CopperStealer Trojan
CopperStealer is an information stealing trojan with additional dropper capabilities. It is delivered through software cracking and keygen sites. Similarities in its target and delivery methods suggest it is related to the older SilentFade malvertising campaign.
Affected platforms
The following platforms are known to be affected:
- Microsoft Windows
Threat details
Introduction
First observed in July 2019, CopperStealer (also known as Mingloa) is a credential harvesting trojan with similarities to the SilentFade malware family. It appears to remain in active development, with at least 60 known versions in the wild and several updates a month. As well as collecting user credentials and cookies from the most popular browsers, CopperStealer attempts to download further payloads to affected systems.
Delivery
CopperStealer is distributed through third-party sites claiming to circumvent software licensing restrictions (commonly referred to as ‘crack’ or ‘keygen’ sites).
Activities
Once executed, CopperStealer performs several anti-analysis checks before attempting to open a specific registry key, creating it if it is not already present. It then installs a hardcoded certificate into the system’s trusted root certificate store.
CopperStealer attempts to extract user credentials and cookies for a variety of social media, shopping, and service providers from the following internet browsers: Google Chrome, Microsoft Edge, Mozilla Firefox, Opera, and Yandex. It then uses the stolen credentials and cookies to query the relevant providers’ APIs for further account information. All collected information is encrypted and sent to a command and control (C2) server in an HTTP POST request.
Once it has extracted all information, CopperStealer also drops an apparently legitimate copy of the Xunlei download manager onto the system. This is then used to install secondary payloads, with configuration data passed from CopperStealer to the downloader.
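Two of the host-side behaviours described above, a certificate being written into the root store and a non-browser process opening browser credential and cookie stores, are visible in standard Windows telemetry. The following triage script is an added example written for this page; it is not NHS Digital's code and not anything taken from CopperStealer. It assumes Sysmon Event ID 13 (registry value set) for the root-store write and Windows Security Event ID 4663 (object access) for file access, which is only generated if a SACL has been placed on the browser profile directories; it also assumes an allow-list of legitimate root-store writers and the browsers' default profile paths. The events, process names and thumbprint are constructed samples, not indicators of compromise.

```python
"""Added example for this page: triage rules for two CopperStealer behaviours
(root-certificate installation, browser credential-store access).  Not NHS
Digital's code; events below are constructed, not real telemetry."""
import fnmatch
import re

# Rule 1: Sysmon Event ID 13.  Installing a certificate into the machine (HKLM)
# or per-user (HKU\<SID>) root store writes its DER blob under this key, with
# the SHA-1 thumbprint as the subkey name.
ROOT_STORE_BLOB = re.compile(
    r"^(HKLM|HKU\\[^\\]+)\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT"
    r"\\Certificates\\[0-9A-F]{40}\\Blob$",
    re.IGNORECASE,
)
# Assumed baseline of processes that legitimately write root-store entries;
# tune to the estate (GPO certificate deployment, endpoint agents, etc.).
ROOT_STORE_WRITERS = {
    r"c:\windows\system32\svchost.exe",   # CryptSvc automatic root update
    r"c:\windows\system32\certutil.exe",
    r"c:\windows\system32\mmc.exe",
}

# Rule 2: Security Event ID 4663.  Credential/cookie stores of the browsers
# named on this page (assumed default profile locations, lower-cased) and the
# only executable expected to open each of them.
CREDENTIAL_STORES = [
    (r"*\google\chrome\user data\*\login data",        {"chrome.exe"}),
    (r"*\google\chrome\user data\*\cookies",           {"chrome.exe"}),
    (r"*\microsoft\edge\user data\*\login data",       {"msedge.exe"}),
    (r"*\microsoft\edge\user data\*\cookies",          {"msedge.exe"}),
    (r"*\opera software\opera stable\*login data",     {"opera.exe"}),
    (r"*\yandex\yandexbrowser\user data\*\login data", {"browser.exe"}),
    (r"*\mozilla\firefox\profiles\*\logins.json",      {"firefox.exe"}),
    (r"*\mozilla\firefox\profiles\*\cookies.sqlite",   {"firefox.exe"}),
]


def check_event(ev):
    """Return (rule_name, detail) if the event matches a rule, else None.

    ev keys: event_id (int), image (full path of the acting process: Sysmon
    'Image' or 4663 'ProcessName'), target (registry path or file path).
    """
    image = ev["image"].lower()
    exe = image.rsplit("\\", 1)[-1]
    target = ev["target"].lower()

    if ev["event_id"] == 13 and ROOT_STORE_BLOB.match(ev["target"]):
        if image not in ROOT_STORE_WRITERS:
            return ("root_cert_install", f"{exe} wrote {ev['target']}")

    if ev["event_id"] == 4663:
        for pattern, allowed in CREDENTIAL_STORES:
            # fnmatchcase: '*' crosses path separators, so one pattern covers
            # both 'Default\Cookies' and 'Default\Network\Cookies' layouts.
            if fnmatch.fnmatchcase(target, pattern) and exe not in allowed:
                return ("browser_store_access", f"{exe} opened {ev['target']}")
    return None


def triage(events):
    """Run every event through the rules and return the list of hits."""
    return [hit for hit in map(check_event, events) if hit is not None]


# Constructed sample events (thumbprint, SID, user and file names are made up).
_THUMB = "0123456789ABCDEF0123456789ABCDEF01234567"
_SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"
_STEALER = r"C:\Users\alice\AppData\Local\Temp\setup_crack.exe"   # hypothetical
_CHROME_LOGIN = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"
SAMPLE_EVENTS = [
    # Benign: automatic root update writing the machine store.
    {"event_id": 13, "image": r"C:\Windows\System32\svchost.exe",
     "target": rf"HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\{_THUMB}\Blob"},
    # Suspicious: unknown binary adding a certificate to the user's root store.
    {"event_id": 13, "image": _STEALER,
     "target": rf"HKU\{_SID}\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\{_THUMB}\Blob"},
    # Benign: the browser opening its own credential database.
    {"event_id": 4663, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": _CHROME_LOGIN},
    # Suspicious: the same database opened by a non-browser process.
    {"event_id": 4663, "image": _STEALER, "target": _CHROME_LOGIN},
    # Suspicious: Firefox cookie store opened by a non-browser process.
    {"event_id": 4663, "image": _STEALER,
     "target": r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\abcd1234.default-release\cookies.sqlite"},
    # Unrelated file access, no rule should fire.
    {"event_id": 4663, "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\alice\Documents\notes.txt"},
]

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

The registry key CopperStealer creates is not named on this page, so rule 1 keys on the root-store write rather than on that marker key; to see per-user store writes at all, the Sysmon configuration must include the HKU SystemCertificates path. Rule 2 produces nothing without object-access auditing and a SACL on the profile directories, so check that those are in place before relying on it.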
Remediation advice
To prevent and detect an infection, NHS Digital advises that:
- Secure configurations are applied to all devices.
- Security updates are applied at the earliest opportunity.
- Tamper protection settings in security products are enabled where available.
- Obsolete platforms are segregated from the rest of the network.
- IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments.
- Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
- Administrative accounts are only used for necessary purposes.
- Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations.
- Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.
Please note that the NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages.
Indicators of compromise
Last edited: 21 December 2021 10:49 am