CopperStealer malware hijacks Facebook business accounts to run malicious ads

The disruption of the campaign was part of coordinated action from Facebook, Cloudflare, and other providers

Cyber criminals have launched a new campaign that uses 'CopperStealer' malware to steal Facebook passwords stored in Chrome, Edge, Yandex, Opera, and Firefox browsers.

According to a blog post by researchers at cyber security firm Proofpoint, threat actors used this unauthorized access to Facebook and Instagram business accounts to run malicious adverts for profit and to deliver additional malware in subsequent malvertising campaigns.

The disruption of the campaign was part of coordinated action from Facebook, Cloudflare, and other providers. The earliest discovered samples date back to July of 2019.

Proofpoint analysis uncovered additional CopperStealer versions that target other major service providers, including Apple, Amazon, Bing, Google, PayPal, Tumblr, and Twitter. The malware targets large tech platforms and service providers in an attempt to steal login credentials for some of the most popular services on the internet.

Researchers believe that Copperstealer is a previously undocumented family within the same class of malware as SilentFade, StressPaint, FacebookRobot, and Scranos. Facebook attributed the creation of SilentFade to Hong Kong-based ILikeAD Media International Company Ltd, and during the 2020 Virus Bulletin conference, disclosed it was responsible for over $4 million in damages.

Researchers discovered suspicious websites advertised as “KeyGen” or “Crack” sites, including keygenninja[.]com, piratewares[.]com, startcrack[.]com, and crackheap[.]net, hosting samples that have delivered multiple malware families including CopperStealer.

“These sites advertise themselves to offer “cracks”, “keygen” and “serials” to circumvent licensing restrictions of legitimate software.  However, we observed these sites ultimately provide Potentially Unwanted Programs/Applications (PUP/PUA) or run other malicious executables capable of installing and downloading additional payloads,” said Proofpoint researchers.

Related Resource

Remote workforce security report

Key challenges, security threats, and investment priorities of organisations during the pandemic

remote workforce security report - whitepaper from OktaDownload now

The malware also contains the ability to find and send saved browser passwords and uses stored cookies to retrieve a User Access Token from Facebook. Once the User Access Token is gathered, the malware requests several API endpoints for Facebook and Instagram to gather additional context, including a list of friends, any advertisement accounts configured for the user, and a list of pages the user has been granted access to, according to researchers.

Sherrod DeGrippo, senior director of Threat Research and Detection at Proofpoint, said that credentials make the world go round when it comes to the current threat landscape, adding that this shows the lengths that threat actors will take to steal valuable credential data. 

“Credential stealer malware, credential phish landing pages, and cookie stealing all contribute to account compromises which can then be leveraged to impersonate and launch further attacks,” she said.

“Copperstealer is going after big service provider logins like social media and search engine accounts to spread additional malware or other attacks. These are commodities that can be sold or leveraged. Users should turn on two-factor authentication for their service providers.”

Featured Resources

B2B under quarantine

Key B2C e-commerce features B2B need to adopt to survive

Download now

The top three IT pains of the new reality and how to solve them

Driving more resiliency with unified operations and service management

Download now

The five essentials from your endpoint security partner

Empower your MSP business to operate efficiently

Download now

How fashion retailers are redesigning their digital future

Fashion retail guide

Download now

Recommended

Senator wants social media companies held liable for spreading anti-vax lies
social media

Senator wants social media companies held liable for spreading anti-vax lies

23 Jul 2021
New malware uses search engine ads to target pirate gamers
malware

New malware uses search engine ads to target pirate gamers

21 Jul 2021
HackBoss malware is using Telegram to steal cryptocurrency from other hackers
cryptocurrencies

HackBoss malware is using Telegram to steal cryptocurrency from other hackers

16 Apr 2021

Most Popular

The benefits of workload optimisation
Sponsored

The benefits of workload optimisation

16 Jul 2021
Samsung Galaxy S21 5G review: A rose-tinted experience
Mobile Phones

Samsung Galaxy S21 5G review: A rose-tinted experience

14 Jul 2021
RMIT to be first Australian university to implement AWS supercomputing facility
high-performance computing (HPC)

RMIT to be first Australian university to implement AWS supercomputing facility

28 Jul 2021