IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

CopperStealer malware hijacks Facebook business accounts to run malicious ads

The disruption of the campaign was part of coordinated action from Facebook, Cloudflare, and other providers

Cyber criminals have launched a new campaign that uses 'CopperStealer' malware to steal Facebook passwords stored in Chrome, Edge, Yandex, Opera, and Firefox browsers.

According to a blog post by researchers at cyber security firm Proofpoint, threat actors used this unauthorized access to Facebook and Instagram business accounts to run malicious adverts for profit and to deliver additional malware in subsequent malvertising campaigns.

The disruption of the campaign was part of coordinated action from Facebook, Cloudflare, and other providers. The earliest discovered samples date back to July of 2019.

Proofpoint analysis uncovered additional CopperStealer versions that target other major service providers, including Apple, Amazon, Bing, Google, PayPal, Tumblr, and Twitter. The malware targets large tech platforms and service providers in an attempt to steal login credentials for some of the most popular services on the internet.

Researchers believe that Copperstealer is a previously undocumented family within the same class of malware as SilentFade, StressPaint, FacebookRobot, and Scranos. Facebook attributed the creation of SilentFade to Hong Kong-based ILikeAD Media International Company Ltd, and during the 2020 Virus Bulletin conference, disclosed it was responsible for over $4 million in damages.

Researchers discovered suspicious websites advertised as “KeyGen” or “Crack” sites, including keygenninja[.]com, piratewares[.]com, startcrack[.]com, and crackheap[.]net, hosting samples that have delivered multiple malware families including CopperStealer.

“These sites advertise themselves to offer “cracks”, “keygen” and “serials” to circumvent licensing restrictions of legitimate software.  However, we observed these sites ultimately provide Potentially Unwanted Programs/Applications (PUP/PUA) or run other malicious executables capable of installing and downloading additional payloads,” said Proofpoint researchers.

Related Resource

Remote workforce security report

Key challenges, security threats, and investment priorities of organisations during the pandemic

remote workforce security report - whitepaper from OktaDownload now

The malware also contains the ability to find and send saved browser passwords and uses stored cookies to retrieve a User Access Token from Facebook. Once the User Access Token is gathered, the malware requests several API endpoints for Facebook and Instagram to gather additional context, including a list of friends, any advertisement accounts configured for the user, and a list of pages the user has been granted access to, according to researchers.

Sherrod DeGrippo, senior director of Threat Research and Detection at Proofpoint, said that credentials make the world go round when it comes to the current threat landscape, adding that this shows the lengths that threat actors will take to steal valuable credential data. 

“Credential stealer malware, credential phish landing pages, and cookie stealing all contribute to account compromises which can then be leveraged to impersonate and launch further attacks,” she said.

“Copperstealer is going after big service provider logins like social media and search engine accounts to spread additional malware or other attacks. These are commodities that can be sold or leveraged. Users should turn on two-factor authentication for their service providers.”

Featured Resources

Activation playbook: Deliver data that powers impactful, game-changing campaigns

Bringing together data and technology to drive better business outcomes

Free Download

In unpredictable times, a data strategy is key

Data processes are crucial to guide decisions and drive business growth

Free Download

Achieving resiliency with Everything-as-a-Service (XAAS)

Transforming the enterprise IT landscape

Free Download

What is contextual analytics?

Creating more customer value in HR software applications

Free Download

Recommended

Hackers could use new Wslink malware in highly targeted cyber attacks
malware

Hackers could use new Wslink malware in highly targeted cyber attacks

1 Nov 2021
FBI raids Chinese POS business following cyber attack claims
malware

FBI raids Chinese POS business following cyber attack claims

27 Oct 2021
Malware developers create malformed code signatures to avoid detection
malware

Malware developers create malformed code signatures to avoid detection

24 Sep 2021
Senator wants social media companies held liable for spreading anti-vax lies
social media

Senator wants social media companies held liable for spreading anti-vax lies

23 Jul 2021

Most Popular

Linux-based Cheerscrypt ransomware found targeting VMware ESXi servers
ransomware

Linux-based Cheerscrypt ransomware found targeting VMware ESXi servers

26 May 2022
16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

13 May 2022
Open source packages with millions of installs hacked to harvest AWS credentials
hacking

Open source packages with millions of installs hacked to harvest AWS credentials

24 May 2022