Trend Micro analyzes updated CopperStealer samples that spread via fake cracks on websites, detailing a two-stage dropper, browser data theft, and a revamped C2 setup. The report highlights code reuse, a DES-based encryption scheme, UPX-packed components, Telegram exfiltration, and infrastructure shifts away from DGA/CDN toward Pastebin-hosted config and fast flux hosting. #CopperStealer #TrendMicro #Telegram #Pastebin #MiniThunderPlatform #VidarStealer
Keypoints
- The updated CopperStealer variant reuses key components (cryptor, DES key, DLL export name) and exfiltration over Telegram, while embedding UPX-packed DLLs.
- The first stage is an XOR-encrypted payload appended to a legitimate application; a shellcode reads the payload offset and the XOR key from the executable header and decrypts the payload with XOR.
- The decrypted second stage is a UPX-packed DLL with an exported function named HelloWorld, replacing older WorkIn naming in newer versions.
- The second stage dropper contains two executables, A and B (named “build” and “shrdp”), delivering a browser stealer and a remote desktop component.
- The browser stealer harvests cookies from Brave, Chrome, Chromium, Edge, Firefox, Opera, and Yandex, and decrypts Chromium cookies using DES with a known key/IV, storing data under a MachineGuid-based folder.
- Data stolen includes browser credentials and data from Telegram, Discord, Elements, Steam, Outlook, and Thunderbird; the collected data is compressed with a password-protected 7-Zip archive and uploaded to Telegram, with event logs also captured.
MITRE Techniques
- [T1027] Obfuscated/Compressed Files and Information – CopperStealer binary is encrypted and appended to a legitimate app; “…shellcode reads an offset of the payload and XOR decryption key from the executable file header…”
- [T1027.002] Software Packing – The decrypted second stage is a UPX-packed DLL with an exported function called HelloWorld; “…UPX-packed DLL…”
- [T1041] Exfiltration Over C2 Channel – Data exfiltration to a Telegram channel; “…Data exfiltration to a Telegram channel (for later versions of CopperStealer)…”
- [T1555.003] Credentials from Web Browsers – Browser stealer extracts cookies from Brave/Chrome/Chromium/Edge/Firefox/Opera/Yandex; “…stealer then extracts a “MachineGuid” value… and steals cookies from the following browsers: Brave-Browser, Chrome, Chromium, Edge, Firefox, Opera, Yandex.”
- [T1112] Registry Run Keys / Startup Folder (Modify Registry) – The browser stealer installs a certificate in the user’s Certificates folder and modifies the Winlogon\SpecialAccounts\UserList registry key to hide accounts from the logon screen; “…modifying the registry key”
- [T1021.001] Remote Desktop – The second component enables Remote Desktop by extracting/installing an RDP wrapper and enabling the feature; “…extracts and installs RDP wrapper… once installed, enables the Remote Desktop function on its host system”
- [T1560.001] Archive Collected Data: Archive via Utility – The stolen data directory is compressed into a password-protected 7-Zip archive (7z.dll/7z.exe included); “…the archive password is md5[duplicated directory name]…”
- [T1562.001] Impair Defenses: Disable or Modify Security Tools – The dropper disables the firewall; “…Disables the firewall”
Indicators of Compromise
- [File] Passwords and cookies data files – examples: passwords.txt, _cookie.txt, and 8 more files (e.g., passwords_urls.txt, cookies_urls.txt, CC.txt, chrome_autofill.txt, _token.txt, outlook.txt, thunderbird.txt, eventlog.txt)
- [File] Browser data artifacts – Brave-Browser cookies, Chrome cookies, Chromium cookies, Edge cookies, Firefox cookies, Opera cookies, Yandex cookies
- [File] Encrypted/encoded data artifacts – os_crypt, encrypted_key, and a DES-based value (base64-encoded, DES-encrypted with key “loadfa1d” and IV “unsigned”)
- [Archive] Password-protected 7-Zip archive of stolen data – contains 7z.dll and 7z.exe as resources
- [Certificate] Signed/Known certificate – thumbprint 6c0ce2dd0584c47cac18839f14055f19fa270cdd installed into Certificates folder
- [Network] C2 infrastructure characteristics – port 8443 open for C2; Pastebin-hosted C2 configuration; fast flux DNS behavior
- [Tool/Component] Embedded resources – 7z.dll, 7z.exe, SHRDP (RDP wrapper), OpenVPN drivers/certs, MiniThunderPlatform (THUNDERFW)
- [Account/Access] New user addition for persistence – a new user with password equal to username added to Administrators and Remote Desktop Users groups
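The following host-hunting script is an added example written for this summary; it is not code from the Trend Micro report. It checks a Windows host for the artifacts listed above: hidden accounts under Winlogon\SpecialAccounts\UserList, accounts present in both Administrators and Remote Desktop Users, the certificate thumbprint from the IoC list, Remote Desktop being enabled, a disabled firewall, live connections to port 8443, and a staging directory named after the MachineGuid that holds the stealer's output files. Three details are assumptions, not facts from the report: that an RDP wrapper replaces the TermService `ServiceDll` with a `rdpwrap` DLL, that the certificate may be found anywhere under the `Cert:` drive rather than only in the user's store, and that the MachineGuid staging directory lives somewhere under the user profile, `%TEMP%` or `%ProgramData%`.

```powershell
# Added host-hunting script (not from the Trend Micro report). Run from an
# elevated PowerShell session; every hit needs analyst review, none is proof on its own.

$Findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Check, [string]$Detail) {
    $Findings.Add([pscustomobject]@{ Check = $Check; Detail = $Detail })
}

# 1. Hidden accounts: a UserList value of 0 hides that user from the logon screen
#    (the report describes this key being modified to hide the added account).
$UserListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
if (Test-Path $UserListKey) {
    $props = Get-ItemProperty -Path $UserListKey
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -notlike 'PS*' -and $p.Value -eq 0) {
            Add-Finding 'HiddenAccount' "UserList hides account '$($p.Name)'"
        }
    }
}

# 2. Accounts in both Administrators and Remote Desktop Users (the report describes a new
#    user with password equal to its username added to both groups). Membership alone is
#    not proof; check when each account was created and by whom.
$admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Name
$rdu    = Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Name
foreach ($acct in ($admins | Where-Object { $rdu -contains $_ })) {
    Add-Finding 'AdminAndRDPUser' "Account '$acct' is in Administrators and Remote Desktop Users"
}

# 3. Certificate thumbprint from the IoC list. Assumption: search every store under Cert:\
#    (a superset of the user's Certificates folder named in the report).
$Thumb = '6C0CE2DD0584C47CAC18839F14055F19FA270CDD'
Get-ChildItem -Path Cert:\ -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.Thumbprint -eq $Thumb } |
    ForEach-Object { Add-Finding 'KnownCertificate' "Thumbprint $Thumb found in $($_.PSParentPath)" }

# 4. Remote Desktop enabled (fDenyTSConnections = 0). Assumption: an RDP wrapper shows up
#    as a TermService ServiceDll pointing at an rdpwrap DLL.
$ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -ErrorAction SilentlyContinue
if ($ts -and $ts.fDenyTSConnections -eq 0) { Add-Finding 'RDPEnabled' 'fDenyTSConnections is 0' }
$svc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\TermService\Parameters' -ErrorAction SilentlyContinue
if ($svc -and $svc.ServiceDll -match 'rdpwrap') { Add-Finding 'RDPWrapper' "TermService ServiceDll = $($svc.ServiceDll)" }

# 5. Firewall profiles switched off (the dropper disables the firewall).
Get-NetFirewallProfile -ErrorAction SilentlyContinue |
    Where-Object { $_.Enabled -eq 'False' } |
    ForEach-Object { Add-Finding 'FirewallDisabled' "Profile $($_.Name) is disabled" }

# 6. Live connections to the C2 port named in the report. 8443 is also used by legitimate
#    services, so correlate the remote address and owning process before acting.
Get-NetTCPConnection -RemotePort 8443 -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'C2Port8443' "$($_.LocalAddress) -> $($_.RemoteAddress):8443 state $($_.State) pid $($_.OwningProcess)" }

# 7. Staging directory named after MachineGuid holding the stealer's output files.
#    Assumption: the report gives no parent path, so the user profile, TEMP and ProgramData
#    are searched; widen the list if your environment stages data elsewhere.
$guid = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Cryptography' -ErrorAction SilentlyContinue).MachineGuid
$LootFiles = 'passwords.txt','_cookie.txt','passwords_urls.txt','cookies_urls.txt','CC.txt',
             'chrome_autofill.txt','_token.txt','outlook.txt','thunderbird.txt','eventlog.txt'
if ($guid) {
    foreach ($root in @($env:USERPROFILE, $env:TEMP, $env:ProgramData)) {
        Get-ChildItem -Path $root -Directory -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -like "*$guid*" } |
            ForEach-Object {
                $dir  = $_.FullName
                $hits = Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue |
                        Where-Object { $LootFiles -contains $_.Name }
                if ($hits) { Add-Finding 'StagingDir' "$dir contains $($hits.Name -join ', ')" }
            }
    }
}

$Findings | Format-Table -AutoSize
```

The recursive directory walk in step 7 is the slow part on large profiles; if you already know the staging parent from triage, replace the `$root` list with that path. A run that reports only `AdminAndRDPUser` or only `C2Port8443` is weak evidence on its own; the combination of a hidden account, the known thumbprint and a MachineGuid-named directory with the listed file names is what matches the behaviour the report describes.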