Websites Hosting Fake Cracks Spread Updated CopperStealer Malware

First Stage: Cryptor

Analysts observed CopperStealer’s binary being encrypted and appended to a legitimate application with its entry point overwritten by a shellcode.
This shellcode reads an offset of the payload and XOR decryption key from the executable file header.
The encryption key is 0x001eb1c0, which is 2011584 in decimal. The decimal value is both the offset and the encryption key.
All the samples Analysts analyzed use the same scheme. The following screenshot shows the beginning of the encrypted data. The decryption is an XOR function with the same key as offset in decimal.

The decrypted second stage is an Ultimate Packer for Executables (UPX)-packed DLL and has one exported function called HelloWorld. It’s important to note that in older versions of CopperStealer, this was called WorkIn, while newer versions already had HelloWorld.

Second Stage: Dropper

Analysts analyzed the second stage as a dropper embedding two additional executables (compressed with 7-Zip), internally named A and B. These resources are dropped under the names “build” and “shrdp” and subsequently executed. Analysts looked into their component functions as “browser stealer” and “remote desktop”.
First component: Browser stealer

This component uses the same payload encryption technique and the same export method name as the routine discussed in the first stage. The component installs a certificate with a thumbprint 6c0ce2dd0584c47cac18839f14055f19fa270cdd in the Certificates folder of the current user.

The browser stealer then extracts a “MachineGuid” value from and uses this string value as the name of the directory where it stores all the stolen data. It then searches for and steals cookies from the following browsers:

The cookies in Chromium-based browsers are encrypted. For that purpose, the stealer reads os_crypt and encrypted_key from the file, decrypts the key, and stores its encrypted value. Analysts analyzed this encrypted value to be base64-encoded, then DES-encrypted with key “loadfa1d” and IV “unsigned”, followed by another base64-encoding. This encrypted and encoded value is then saved to a file named .

The stealer starts taking the data, creates directories labeled “browsers” and “cookies” in the directory named MachineGuid, and stores the stolen data in the said directories based on the file content. These file names are self-explanatory of the data stolen from the infected system, as follows:


Aside from stealing web browser data, the stealer also gathers user data from online messenger platforms Telegram, Discord, and Elements, game distribution service Steam, and email clients Outlook and Thunderbird. The stealer copies all the important files with settings and configurations and sends them back to the command-and-control (C&C) server:

Telegram: The stealer scans for “tdata” folder wherein all data such as sessions, messages, and images are stored.
Discord: It looks for “userDataCache.json” file.
Elements: It looks for “IndexeDB” directory where the messenger app stores information such as access tokens.
Steam: It searches for “config” file with the settings in a number of locations being discussed here.
Firefox stores its saved logins encrypted in a logins.json file. The stealer contains a resource utility called FFNSS332 for a 32-bit system (or FFNSS364 for a 64-bit system), which parses the logins.json and prints its results on the command-line output. Analysts also noticed embedded files DLL7Z and EXE7Z, which contain all the stolen data in one archive compressed with 7-Zip.

The stealer runs a Windows Events Command-Line Utility and lists the dates of events 6005 (when the event log service was started) and 6006 (when the event log service was stopped), and saves these output to eventlog.txt file. The entire directory of stolen files is compressed into a password-protected 7-Zip archive (wherein 7z.dll and 7z.exe are included as resources), and the archive password is md5[duplicated directory name]. The archive is then uploaded to a dedicated Telegram channel and a message about a successful upload is sent to the notification channel.

Second component: Remote desktop

Similar to the first component, the second component uses the same payload encryption and the same export method naming convention as explained in the first section.

This component starts to decrypt the C&C server address, stored in an encrypted form on Pastebin. After a base64 decoding, the decryption algorithm is DES with keys “taskhost” and IV “winlogon”. This is exactly the same settings mentioned in our previous CopperStealer analysis. After the C&C address is obtained, the component registers its machine identifier (under the value “MachineGuid,” the same identifier in the first component) and periodically starts querying for tasks to be performed.

Following this finding, Analysts looked into the account responsible for sharing this on Pastebin. The account’s name is Javalinkcrash, and it was created with only one paste with the encrypted C&C server address.

The supported tasks are “install” and “killme”. The “install” task performs the following operations:

Adds a new user account to the machine, wherein the password is the same as the username
Adds this user account to the administrators’ group and “Remote Desktop Users” group
Hides this account from the login screen by modifying the registry key
Disables the firewall
Allows remote desktop connections.
Disables Network Level Authentication
Extracts and installs RDP wrapper (named as “SHRDP” in resources), derived from the rdpwrap project and once installed, enables the Remote Desktop function on its host system
Extracts and installs OpenVPN (drivers and certificate, OEMVISTAxxx, and TAPxxx in resources + OP in resources).
Extracts and installs MiniThunderPlatform (named “THUNDERFW” in resources), another utility that Analysts also mentioned in our previous analysis of CopperStealer
Extracts and installs n2n (named as “EDGE” in resources), a tool for creating virtual networks (The execution parameters “-k”, a secret encryption key, “-a”, a private IP address, and “-l”, a supernode IP and port, must be received from the C&C server.)

The “killme” task kills the running processes, deletes files, and removes the users that were started, dropped, or added during the “install” task. All the Remote Desktop-related files are also supplied in resources and the component simply extracts and installs them.

Infection vector

Similar to the previous analysis of CopperStealer, the infection vector starts with a website offering fake cracks. These websites usually display two buttons, one offering to download and the other to set up the desired cracks. Selecting either button begins the redirection chain, requiring the user to select another “Download” button. Afterward, a download prompt appears and the user is prompted to save the file to the computer.
To prevent security solutions from immediately detecting the malicious files, the downloaded archive usually contains a text file with a password and another encrypted archive. After the password mentioned in the text file is entered, the decrypted archive shows the executable files.

Sign Up For Threat Alerts

Threats Icon

Dec 01, 2022

UNC4191 Threat Group Targets Entities In The...

The UNC4191 threat group was discovered targeting entities in the Philippines with custom malware and...

Threats Icon

Nov 30, 2022

Emotet Leads To Quantum Ransomware Infection

Threat actors were observed using Emotet to gain access to the victim's network and deploy...

Threats Icon

Nov 29, 2022

RansomExx Upgrades to Rust

IBM Security X-Force Threat Researchers have discovered a new variant of the RansomExx ransomware that...

Threats Icon

Nov 29, 2022

Ransomware Roundup: Cryptonite Ransomware

FortiGuard Labs has reported on Cryptonite ransomware, which was found to target Microsoft Windows machines...

Threats Icon

Nov 28, 2022

Operation Typhoon: The Cyber Sea Lotus Coveting...

Cyber espionage actors, now designated by FireEye as APT32 (OceanLotus Group), are carrying out intrusions...

Threats Icon

Nov 27, 2022

IL-Cert Alert – Active phishing campaign in...

There is a new phishing campaign in Israel. The malware relies upon user execution. The...

Threats Icon

Nov 27, 2022

Emotets Vacation Is Over: No Rest For...

Emotet started as a banking Trojan in spreading via spam campaigns by imitating financial statements,...

Threats Icon

Nov 24, 2022

Aurora: A Rising Stealer Flying Under The...

Aurora is a multipurpose botnet with data collection, information stealer, downloading, and remote access Trojan...

Threats Icon

Nov 23, 2022

Analysis Of The ViperSoftX And VenomSoftX Information...

Torrents and software-sharing sites are being used to target victims across the globe with variants...

Threats Icon

Nov 22, 2022


Wipers have existed for years, and while they haven't been utilized as much as ransomware,...

Threats Icon

Nov 21, 2022

LockBit 3.0 Ransomware Unlocked

Also known as LockBit Black, this ransomware family announced itself stating that it would now...

Threats Icon

Nov 21, 2022

Control Panel Executable Abused For QakBot Infection

QakBot campaign modifies deployment tactics and aims to exploit a DLL hijacking technique that abuses...

Threats Icon

Nov 20, 2022

Earth Preta Spear-Phishing Governments Worldwide

Trend Micro teams have been monitoring a wave of spear-phishing attacks targeting the government, academic,...

Threats Icon

Nov 20, 2022

CISA Alert (AA22-321A) – Hive Ransomware Analysis

Threat actors are using Hive ransomware variants to target the government, communication, critical manufacturing, information...

Threats Icon

Nov 16, 2022

DTrack activity targeting Europe and Latin America

DTrack is a backdoor used by the Lazarus group. It is used by the Lazarus...