Two new campaigns by the group behind the CopperStealer malware, distributing malware tracked as CopperStealth and CopperPhish, were launched in March and April 2023.
Trend Micro tracks the financially motivated group as Water Orthrus. The same adversary is also believed to be responsible for the Scranos campaign, which Bitdefender disclosed in 2019.
Water Orthrus has been active since at least 2021 and has a history of using pay-per-install (PPI) networks to deliver the CopperStealer information stealer, redirecting users of websites that offer cracked software installers.
The latest attack chains documented by Trend Micro do not deviate significantly from the earlier pattern. CopperStealth is distributed packaged as installers for free tools on Chinese software-sharing sites.
In their analysis, security researchers Jaromir Horejsi and Joseph C. Chen described how the CopperStealth infection chain installs and loads a rootkit, then injects its payload into explorer.exe and other system processes. Those payloads download and execute further components. The rootkit also blocks access to blocklisted registry keys and prevents specific applications and drivers from loading.
The driver denylist consists of byte patterns associated with the Chinese security software vendors Huorong, Kingsoft, and Qihoo 360.
The CopperPhish campaign, observed worldwide in April 2023, uses a similar delivery process, relying on PPI networks tied to free anonymous file-sharing websites.
According to the researchers, visitors who click on the PPI network's advertisements, which masquerade as download links, are redirected to a download page the network controls. The downloaded file is PrivateLoader, which installs and runs a range of other malware.
In this case, CopperPhish starts a rundll32 process and injects a simple Visual Basic program into it, which opens a browser tab that loads a malicious URL. The page prompts victims to scan a QR code for identity verification and to enter a confirmation code to "restore your device's network."
Once the sensitive details are entered on the page, the CopperPhish malware displays a message stating that "the identity verification has passed," along with a confirmation code. If the correct confirmation code is entered, the malware shuts itself down and removes its malicious components from the system. This confirmation-code check and credential validation are two notable features that make the phishing kit more effective.
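One defensive way to surface the process chain described above, as an added example that is not part of the Trend Micro write-up: it scans constructed, simplified Sysmon-style process-creation events for a rundll32.exe host launched without a DLL/export argument and for a browser spawned by rundll32.exe with a URL on its command line. The field names, paths and sample events are assumptions.

```python
"""Flag process-creation events matching a rundll32-hosted payload that opens a browser.
EVENTS below are constructed samples (not real telemetry) in a simplified Sysmon EventID 1 shape."""
import re
from urllib.parse import urlparse

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)

EVENTS = [  # constructed sample events; paths and URL are placeholders
    {"pid": 4120, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "rundll32.exe",
     "parent_image": r"C:\Users\user\AppData\Local\Temp\setup.exe"},
    {"pid": 4188, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": 'chrome.exe --new-window "http://example.invalid/verify"',
     "parent_image": r"C:\Windows\System32\rundll32.exe"},
    {"pid": 5000, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": "chrome.exe", "parent_image": r"C:\Windows\explorer.exe"},
    {"pid": 5100, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL desk.cpl",
     "parent_image": r"C:\Windows\explorer.exe"},
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Return a list of (pid, reason, detail) findings for the suspicious patterns."""
    findings = []
    for ev in events:
        img, parent = basename(ev["image"]), basename(ev["parent_image"])
        cmd = ev["cmdline"]
        if img == "rundll32.exe":
            # Legitimate use names a DLL and export: "rundll32.exe foo.dll,Entry ..."
            args = cmd.split(None, 1)[1] if " " in cmd else ""
            if "," not in args:
                findings.append((ev["pid"], "rundll32_no_export", cmd))
        if img in BROWSERS and parent == "rundll32.exe":
            # A browser launched from rundll32: report the hosts it was told to open
            hosts = [urlparse(u).hostname for u in URL_RE.findall(cmd)]
            findings.append((ev["pid"], "browser_from_rundll32", hosts or cmd))
    return findings


if __name__ == "__main__":
    for finding in analyze(EVENTS):
        print(finding)
```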
The diverse objectives of these campaigns reflect the evolution of the threat actor’s tactics, suggesting an attempt to enhance their capabilities and broaden their financial gains.
These findings come as malicious Google ads lure users into downloading fake installers for AI tools such as Midjourney and OpenAI's ChatGPT, which ultimately drop stealers like Vidar and RedLine.
In addition, a new traffic-monetization operation named TrafficStealer has been identified, which abuses package misconfigurations to reroute traffic to websites and generate fake advertisement clicks as part of a profitable illegal scheme.