer was pretty basic in nature; however, Cloudflare caught more than 69,992 HTTP requests from 5,046 IP addresses in 159 countries during the trap. That’s a huge victim pool. The bottom line is that the threat represents 4,655 infections. The countries hit the hardest were India, the Philippines, Brazil, Indonesia, and Pakistan.

ThreatPost explains the nature of the infections “In its attacks, CopperStealer retrieves a download configuration from the c2 server that extracts an archive named “xldl.dat,” which appears to be a legitimate download manager called Xunlei from Xunlei Networking Technologies Ltd. that was previously linked to malware in 2013. CopperStealer then uses an API exposed from the Xunlei application in order to download the configuration for the follow-up binary, researchers wrote.”

The most common payload witnessed from this particular malware is SmokeLoader which is a modular backdoor. Proofpoint is continuing their investigation to learn more, hoping to lead law enforcement to those responsible.

How to Stay Safe from Malware

• Protect all your social media accounts by securing them and configuring privacy settings to the maximum level. 
• Never click on ads in social media or links sent to you via text within the app.
• Always use long, very strong passwords on social media accounts.
• Do not access social media accounts from public Wi-Fi without a VPN.
• Never reuse passwords on multiple accounts. If hackers get one, they can access all your accounts that share that password.
• Keep good antivirus/anti-malware software on all your devices.
• Update your computer and mobile devices with the latest security patches.
• Never click on links in email or text when they come in from unsolicited sources.
• Always verify everything before taking an action.