Websites Hosting Fake Cracks Spread Updated CopperStealer Malware

First Stage: Cryptor Analysts observed CopperStealer’s binary being encrypted and appended to a legitimate application with its entry point overwritten by a shellcode. This shellcode reads an offset of the payload and XOR decryption key from the executable file header. The encryption key is 0x001eb1c0, which is 2011584 in decimal. The decimal value is both the offset and the encryption key. All the samples Analysts analyzed use the same scheme. The following screenshot shows the beginning of the encrypted data. The decryption is an XOR function with the same key as offset in decimal. The decrypted second stage is an Ultimate Packer for Executables (UPX)-packed DLL and has one exported function called HelloWorld. It’s important to note that in older versions of CopperStealer, this was called WorkIn, while newer versions already had HelloWorld. Second Stage: Dropper Analysts analyzed the second stage as a dropper embedding two additional executables (compressed with 7-Zip), internally named A and B. These resources are dropped under the names “build” and “shrdp” and subsequently executed. Analysts looked into their component functions as “browser stealer” and “remote desktop”. First component: Browser stealer This component uses the same payload encryption technique and the same export method name as the routine discussed in the first stage. The component installs a certificate with a thumbprint 6c0ce2dd0584c47cac18839f14055f19fa270cdd in the Certificates folder of the current user. The browser stealer then extracts a “MachineGuid” value from and uses this string value as the name of the directory where it stores all the stolen data. It then searches for and steals cookies from the following browsers: Brave-Browser Chrome Chromium Edge Firefox Opera Yandex The cookies in Chromium-based browsers are encrypted. For that purpose, the stealer reads os_crypt and encrypted_key from the file, decrypts the key, and stores its encrypted value. Analysts analyzed this encrypted value to be base64-encoded, then DES-encrypted with key “loadfa1d” and IV “unsigned”, followed by another base64-encoding. This encrypted and encoded value is then saved to a file named . The stealer starts taking the data, creates directories labeled “browsers” and “cookies” in the directory named MachineGuid, and stores the stolen data in the said directories based on the file content. These file names are self-explanatory of the data stolen from the infected system, as follows: passwords.txt passwords_urls.txt _cookie.txt cookies_urls.txt CC.txt chrome_autofill.txt _token.txt outlook.txt thunderbird.txt eventlog.txt Aside from stealing web browser data, the stealer also gathers user data from online messenger platforms Telegram, Discord, and Elements, game distribution service Steam, and email clients Outlook and Thunderbird. The stealer copies all the important files with settings and configurations and sends them back to the command-and-control (C&C) server: Telegram: The stealer scans for “tdata” folder wherein all data such as sessions, messages, and images are stored. Discord: It looks for “userDataCache.json” file. Elements: It looks for “IndexeDB” directory where the messenger app stores information such as access tokens. Steam: It searches for “config” file with the settings in a number of locations being discussed here. Firefox stores its saved logins encrypted in a logins.json file. The stealer contains a resource utility called FFNSS332 for a 32-bit system (or FFNSS364 for a 64-bit system), which parses the logins.json and prints its results on the command-line output. Analysts also noticed embedded files DLL7Z and EXE7Z, which contain all the stolen data in one archive compressed with 7-Zip. The stealer runs a Windows Events Command-Line Utility and lists the dates of events 6005 (when the event log service was started) and 6006 (when the event log service was stopped), and saves these output to eventlog.txt file. The entire directory of stolen files is compressed into a password-protected 7-Zip archive (wherein 7z.dll and 7z.exe are included as resources), and the archive password is md5[duplicated directory name]. The archive is then uploaded to a dedicated Telegram channel and a message about a successful upload is sent to the notification channel. Second component: Remote desktop Similar to the first component, the second component uses the same payload encryption and the same export method naming convention as explained in the first section. This component starts to decrypt the C&C server address, stored in an encrypted form on Pastebin. After a base64 decoding, the decryption algorithm is DES with keys “taskhost” and IV “winlogon”. This is exactly the same settings mentioned in our previous CopperStealer analysis. After the C&C address is obtained, the component registers its machine identifier (under the value “MachineGuid,” the same identifier in the first component) and periodically starts querying for tasks to be performed. Following this finding, Analysts looked into the account responsible for sharing this on Pastebin. The account’s name is Javalinkcrash, and it was created with only one paste with the encrypted C&C server address. The supported tasks are “install” and “killme”. The “install” task performs the following operations: Adds a new user account to the machine, wherein the password is the same as the username Adds this user account to the administrators’ group and “Remote Desktop Users” group Hides this account from the login screen by modifying the registry key Disables the firewall Allows remote desktop connections. Disables Network Level Authentication Extracts and installs RDP wrapper (named as “SHRDP” in resources), derived from the rdpwrap project and once installed, enables the Remote Desktop function on its host system Extracts and installs OpenVPN (drivers and certificate, OEMVISTAxxx, and TAPxxx in resources + OP in resources). Extracts and installs MiniThunderPlatform (named “THUNDERFW” in resources), another utility that Analysts also mentioned in our previous analysis of CopperStealer Extracts and installs n2n (named as “EDGE” in resources), a tool for creating virtual networks (The execution parameters “-k”, a secret encryption key, “-a”, a private IP address, and “-l”, a supernode IP and port, must be received from the C&C server.) The “killme” task kills the running processes, deletes files, and removes the users that were started, dropped, or added during the “install” task. All the Remote Desktop-related files are also supplied in resources and the component simply extracts and installs them. Infection vector Similar to the previous analysis of CopperStealer, the infection vector starts with a website offering fake cracks. These websites usually display two buttons, one offering to download and the other to set up the desired cracks. Selecting either button begins the redirection chain, requiring the user to select another “Download” button. Afterward, a download prompt appears and the user is prompted to save the file to the computer. To prevent security solutions from immediately detecting the malicious files, the downloaded archive usually contains a text file with a password and another encrypted archive. After the password mentioned in the text file is entered, the decrypted archive shows the executable files.