First Stage: Cryptor
Analysts observed CopperStealer’s binary being encrypted and appended to a legitimate application with its entry point overwritten by a shellcode.
This shellcode reads an offset of the payload and XOR decryption key from the executable file header.
The encryption key is 0x001eb1c0, which is 2011584 in decimal. The decimal value is both the offset and the encryption key.
All the samples Analysts analyzed use the same scheme. The following screenshot shows the beginning of the encrypted data. The decryption is an XOR function with the same key as offset in decimal.
The decrypted second stage is an Ultimate Packer for Executables (UPX)-packed DLL and has one exported function called HelloWorld. It’s important to note that in older versions of CopperStealer, this was called WorkIn, while newer versions already had HelloWorld.
Second Stage: Dropper
Analysts analyzed the second stage as a dropper embedding two additional executables (compressed with 7-Zip), internally named A and B. These resources are dropped under the names “build” and “shrdp” and subsequently executed. Analysts looked into their component functions as “browser stealer” and “remote desktop”.
First component: Browser stealer
This component uses the same payload encryption technique and the same export method name as the routine discussed in the first stage. The component installs a certificate with a thumbprint 6c0ce2dd0584c47cac18839f14055f19fa270cdd in the Certificates folder of the current user.
The browser stealer then extracts a “MachineGuid” value from and uses this string value as the name of the directory where it stores all the stolen data. It then searches for and steals cookies from the following browsers:
The cookies in Chromium-based browsers are encrypted. For that purpose, the stealer reads os_crypt and encrypted_key from the file, decrypts the key, and stores its encrypted value. Analysts analyzed this encrypted value to be base64-encoded, then DES-encrypted with key “loadfa1d” and IV “unsigned”, followed by another base64-encoding. This encrypted and encoded value is then saved to a file named .
The stealer starts taking the data, creates directories labeled “browsers” and “cookies” in the directory named MachineGuid, and stores the stolen data in the said directories based on the file content. These file names are self-explanatory of the data stolen from the infected system, as follows:
Aside from stealing web browser data, the stealer also gathers user data from online messenger platforms Telegram, Discord, and Elements, game distribution service Steam, and email clients Outlook and Thunderbird. The stealer copies all the important files with settings and configurations and sends them back to the command-and-control (C&C) server:
Telegram: The stealer scans for “tdata” folder wherein all data such as sessions, messages, and images are stored.
Discord: It looks for “userDataCache.json” file.
Elements: It looks for “IndexeDB” directory where the messenger app stores information such as access tokens.
Steam: It searches for “config” file with the settings in a number of locations being discussed here.
Firefox stores its saved logins encrypted in a logins.json file. The stealer contains a resource utility called FFNSS332 for a 32-bit system (or FFNSS364 for a 64-bit system), which parses the logins.json and prints its results on the command-line output. Analysts also noticed embedded files DLL7Z and EXE7Z, which contain all the stolen data in one archive compressed with 7-Zip.
The stealer runs a Windows Events Command-Line Utility and lists the dates of events 6005 (when the event log service was started) and 6006 (when the event log service was stopped), and saves these output to eventlog.txt file. The entire directory of stolen files is compressed into a password-protected 7-Zip archive (wherein 7z.dll and 7z.exe are included as resources), and the archive password is md5[duplicated directory name]. The archive is then uploaded to a dedicated Telegram channel and a message about a successful upload is sent to the notification channel.
Second component: Remote desktop
Similar to the first component, the second component uses the same payload encryption and the same export method naming convention as explained in the first section.
This component starts to decrypt the C&C server address, stored in an encrypted form on Pastebin. After a base64 decoding, the decryption algorithm is DES with keys “taskhost” and IV “winlogon”. This is exactly the same settings mentioned in our previous CopperStealer analysis. After the C&C address is obtained, the component registers its machine identifier (under the value “MachineGuid,” the same identifier in the first component) and periodically starts querying for tasks to be performed.
Following this finding, Analysts looked into the account responsible for sharing this on Pastebin. The account’s name is Javalinkcrash, and it was created with only one paste with the encrypted C&C server address.
The supported tasks are “install” and “killme”. The “install” task performs the following operations:
Adds a new user account to the machine, wherein the password is the same as the username
Adds this user account to the administrators’ group and “Remote Desktop Users” group
Hides this account from the login screen by modifying the registry key
Disables the firewall
Allows remote desktop connections.
Disables Network Level Authentication
Extracts and installs RDP wrapper (named as “SHRDP” in resources), derived from the rdpwrap project and once installed, enables the Remote Desktop function on its host system
Extracts and installs OpenVPN (drivers and certificate, OEMVISTAxxx, and TAPxxx in resources + OP in resources).
Extracts and installs MiniThunderPlatform (named “THUNDERFW” in resources), another utility that Analysts also mentioned in our previous analysis of CopperStealer
Extracts and installs n2n (named as “EDGE” in resources), a tool for creating virtual networks (The execution parameters “-k”, a secret encryption key, “-a”, a private IP address, and “-l”, a supernode IP and port, must be received from the C&C server.)
The “killme” task kills the running processes, deletes files, and removes the users that were started, dropped, or added during the “install” task. All the Remote Desktop-related files are also supplied in resources and the component simply extracts and installs them.
Similar to the previous analysis of CopperStealer, the infection vector starts with a website offering fake cracks. These websites usually display two buttons, one offering to download and the other to set up the desired cracks. Selecting either button begins the redirection chain, requiring the user to select another “Download” button. Afterward, a download prompt appears and the user is prompted to save the file to the computer.
To prevent security solutions from immediately detecting the malicious files, the downloaded archive usually contains a text file with a password and another encrypted archive. After the password mentioned in the text file is entered, the decrypted archive shows the executable files.
Sign Up For Threat Alerts
Jun 30, 2022
YTStealer Malware: YouTube Cookies! Om Nom Nom...
The Dark Web Market for YouTube Account Access In 2006, the term "data is the...
Jun 27, 2022
Bronze starlight Ransomware Operations Use HUI Loader
The BRONZE RIVERSIDE threat group is likely responsible for stealing intellectual property from Japanese organizations....
Jun 27, 2022
The Black Basta ransomware is a new...
Although active for just two months, the group already rose to prominence claiming attribution of...
Jun 27, 2022
Gallium APT Group
Researchers from Palo Alto Networks defined the PingPull RAT as a "difficult-to-detect" backdoor that leverages...
Jun 26, 2022
US Cert Alert – Malicious Cyber Actors...
The Cybersecurity and Infrastructure Security Agency (CISA) and United States Coast Guard Cyber Command (CGCYBER)...
Jun 23, 2022
Matanbuchus: Malware-as-a-Service with Demonic Intentions
A new malware-as-a-service (MaaS) called Matanbuchus Loader was discovered in underground markets by Unit42. Malware...
Jun 21, 2022
Symbiote Deep-Dive: Analysis of a New, Nearly-Impossible-to-Detect...
Symbiote is a shared object (SO) library that is loaded into all running processes using...
Jun 19, 2022
HelloXD Ransomware Installing Backdoor on Targeted Systems
Systems are being targeted by a ransomware variant called HelloXD, with the infections also involving...
Jun 16, 2022
Panchan’s Mining Rig: New Golang Peer-to-Peer Botnet
Akamai security researchers discovered Panchan, a new peer-to-peer botnet and SSH worm that emerged in...
Jun 15, 2022
PureCrypter: A Fully-Functional Loader Distributing Remote Access...
PureCrypter is a fully-featured loader being widely sold The malware has been observed distributing a...
Jun 14, 2022
CERT-IL Alert: an active phishing campaign in...
Recently new information was passed to the CERT-IL team indicating that there is an active...
Jun 13, 2022
Follina suspected state aligned phishing campaign
Proofpoint blocked a suspected state aligned phishing campaign targeting European gov & local US gov...
Jun 09, 2022
Newly-Discovered Chinese-linked APT Has Been Quietly Spying...
Cado Labs regularly analyses attacks targeting services running within a honeypot infrastructure. One recent attack...
Jun 08, 2022
Active Exploitation of Confluence CVE-2022-26134
Atlassian published a security advisory for CVE-2022-26134, a critical unauthenticated remote code execution vulnerability in...
Jun 07, 2022
Msiexec Impersonation – Exploit Leads to Data...
In this multi-day intrusion, The DFIR Report observed a threat actor gain initial access to...