Water Orthrus has launched two campaigns, CopperStealth (rootkit delivery) and CopperPhish (credit card phishing), expanding their toolkit with a new rootkit and phishing modules. The campaigns share code traits with CopperStealer and indicate a shift toward targeting financial data, including cryptocurrency and credit cards. #WaterOrthrus #CopperStealth #CopperPhish #CopperStealer #Scranos
Keypoints
- Two 2023 campaigns by Water Orthrus: CopperStealth (rootkit-based) and CopperPhish (phishing kit), likely linked to CopperStealer lineage.
- CopperStealth was distributed via installers on a popular Chinese software sharing site, masquerading as free software and targeting Chinese users.
- The CopperStealth rootkit uses a kernel/driver approach: drops a rootkit, injects payloads into processes, and enforces persistence by creating a new driver service that starts on boot.
- The rootkit blocks access to certain blocklisted registry keys and prevents specific executables/drivers from running, demonstrating defense evasion.
- CopperPhish delivers via pay-per-install networks, using PrivateLoader as a downloader; the main payload drops multi-language phishing pages to steal credit card data.
- The campaigns share cryptographic traits (a common crypter, DES with the same key/IV, and similar mutex names), suggesting a single author or tightly related actors.
- Trend Micro notes a shift in Water Orthrus’s focus from personal information to cryptocurrency and now credit card data, urging proactive security measures and EDR tooling.
MITRE Techniques
- [T1189] Drive-by Compromise – The first CopperStealth campaign used installers on a popular Chinese software sharing website, disguised as free software and targeted the country’s users. ‘The first campaign distributed CopperStealth on March 8, 2023, delivering the malware via installers provided on a popular Chinese software sharing website. It disguised the malware as free software and targeted the country’s users.’
- [T1105] Ingress Tool Transfer – The installer contains numerous encoded URLs; when the installer is run these URLs will be decoded and the files located at the said URLs will be downloaded and run on the affected system. ‘One of these files was a dropper that we identified as CopperStealth.’
- [T1543.003] Create or Modify System Process – Windows Service – The rootkit creates and starts a new driver service, which begins when the system starts. ‘The rootkit then creates and starts a new driver service, which begins when the system starts.’
- [T1112] Modify Registry – The rootkit edits service and Session Manager registry entries so its driver survives reboot under a new name. ‘changing the driver name in the HKLM\SYSTEM\CurrentControlSet\Services registry and inserting a “PendingFileRenameOperations” registry value in HKLM\SYSTEM\CurrentControlSet\Control\Session Manager to automatically move the file upon reboot.’
- [T1562.001] Impair Defenses – The rootkit blocks access to blocklisted registry keys and prevents certain executables and drivers from running. ‘blocklisted processes … will result in a STATUS_ACCESS_DENIED, blocking the operation.’
- [T1055] Process Injection – The rootkit starts an injection thread that injects its patched module into explorer.exe. ‘then injects the patched module into explorer.exe.’
- [T1566] Phishing – CopperPhish uses a phishing kit to collect credit card data via convincing web pages, followed by a confirmation-code (checkcode) step that mimics card-verification flows. ‘The phishing webpage displayed … shows the content of the dropped page with the Microsoft logo and QR code. … a confirmation code will be asked.’
- [T1071.001] Web Protocols – The main payload retrieves commands via HTTP-based C2 calls (GET requests to a task URL). ‘After successful injection into explorer.exe, it makes a GET request to the task URL to get the task command to be performed.’
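The persistence (T1543.003), registry (T1112) and IOC-key behaviours above map directly onto two Windows event sources: the System log's 7045 "service installed" record and Sysmon event 13 (registry value set). The following is an added example written for this page, not code from the Trend Micro report or from the Water Orthrus tooling: it runs those checks over a handful of constructed event records (field names follow the usual Windows/Sysmon conventions; the hostnames, service name, image paths and SID are made up) and then correlates them, because PendingFileRenameOperations is also written by legitimate installers and Windows Update and is only weak evidence on its own.

```python
from dataclasses import dataclass

# Registry locations named in the report (lower-cased, HKLM form) and the
# tracking key from the page's IOC list.
SESSION_MANAGER = r"hklm\system\currentcontrolset\control\session manager"
PENDING_RENAME = SESSION_MANAGER + r"\pendingfilerenameoperations"
IOC_KEY_SUFFIX = r"\software\microsoft\count_a0b1c2d3"
DRIVER_START_TYPES = {"boot start", "system start", "auto start"}


@dataclass(frozen=True)
class Finding:
    technique: str   # MITRE ID, "IOC", or "CHAIN" for the correlated pair
    host: str
    time: int        # epoch seconds of the triggering event
    reason: str


def norm_reg_path(path: str) -> str:
    """Fold the raw ETW hive prefixes (\\REGISTRY\\MACHINE, \\REGISTRY\\USER)
    into the HKLM/HKU form Sysmon prints, and lower-case for comparison."""
    p = path.strip().lower()
    for raw, hive in (("\\registry\\machine\\", "hklm\\"),
                      ("\\registry\\user\\", "hku\\")):
        if p.startswith(raw):
            p = hive + p[len(raw):]
    return p


def check_service_install(ev):
    """System log 7045: flag a kernel-mode driver registered to start at boot."""
    if ev.get("EventID") != 7045:
        return None
    if ev.get("ServiceType", "").lower() != "kernel mode driver":
        return None
    if ev.get("StartType", "").lower() not in DRIVER_START_TYPES:
        return None
    return Finding("T1543.003", ev["Computer"], ev["Time"],
                   f"kernel driver service {ev['ServiceName']!r} "
                   f"({ev['StartType']}) from {ev['ImagePath']}")


def check_registry_set(ev):
    """Sysmon EID 13: TargetObject carries the full key\\value path."""
    if ev.get("EventID") != 13:
        return None
    target = norm_reg_path(ev.get("TargetObject", ""))
    writer = ev.get("Image", "?")
    if target == PENDING_RENAME:
        return Finding("T1112", ev["Computer"], ev["Time"],
                       "PendingFileRenameOperations written by " + writer)
    if IOC_KEY_SUFFIX in target:
        return Finding("IOC", ev["Computer"], ev["Time"],
                       "count_a0b1c2d3 registry key written by " + writer)
    return None


def scan(events, window=300):
    """Run the per-event checks, then pair a boot-start driver install with a
    PendingFileRenameOperations write on the same host within `window`
    seconds, which is the sequence the report describes for the rootkit."""
    findings = []
    for ev in sorted(events, key=lambda e: e["Time"]):
        for check in (check_service_install, check_registry_set):
            f = check(ev)
            if f is not None:
                findings.append(f)
    drivers = [f for f in findings if f.technique == "T1543.003"]
    renames = [f for f in findings if f.technique == "T1112"]
    for d in drivers:
        for r in renames:
            if d.host == r.host and abs(d.time - r.time) <= window:
                findings.append(Finding(
                    "CHAIN", d.host, max(d.time, r.time),
                    f"boot-start driver + PendingFileRenameOperations within {window}s"))
    return findings


def techniques_by_host(findings):
    out = {}
    for f in findings:
        out.setdefault(f.host, set()).add(f.technique)
    return out


# Constructed sample events for this example (not captured from an infection).
SAMPLE_EVENTS = [
    # benign: a user-mode service, should not be flagged
    {"EventID": 7045, "Computer": "PC-A", "Time": 1000, "ServiceName": "BackupSvc",
     "ServiceType": "user mode service", "StartType": "auto start",
     "ImagePath": r"C:\Program Files\Backup\svc.exe"},
    # rootkit-style: kernel driver registered to start at boot
    {"EventID": 7045, "Computer": "PC-A", "Time": 1010, "ServiceName": "xdrv",
     "ServiceType": "kernel mode driver", "StartType": "boot start",
     "ImagePath": r"\SystemRoot\System32\drivers\xdrv.sys"},
    # PendingFileRenameOperations set on the same host shortly afterwards
    {"EventID": 13, "Computer": "PC-A", "Time": 1025,
     "Image": r"C:\Users\u\AppData\Local\Temp\setup.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations"},
    # tracking key from the IOC list, written under HKU in raw ETW form
    {"EventID": 13, "Computer": "PC-A", "Time": 1030, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"\REGISTRY\USER\S-1-5-21-1-2-3-1001\Software\Microsoft\count_a0b1c2d3\id"},
    # PC-B: PendingFileRenameOperations alone (an installer finishing an update)
    {"EventID": 13, "Computer": "PC-B", "Time": 2000,
     "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f.technique, f.host, f.time, f.reason)
```

PC-B's lone PendingFileRenameOperations write surfaces as a T1112 hit but never reaches CHAIN, which is the point of the correlation; on a real estate you would also enrich the 7045 hit with the driver's signature status and the image path's hash against the two SHA-256 values in the IOC list before escalating.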
Indicators of Compromise
- [File hash] 8a21eae144a23fffd35f8714964ff316caaa37fe464e8bbc143f4485119b5575, 48211c6f957c2ad024441be3fc32aecd7c317dfc92523b0a675c0cfec86ffdd9 – installer and downloader components used by CopperStealth and CopperPhish
- [URL] hxxp://www.msftconnecttest.com/connecttest.txt, hxxp://cnzz_url&m= – connectivity check and command/reporting URL patterns used by the C2 (msftconnecttest.com is Microsoft's own connectivity-check endpoint, so the request itself is benign and not blockable; only its use by the payload is notable; the second pattern is truncated in the source)
- [Process] explorer.exe – host process injected by rootkit payloads
- [Registry Key] HKLM\Software\Microsoft\count_a0b1c2d3, HKU\<SID>\Software\Microsoft\count_a0b1c2d3 – registry-based persistence/tracking keys
- [File] FixfixMBR.exe – a 64/32-bit driver-related component referenced in the rootkit’s operation
- [File path] %APPDATA%\Roaming\Microsoft – directory where dropped phishing files are stored (as written in the source; %APPDATA% itself already expands to the Roaming profile folder, so this is the user's AppData\Roaming\Microsoft directory)