Threat Research

Websites Hosting Fake Cracks Spread Updated CopperStealer Malware

Securonix

Trend Micro analyzes updated CopperStealer samples that spread via fake cracks on websites, detailing a two-stage dropper, browser data theft, and a revamped C2 setup. The report highlights code reuse, a DES-based encryption scheme, UPX-packed components, Telegram exfiltration, and infrastructure shifts away from DGA/CDN toward Pastebin-hosted config and fast flux hosting. #CopperStealer #TrendMicro #Telegram #Pastebin #MiniThunderPlatform #VidarStealer

Keypoints

  • The updated CopperStealer variant reuses key components (cryptor, DES key, DLL export name) and exfiltration over Telegram, while embedding UPX-packed DLLs.
  • The first stage encrypts a payload via a shellcode that reads an offset and XOR key from the executable header, then decrypts with XOR.
  • The decrypted second stage is a UPX-packed DLL with an exported function named HelloWorld, replacing older WorkIn naming in newer versions.
  • The second stage dropper contains two executables, A and B (named “build” and “shrdp”), delivering a browser stealer and a remote desktop component.
  • The browser stealer harvests cookies from Brave, Chrome, Chromium, Edge, Firefox, Opera, and Yandex, and decrypts Chromium cookies using DES with a known key/IV, storing data under a MachineGuid-based folder.
  • Data stolen includes browser credentials and data from Telegram, Discord, Elements, Steam, Outlook, and Thunderbird; the collected data is compressed with a password-protected 7-Zip archive and uploaded to Telegram, with event logs also captured.

MITRE Techniques

  • [T1027] Obfuscated/Compressed Files and Information – CopperStealer binary is encrypted and appended to a legitimate app; “…shellcode reads an offset of the payload and XOR decryption key from the executable file header…”
  • [T1027.002] Software Packing – The decrypted second stage is a UPX-packed DLL with an exported function called HelloWorld; “…UPX-packed DLL…”
  • [T1041] Exfiltration Over C2 Channel – Data exfiltration to a Telegram channel; “…Data exfiltration to a Telegram channel (for later versions of CopperStealer)…”
  • [T1555.003] Credentials from Web Browsers – Browser stealer extracts cookies from Brave/Chrome/Chromium/Edge/Firefox/Opera/Yandex; “…stealer then extracts a “MachineGuid” value… and steals cookies from the following browsers: Brave-Browser, Chrome, Chromium, Edge, Firefox, Opera, Yandex.”
  • [T1112] Registry Run Keys / Startup Folder (Modify Registry) – The browser stealer installs a certificate in the user’s Certificates folder and references registry-related steps (WinlogonSpecialAccountsUserList) to hide accounts; “…modifying the registry key”
  • [T1021.001] Remote Desktop – The second component enables Remote Desktop by extracting/installing an RDP wrapper and enabling the feature; “…extracts and installs RDP wrapper… once installed, enables the Remote Desktop function on its host system”
  • [T1560.001] Archive Collected Data: Archive via Utility – The stolen data directory is compressed into a password-protected 7-Zip archive (7z.dll/7z.exe included); “…the archive password is md5[duplicated directory name]…”
  • [T1562.001] Impair Defenses: Disable or Modify Security Tools – The dropper disables the firewall; “…Disables the firewall”

Indicators of Compromise

  • [File] Passwords and cookies data files – examples: passwords.txt, _cookie.txt, and 8 more files (e.g., passwords_urls.txt, cookies_urls.txt, CC.txt, chrome_autofill.txt, _token.txt, outlook.txt, thunderbird.txt, eventlog.txt)
  • [File] Browser data artifacts – Brave-Browser cookies, Chrome cookies, Chromium cookies, Edge cookies, Firefox cookies, Opera cookies, Yandex cookies
  • [File] Encrypted/encoded data artifacts – os_crypt, encrypted_key, and a DES-based value (base64-encoded, DES-encrypted with key “loadfa1d” and IV “unsigned”)
  • [Archive] Password-protected 7-Zip archive of stolen data – contains 7z.dll and 7z.exe as resources
  • [Certificate] Signed/Known certificate – thumbprint 6c0ce2dd0584c47cac18839f14055f19fa270cdd installed into Certificates folder
  • [Network] C2 infrastructure characteristics – port 8443 open for C2; Pastebin-hosted C2 configuration; fast flux DNS behavior
  • [Tool/Component] Embedded resources – 7z.dll, 7z.exe, SHRDP (RDP wrapper), OpenVPN drivers/certs, MiniThunderPlatform (THUNDERFW)
  • [Account/Access] New user addition for persistence – a new user with password equal to username added to Administrators and Remote Desktop Users groups

Read more: https://www.trendmicro.com/de_de/research/22/f/websites-hosting-fake-cracks-spread-updated-copperstealer.html

SHARE THIS STORY

WhatsAppX (Twitter)TelegramBlueskyFacebookLinkedInThreadsEmailPrint