CopperStealer malware hijacks Facebook business accounts to run malicious ads

The disruption of the campaign was part of coordinated action from Facebook, Cloudflare, and other providers

Cyber criminals have launched a new campaign that uses 'CopperStealer' malware to steal Facebook passwords stored in Chrome, Edge, Yandex, Opera, and Firefox browsers.

According to a blog post by researchers at cyber security firm Proofpoint, threat actors used this unauthorized access to Facebook and Instagram business accounts to run malicious adverts for profit and to deliver additional malware in subsequent malvertising campaigns.

The disruption of the campaign was part of coordinated action from Facebook, Cloudflare, and other providers. The earliest discovered samples date back to July of 2019.

Proofpoint analysis uncovered additional CopperStealer versions that target other major service providers, including Apple, Amazon, Bing, Google, PayPal, Tumblr, and Twitter. The malware targets large tech platforms and service providers in an attempt to steal login credentials for some of the most popular services on the internet.

Researchers believe that Copperstealer is a previously undocumented family within the same class of malware as SilentFade, StressPaint, FacebookRobot, and Scranos. Facebook attributed the creation of SilentFade to Hong Kong-based ILikeAD Media International Company Ltd, and during the 2020 Virus Bulletin conference, disclosed it was responsible for over $4 million in damages.

Researchers discovered suspicious websites advertised as “KeyGen” or “Crack” sites, including keygenninja[.]com, piratewares[.]com, startcrack[.]com, and crackheap[.]net, hosting samples that have delivered multiple malware families including CopperStealer.

“These sites advertise themselves to offer “cracks”, “keygen” and “serials” to circumvent licensing restrictions of legitimate software.  However, we observed these sites ultimately provide Potentially Unwanted Programs/Applications (PUP/PUA) or run other malicious executables capable of installing and downloading additional payloads,” said Proofpoint researchers.

Related Resource

Remote workforce security report

Key challenges, security threats, and investment priorities of organisations during the pandemic

remote workforce security report - whitepaper from OktaDownload now

The malware also contains the ability to find and send saved browser passwords and uses stored cookies to retrieve a User Access Token from Facebook. Once the User Access Token is gathered, the malware requests several API endpoints for Facebook and Instagram to gather additional context, including a list of friends, any advertisement accounts configured for the user, and a list of pages the user has been granted access to, according to researchers.

Sherrod DeGrippo, senior director of Threat Research and Detection at Proofpoint, said that credentials make the world go round when it comes to the current threat landscape, adding that this shows the lengths that threat actors will take to steal valuable credential data. 

“Credential stealer malware, credential phish landing pages, and cookie stealing all contribute to account compromises which can then be leveraged to impersonate and launch further attacks,” she said.

“Copperstealer is going after big service provider logins like social media and search engine accounts to spread additional malware or other attacks. These are commodities that can be sold or leveraged. Users should turn on two-factor authentication for their service providers.”

Featured Resources

The ultimate law enforcement agency guide to going mobile

Best practices for implementing a mobile device program

Free download

The business value of Red Hat OpenShift

Platform cost savings, ROI, and the challenges and opportunities of Red Hat OpenShift

Free download

Managing security and risk across the IT supply chain: A practical approach

Best practices for IT supply chain security

Free download

Digital remote monitoring and dispatch services’ impact on edge computing and data centres

Seven trends redefining remote monitoring and field service dispatch service requirements

Free download

Recommended

Malware developers create malformed code signatures to avoid detection
malware

Malware developers create malformed code signatures to avoid detection

24 Sep 2021
Senator wants social media companies held liable for spreading anti-vax lies
social media

Senator wants social media companies held liable for spreading anti-vax lies

23 Jul 2021
New malware uses search engine ads to target pirate gamers
malware

New malware uses search engine ads to target pirate gamers

21 Jul 2021
HackBoss malware is using Telegram to steal cryptocurrency from other hackers
cryptocurrencies

HackBoss malware is using Telegram to steal cryptocurrency from other hackers

16 Apr 2021

Most Popular

Best Linux distros 2021
operating systems

Best Linux distros 2021

11 Oct 2021
Windows 11 has problems with Oracle VirtualBox
Microsoft Windows

Windows 11 has problems with Oracle VirtualBox

5 Oct 2021
What is cyber warfare?
Security

What is cyber warfare?

15 Oct 2021