A newly documented Chinese-based malware called CopperStealer that,infected up to 5,000 individual hosts per day, stealing credentials of users on major platforms including Facebook, Instagram, Apple, Amazon, Bing, Google, PayPal, Tumblr and Twitter.

CopperStealer,exhibits many of the same targeting and delivery methods as SilentFade, a Chinese-sourced malware family first reported by Facebook in 2019 same got reverse-engineered . Then did the same to the domain generation algorithm (DGA) used in the malware, so they could preempt the attackers from registering domains used by the malware at least one day before the attackers could register them. They then went to the domain registrars that manage those domains and in most cases the registrars agreed to take them down.

“These were the domains the malware was using to give instructions to harvest back credentials,”. “Credentials make the world go round when it comes to the current threat landscape and this shows the lengths that threat actors will take to steal valuable credential data. CopperStealer is going after big service provider logins like social media and search engine accounts to spread additional malware or other attacks. These are commodities that can be sold or leveraged. Users should turn on two-factor authentication for their service providers.”

CopperStealer represents an extremely capable malware, offering its users a wide variety of options to exfiltrate sensitive data and drop additional malware features several different social media providers, likely represents efforts by the malware operator to takeover targeted accounts that threat actors can use for further malicious purposes.

Delivery methods for CopperStealer rely on users interacting with torrent sites offering free versions of legitimate software, which are attractive to avoid costly licensing fees. Users should avoid interacting and downloading software from any unofficial sites, whether on a corporate or personal website.”

Proofpoint posted a Python3 script on the blog that security teams can use to see if any of their machines had visited the domains infected by the malware.