The threat actor behind the CopperStealer malware is making a comeback with two new campaigns in March and April 2023 designed to deliver two new payloads dubbed CopperStealth and CopperPhish.
Active since at least 2021, Water Orthrus has a track record of leveraging pay-per-install (PPI) networks to redirect victims who land on cracked software download sites and drop an information stealer codenamed CopperStealer.
Another campaign observed in August 2022 involved the use of CopperStealer to distribute a Chromium-based web browser extension capable of carrying out unauthorized transactions and transferring cryptocurrency from the victim's wallet to a wallet under the attacker's control.
The latest attack sequence documented by Trend Micro doesn't deviate much, deploying CopperStealth by packaging it as an installer for a free tool on a Chinese software-sharing website.
“The CopperStealth infection chain involves dropping and loading a rootkit, which then injects its payload into explorer.exe and other system processes,” security researchers Jaromir Horejsi and Joseph C Chen said in technical reports.
“This payload is responsible for downloading and executing additional tasks. Rootkits also block access to blocked list registry keys and prevent certain executables and drivers from running.”
The driver blocklist contains byte sequences relating to Chinese security software companies such as Huorong, Kingsoft, and Qihoo 360.
CopperStealth also incorporates a task module that allows it to call out to remote servers and fetch commands to run on the infected machine, equipping the malware to drop additional payloads.
File Sharing Website Acts as Conduit for CopperPhish Phishing Kits
The CopperPhish campaign, detected worldwide in April 2023, leverages a similar process to spread malware through the PPI network behind free anonymous file sharing websites.
“Visitors are redirected to download pages designed by the PPI network after clicking on their advertisements, which pretend to be download links,” the researchers said. “The downloaded file is a PrivateLoader, which downloads and runs a lot of different malware.”
The download service, which is also offered on a PPI basis, is then used to retrieve and launch CopperPhish, a phishing kit responsible for collecting credit card information.
This is achieved by “starting a process rundll32 and injects a simple program with a browser window (written in Visual Basic) inside,” which loads a phishing page that urges victims to scan a QR code to verify their identity and enter a confirmation code to “restore your device network.”
“The window has no controls that can be used to minimize or close it,” explained the researchers. “Victims can close the browser process in Task Manager or Process Explorer, but they must also terminate the main payload process, otherwise the browser process will occur again due to thread persistence.”
Once sensitive details are entered on the page, the CopperPhish malware displays the message “identity verification has passed” alongside a confirmation code that the victim can enter in the aforementioned screen.
Providing the correct confirmation code also causes the malware to delete itself and remove any phishing files it dropped on the machine.
“Credential verification and confirmation codes are two useful features that make this phishing kit even more successful, because victims can’t simply close the window or enter fake information just to get rid of the window,” the researchers said.
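As an added defender-side illustration that is not part of the Trend Micro report: a hunting heuristic over constructed Sysmon-style process-creation events that flags a parent repeatedly spawning argument-less rundll32.exe, the telemetry pattern the respawn-on-kill behaviour described above would produce. The event field layout, sample paths, thresholds and the "argument-less rundll32 is suspicious" rule are assumptions, not indicators from the report.

```python
import shlex
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation events (Sysmon EID 1 style), not real telemetry:
# (timestamp, parent_image, parent_pid, image, command_line, child_pid)
EVENTS = [
    ("2023-04-12T10:00:01", r"C:\Users\u\Downloads\setup.exe", 4120,
     r"C:\Windows\System32\rundll32.exe", "rundll32.exe", 5002),
    ("2023-04-12T10:00:40", r"C:\Users\u\Downloads\setup.exe", 4120,
     r"C:\Windows\System32\rundll32.exe", "rundll32.exe", 5310),
    ("2023-04-12T10:01:15", r"C:\Users\u\Downloads\setup.exe", 4120,
     r"C:\Windows\System32\rundll32.exe", "rundll32.exe", 5622),
    # Benign: rundll32 launched with a DLL and export, as the Control Panel does.
    ("2023-04-12T10:03:00", r"C:\Windows\explorer.exe", 1200,
     r"C:\Windows\System32\rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL", 5800),
]


def is_argless_rundll32(image, cmdline):
    """rundll32.exe started with no DLL/export argument is a hollow host process."""
    if not image.lower().endswith("rundll32.exe"):
        return False
    # posix=False keeps Windows backslashes and quoting intact.
    return len(shlex.split(cmdline, posix=False)) <= 1


def argless_rundll32(events):
    """Child PIDs of every argument-less rundll32.exe launch."""
    return [pid for _, _, _, image, cmd, pid in events if is_argless_rundll32(image, cmd)]


def find_respawning_rundll32(events, min_spawns=3, window=timedelta(minutes=5)):
    """Parents that start >= min_spawns argument-less rundll32.exe within `window`.

    Returns a list of (parent_image, parent_pid, spawn_count) tuples.
    """
    spawns = defaultdict(list)
    for ts, pimage, ppid, image, cmd, _pid in events:
        if is_argless_rundll32(image, cmd):
            spawns[(pimage, ppid)].append(datetime.fromisoformat(ts))
    hits = []
    for (pimage, ppid), times in spawns.items():
        times.sort()
        for i in range(len(times)):
            j = i  # extend the window as far as it reaches from times[i]
            while j + 1 < len(times) and times[j + 1] - times[i] <= window:
                j += 1
            if j - i + 1 >= min_spawns:
                hits.append((pimage, ppid, j - i + 1))
                break
    return hits
```

A hit is a pivot for response: terminating only the rundll32 child, as the researchers note, leaves the parent free to start another one, so the parent PID in the tuple is the process to contain.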
The attribution to Water Orthrus is based on the fact that both CopperStealth and CopperPhish share source code characteristics with CopperStealer, raising the possibility that all three strains were developed by the same author.
The differing campaign objectives reflect the evolution of the threat actor's tactics, demonstrating efforts to add new capabilities to its arsenal and broaden its sources of revenue.
The findings come as malicious Google ads are being used to persuade users to download fake installers for AI tools like Midjourney and OpenAI's ChatGPT, which ultimately drop stealers like Vidar and RedLine.
They also follow the discovery of a new traffic monetization service called Traffic Stealer, which leverages misconfigured containers to redirect traffic to websites and generate fake ad clicks as part of an illicit money-making scheme.