CopperStealer Malware Crew Resurfaces with New Rootkit and Phishing Kit Modules

May 16, 2023 · Ravi Lakshmanan · Online security / malware


The threat actors behind the CopperStealer malware have resurfaced in March and April 2023 with two new campaigns designed to deliver two new payloads dubbed CopperStealth and CopperPhish.

Trend Micro tracks the financially motivated group under the name Water Orthrus. The adversary is also credited with another campaign known as Scranos, which Bitdefender detailed in 2019.

Water Orthrus has been active since at least 2021 and has a track record of using pay-per-install (PPI) networks to redirect victims who land on cracked-software download sites, ultimately dropping an information stealer codenamed CopperStealer.

Another campaign, spotted in August 2022, used CopperStealer to distribute Chromium-based web browser extensions capable of conducting fraudulent transactions and transferring cryptocurrency from a victim’s wallet to a wallet under the attacker’s control.


The latest attack sequence documented by Trend Micro does not deviate much from this pattern: CopperStealth is packaged as a free tool installer and spread through Chinese software-sharing websites.

“CopperStealth’s infection chain involves dropping and loading a rootkit, then injecting its payload into explorer.exe and other system processes,” security researchers Jaromir Horejsi and Joseph C Chen said in a technical report.

“These payloads are responsible for downloading and executing additional tasks. Rootkits also block access to blocklisted registry keys, preventing certain executables and drivers from running.”

The driver denylist contains byte sequences associated with Chinese security software companies such as Huorong, Kingsoft, and Qihoo 360.

CopperStealth also includes a task module that calls remote servers to obtain commands to run on the infected machine, allowing the malware to drop additional payloads.

File-sharing websites act as conduits for CopperPhish phishing kits

The CopperPhish campaign, spotted worldwide in April 2023, utilizes a similar process to deploy malware via PPI networks behind free, anonymous file-sharing websites.

“When a visitor clicks on an ad disguised as a download link, they are redirected to a download page designed by the PPI network,” the researchers said. “The downloaded file is PrivateLoader, which downloads and executes various malware.”

The downloader service, also PPI-based, is used to acquire and launch CopperPhish, a phishing kit responsible for collecting credit card information.

It accomplishes this by “starting a rundll32 process and injecting a simple program containing a browser window (written in Visual Basic).” The program loads a phishing page that prompts the victim to scan a QR code to verify their identity and enter a confirmation code to “restore network for device.”

“The window doesn’t have controls to minimize or close,” the researchers explained. “The victim can close the browser’s process in Task Manager or Process Explorer, but the main payload process must also be terminated, otherwise the persistent thread will cause the browser’s process to spawn again.”

Once sensitive information is entered on the page, the CopperPhish malware displays the message “Identity Verification Completed” next to a verification code that the victim can enter on the aforementioned screen.


Once the correct verification code is entered, the malware uninstalls itself and removes any dropped phishing files from the machine.
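One defender-side heuristic for the respawn behaviour described above, as an added example that is not from the Trend Micro report: flag a parent process that re-creates the same child image several times within a short window. The event schema, the rundll32.exe/msedge.exe pairing and all timestamps are constructed assumptions, not observed indicators.

```python
"""Respawn-loop heuristic: flag a parent that repeatedly re-creates the same
child image in a short window (the behaviour the report attributes to the
payload's persistent thread respawning the phishing browser window).
Field names are a constructed schema, not any EDR's or Trend Micro's."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    ts: float           # seconds since boot (constructed)
    pid: int
    ppid: int
    image: str          # child executable name
    parent_image: str   # parent executable name


def find_respawn_loops(events, min_spawns=3, window_s=60.0):
    """Return {(parent_image, child_image): max_count} for parents that spawn
    the same child image at least `min_spawns` times within `window_s` seconds.
    Grouping includes the parent PID so unrelated parents are never merged."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e.ppid, e.parent_image.lower(), e.image.lower())].append(e.ts)
    hits = {}
    for (_ppid, pimg, cimg), stamps in by_pair.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):          # sliding window over timestamps
            while stamps[end] - stamps[start] > window_s:
                start += 1
            n = end - start + 1
            if n >= min_spawns:
                hits[(pimg, cimg)] = max(hits.get((pimg, cimg), 0), n)
    return hits


# Constructed sample: a rundll32.exe host relaunching a browser window each
# time it is closed, alongside benign explorer.exe activity spaced minutes apart.
SAMPLE_EVENTS = [
    ProcEvent(100.0, 4100, 3980, "msedge.exe", "rundll32.exe"),
    ProcEvent(112.5, 4188, 3980, "msedge.exe", "rundll32.exe"),
    ProcEvent(121.0, 4212, 3980, "msedge.exe", "rundll32.exe"),
    ProcEvent(133.7, 4301, 3980, "msedge.exe", "rundll32.exe"),
    ProcEvent(105.0, 5000, 1200, "notepad.exe", "explorer.exe"),
    ProcEvent(400.0, 5100, 1200, "notepad.exe", "explorer.exe"),
]

if __name__ == "__main__":
    for (parent, child), n in find_respawn_loops(SAMPLE_EVENTS).items():
        print(f"{parent} respawned {child} {n}x within 60s")
```

A real deployment would feed process-creation telemetry into `find_respawn_loops` and pair the alert with the report's other note: killing only the child is insufficient, the parent payload must be terminated too.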

“Credential validation and verification codes are two useful features that make this phishing kit more successful, because victims cannot simply close the window or enter fake information just to get rid of it,” the researchers said.

The attribution to Water Orthrus rests on the fact that both CopperStealth and CopperPhish share source code characteristics with CopperStealer, making it likely that all three strains were developed by the same author.

The differing objectives of the campaigns reflect an evolution in the threat actor’s tactics, adding new capabilities to its arsenal in an attempt to broaden its sources of revenue.

The findings follow reports that malicious Google ads were used to trick users into downloading fake installers for AI tools such as Midjourney and OpenAI’s ChatGPT, which ultimately drop stealers such as Vidar and RedLine.

They also follow the discovery of a new traffic monetization service called TrafficStealer, which abuses misconfigured containers to redirect traffic to websites and generate fake ad clicks as part of a fraudulent money-making scheme.
