CopperStealer Malware Crew Returns with Advanced Rootkit and Phishing Kit Modules

Reading Time: ( Word Count: )

May 16, 2023

Two fresh campaigns by the gang behind the CopperStealer malware, trying to spread CopperStealth and CopperPhish devices, were launched in March and April 2023. 

The Water Orthrus group, which has financial motivations, is being actively watched by Trend Micro. This opponent is also thought to be responsible for the Scranos campaign, which Bitdefender announced earlier in 2019.

Water Orthrus has been operating since at least 2021 and has a history of utilizing pay-per-install (PPI) networks. They use data stolen by thief CopperStealer to divert users from websites that offer pirated software installations.

The most recent attack sequences documented by Trend Micro do not deviate significantly from the previous patterns. By being packaged as installations for free utilities on Chinese software-sharing web pages, CopperStealth gets spread.

In a study, security experts Jaromir Horejsi and Joseph C Chen described how CopperStealth spreads by installing and activating a rootkit before injecting its malware into explorer.exe and other computer programs. More functions are downloaded and carried out by these packages—additionally, the rootkit limits entry into blocklisted registry entries and the execution of particular applications and adapters.

Byte patterns associated with Chinese security program providers Huorong, Kingsoft, and Qihoo 360 are listed on the denylist for adapters.

Also Read: “11 New Vulnerabilities Expose OT Networks in Industrial Cellular Routers.”

The CopperPhish campaign, detected worldwide in April 2023, utilizes a similar process to deploy the malware. PPI systems connected to free, nameless websites that share files are utilized.

According to the researchers, visitors are redirected to a download page created by the PPI network after clicking on its advertisements, masquerading as a download link. PrivateLoader, the file that was downloaded, is in charge of installing and operating different viruses.

To do this, CopperPhish starts a rundll32 program and injects a straightforward Visual Basic program with the browser tab that accesses a malicious URL. This page prompts victims to scan a QR code for identity verification and enter a confirmation code to “restore your device’s network.”

Once the sensitive details are entered on the page, the CopperPhish malware displays a message stating “the identity verification has passed,” along with a confirmation code. The malware disables itself and removes all malicious programs on the system if given the correct authorization code. The code for authorization and credential authentication are two significant functions that improve the effectiveness of this hacking kit.

The diverse objectives of these campaigns reflect the evolution of the threat actor’s tactics, suggesting an attempt to enhance their capabilities and broaden their financial gains.

These findings come when malicious Google ads lure users into downloading fake installers for AI tools like Midjourney and OpenAI’s ChatGPT, which ultimately drop stealers like Vidar and RedLine.

In addition, a brand-new traffic-monetizing company named TrafficStealer has been identified, which takes advantage of package errors to reroute traffic to websites and produce phony advertisement clicks as a component of a profitable illegal operation. 

Saher Mahmood

Saher Mahmood


Saher is a cybersecurity researcher with a passion for innovative technology and AI. She explores the intersection of AI and cybersecurity to stay ahead of evolving threats.

Other interesting articles

Automated vs Manual Penetration Testing

Automated vs Manual Penetration Testing

Pentesting is largely divided into two methodologies: Automated vs Manual Penetration Testing. Both have ...
8 Steps in Penetration Testing You Should Know

8 Steps in Penetration Testing You Should Know

Mastering the art of penetration testing has become a critical ability for security experts to combat cyber ...
Spear Phishing vs Whaling: What is the Difference

Spear Phishing vs Whaling: What is the Difference

Spear phishing is a particularly devious type of phishing assault in which the individual targeted plays a ...
How Often Should Penetration Testing Be Done

How Often Should Penetration Testing Be Done

Penetration testing is a crucial technique that involves simulating a cyberattack on networks, computer systems, ...

Submit a Comment

Your email address will not be published. Required fields are marked *