Websites Hosting Fake Cracks Spread Updated CopperStealer Malware

First Stage: Cryptor

Analysts observed CopperStealer’s binary being encrypted and appended to a legitimate application whose entry point was overwritten with a shellcode.
This shellcode reads the payload offset and the XOR decryption key from the executable file header.
The encryption key is 0x001eb1c0, which is 2011584 in decimal; this single value serves as both the offset of the encrypted payload within the file and the XOR key.
All the samples Analysts analyzed use the same scheme. The following screenshot shows the beginning of the encrypted data. Decryption is a plain XOR with that key, the same number as the offset.

The decrypted second stage is an Ultimate Packer for Executables (UPX)-packed DLL and has one exported function called HelloWorld. It’s important to note that in older versions of CopperStealer, this was called WorkIn, while newer versions already had HelloWorld.
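As an added illustration of the offset == key scheme (this is example code, not the page’s or the analysts’ own tooling), the following Go functions scan a host file’s header for a dword that is both a valid offset into the file and the XOR key that turns the bytes at that offset into an MZ header, then recover the payload. The 4-byte little-endian key width and the header slot (0x40) used by the constructed sample are assumptions; the write-up only states that the key equals the offset.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
)

// Constructed stand-in for the UPX-packed second stage (not a real sample).
var samplePayload = []byte("MZ\x90\x00UPX0UPX1 constructed second-stage stand-in")

// xorDword XORs data with a repeating 4-byte little-endian key. The key width
// is an assumption; the write-up only states that the key equals the offset.
func xorDword(data []byte, key uint32) []byte {
	var k [4]byte
	binary.LittleEndian.PutUint32(k[:], key)
	out := make([]byte, len(data))
	for i, b := range data {
		out[i] = b ^ k[i%4]
	}
	return out
}

// findPayload scans the first headerLen bytes of a host file for a dword that
// is both a valid offset into the file and the XOR key turning the bytes at
// that offset into an "MZ" header: the offset == key quirk described above.
func findPayload(host []byte, headerLen int) (uint32, []byte, error) {
	for i := 0; i+4 <= headerLen && i+4 <= len(host); i++ {
		v := binary.LittleEndian.Uint32(host[i:])
		off := int(v)
		if off < headerLen || off+2 > len(host) {
			continue // must point past the header and inside the file
		}
		if bytes.Equal(xorDword(host[off:off+2], v), []byte("MZ")) {
			return v, xorDword(host[off:], v), nil
		}
	}
	return 0, nil, errors.New("no offset==key candidate found")
}

// buildSample constructs a host file with the page's value 0x001eb1c0 stored
// at a hypothetical header slot (0x40) and the encrypted payload at that offset.
func buildSample() []byte {
	const key = uint32(0x001eb1c0)
	host := make([]byte, key)
	binary.LittleEndian.PutUint32(host[0x40:], key)
	return append(host, xorDword(samplePayload, key)...)
}
```

On a real host the recovered bytes should be the UPX-packed DLL, so a UPX section marker shortly after the MZ header is a quick sanity check before unpacking.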

Second Stage: Dropper

Analysts analyzed the second stage as a dropper embedding two additional executables (compressed with 7-Zip), internally named A and B. These resources are dropped under the names “build” and “shrdp” and then executed. Based on their functions, Analysts refer to these components as the “browser stealer” and the “remote desktop” component.

First component: Browser stealer

This component uses the same payload encryption technique and the same export method name as the routine discussed in the first stage. The component installs a certificate with a thumbprint 6c0ce2dd0584c47cac18839f14055f19fa270cdd in the Certificates folder of the current user.

The browser stealer then extracts a “MachineGuid” value from and uses this string value as the name of the directory where it stores all the stolen data. It then searches for and steals cookies from the following browsers:

Brave-Browser
Chrome
Chromium
Edge
Firefox
Opera
Yandex
The cookies in Chromium-based browsers are encrypted. To handle them, the stealer reads os_crypt and encrypted_key from the file, decrypts the key, and stores it in encrypted form. Analysts determined that this stored value is base64-encoded, then DES-encrypted with the key “loadfa1d” and IV “unsigned”, and finally base64-encoded again. This encrypted and encoded value is then saved to a file named .

The stealer then starts collecting data: it creates directories labeled “browsers” and “cookies” inside the MachineGuid directory and stores the stolen data there, sorted by content. The file names describe the data stolen from the infected system:

passwords.txt
passwords_urls.txt
_cookie.txt
cookies_urls.txt
CC.txt
chrome_autofill.txt
_token.txt
outlook.txt
thunderbird.txt
eventlog.txt

Aside from stealing web browser data, the stealer also gathers user data from online messenger platforms Telegram, Discord, and Elements, game distribution service Steam, and email clients Outlook and Thunderbird. The stealer copies all the important files with settings and configurations and sends them back to the command-and-control (C&C) server:

Telegram: The stealer scans for the “tdata” folder, where all data such as sessions, messages, and images are stored.
Discord: It looks for the “userDataCache.json” file.
Elements: It looks for the “IndexedDB” directory, where the messenger app stores information such as access tokens.
Steam: It searches a number of locations for the “config” file that holds the settings.

Firefox stores its saved logins encrypted in a logins.json file. The stealer carries a resource utility called FFNSS332 for 32-bit systems (FFNSS364 for 64-bit systems), which parses logins.json and prints the results to the command-line output. Analysts also noticed the embedded files DLL7Z and EXE7Z, which are used to pack all the stolen data into a single 7-Zip archive.

The stealer runs the Windows Events Command-Line Utility to list the dates of events 6005 (event log service started) and 6006 (event log service stopped) and saves this output to the eventlog.txt file. The entire directory of stolen files is compressed into a password-protected 7-Zip archive (7z.dll and 7z.exe are included as resources), with the archive password being md5[duplicated directory name]. The archive is then uploaded to a dedicated Telegram channel, and a message announcing the successful upload is sent to the notification channel.

Second component: Remote desktop

Similar to the first component, the second component uses the same payload encryption and the same export method naming convention as explained in the first section.

This component starts by decrypting the C&C server address, which is stored in encrypted form on Pastebin. After base64 decoding, the data is decrypted with DES using the key “taskhost” and IV “winlogon”, exactly the same settings mentioned in our previous CopperStealer analysis. Once the C&C address is obtained, the component registers its machine identifier (the “MachineGuid” value, the same identifier used by the first component) and periodically queries the server for tasks to perform.
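Both fixed-key DES layers in this write-up, the stored Chromium key from the browser stealer section (base64, then DES with “loadfa1d”/“unsigned”, then base64) and the Pastebin C&C address here (base64, then DES with “taskhost”/“winlogon”), can be reversed by an analyst with Go’s standard library. The following is an added example, not code from the original analysis; CBC mode and PKCS#7 padding are assumptions (the analysis names only the algorithm, key and IV), and encodeLike exists only to build constructed test blobs in the same format.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"encoding/base64"
	"errors"
)

// decodeBlob undoes base64 -> DES-CBC(key, iv) -> PKCS#7 unpad. The analysis
// names only the algorithm, key and IV ("taskhost"/"winlogon" for the C&C paste,
// "loadfa1d"/"unsigned" for the stored Chromium key); CBC and PKCS#7 are assumed.
func decodeBlob(b64, key, iv string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil || len(raw) == 0 || len(raw)%8 != 0 {
		return nil, errors.New("not base64 or not a whole number of DES blocks")
	}
	block, err := des.NewCipher([]byte(key))
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(raw))
	cipher.NewCBCDecrypter(block, []byte(iv)).CryptBlocks(out, raw)
	n := int(out[len(out)-1])
	if n < 1 || n > 8 || n > len(out) { // usual symptom of trying the wrong pair
		return nil, errors.New("bad padding: wrong key/IV or different format")
	}
	return out[:len(out)-n], nil
}

// decodeCookieKey also strips the inner base64 layer the stealer applies
// before DES, returning the key bytes it lifted from the browser.
func decodeCookieKey(stored string) ([]byte, error) {
	inner, err := decodeBlob(stored, "loadfa1d", "unsigned")
	if err != nil {
		return nil, err
	}
	return base64.StdEncoding.DecodeString(string(inner))
}

// encodeLike builds a constructed blob in the malware's format so the decoders
// can be exercised offline; it is a test helper, not observed malware code.
func encodeLike(plain []byte, key, iv string) string {
	block, _ := des.NewCipher([]byte(key)) // keys above are all 8 bytes
	n := 8 - len(plain)%8
	padded := append(append([]byte{}, plain...), bytes.Repeat([]byte{byte(n)}, n)...)
	cipher.NewCBCEncrypter(block, []byte(iv)).CryptBlocks(padded, padded)
	return base64.StdEncoding.EncodeToString(padded)
}
```

Feed decodeBlob the paste text with the “taskhost”/“winlogon” pair to recover the C&C address, and decodeCookieKey the stealer’s output file to recover the browser key it exfiltrated.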

Following this finding, Analysts looked into the account responsible for sharing this on Pastebin. The account, named Javalinkcrash, was created with only one paste, which contains the encrypted C&C server address.

The supported tasks are “install” and “killme”. The “install” task performs the following operations:

Adds a new user account to the machine, with the password set to the same value as the username
Adds this user account to the administrators group and the “Remote Desktop Users” group
Hides this account from the login screen by modifying the registry key
Disables the firewall
Allows remote desktop connections
Disables Network Level Authentication
Extracts and installs RDP Wrapper (named “SHRDP” in resources), derived from the rdpwrap project; once installed, it enables the Remote Desktop function on the host system
Extracts and installs OpenVPN (drivers and certificate, OEMVISTAxxx and TAPxxx in resources, plus OP in resources)
Extracts and installs MiniThunderPlatform (named “THUNDERFW” in resources), another utility also mentioned in our previous analysis of CopperStealer
Extracts and installs n2n (named “EDGE” in resources), a tool for creating virtual networks (the execution parameters “-k”, a secret encryption key, “-a”, a private IP address, and “-l”, a supernode IP and port, must be received from the C&C server)

The “killme” task kills the processes that were started, deletes the files that were dropped, and removes the user account that was added during the “install” task. All the Remote Desktop-related files are also supplied in resources, and the component simply extracts and installs them.

Infection vector

As in the previous analysis of CopperStealer, the infection vector starts with a website offering fake cracks. These websites usually display two buttons, one offering to download and the other to set up the desired crack. Selecting either button starts a redirection chain that requires the user to click another “Download” button. Afterward, a download prompt appears and the user is asked to save the file to the computer.

To delay detection by security solutions, the downloaded archive usually contains a text file with a password and a second, encrypted archive. Once the password from the text file is entered, the decrypted archive reveals the executable files.
