CopperStealer Malware Crew Resurfaces with New Rootkit and Phishing Kit Modules


The threat actors behind the CopperStealer malware re-emerged in March and April 2023 with two new campaigns designed to deliver two new payloads called CopperStealth and CopperPhish.

Trend Micro tracks the financially motivated group behind these campaigns as “Water Orthrus”. The CopperStealth campaign also delivers a rootkit (its hashes are listed under the IOCs below). CopperStealth itself incorporates a task module that calls a remote server and retrieves a command to execute on the infected machine, which equips the malware to drop additional payloads.

CopperPhish

The CopperPhish campaign, observed globally in April 2023, uses a similar distribution process: the malware is delivered through P2P networks sitting behind free, anonymous file-sharing websites.

The download service, which is also offered on a pay-per-use basis, retrieves and launches CopperPhish, a phishing kit built to collect credit card information. The attribution to Water Orthrus rests on the fact that both CopperStealth and CopperPhish share source-code characteristics with CopperStealer, raising the possibility that all three strains were developed by the same author.

CopperPhish starts a rundll32 process and injects a simple Visual Basic program into it; that program opens a browser tab pointing at a malicious URL. The page prompts victims to scan a QR code for “identity verification” and to enter a confirmation code in order to “restore your device’s network.”

Once the victim enters card details on the page, it displays a message stating that “the identity verification has passed,” together with a confirmation code. When that code is entered into the malware’s prompt, CopperPhish disables itself and removes its components from the system. This confirmation-code mechanism and the verification of the submitted credentials are two functions that make the kit more effective: the victim is given a reason to complete the whole flow rather than simply close the window.

IOCs (SHA-256 file hashes)

293a2adf60a94437cc0f92545b7caabdaed0a63007b51e2b3d449cdb1e00f5a8        CopperStealth
6c3995155e0e5cbb17e6f71b8d8b89d4dfc77849e869da7901a79053e8e8232b        CopperStealth
5558eaebeeeb4c5c731b531305e7c97c9cf1b1449b0466f46430aa0549c256e9        CopperStealth
ad5f59c497f423a07cfb4affc82aac408eafeeefef22f8ba25cabff2ff991754        CopperStealth
636772857bd9b88d5b530586c7008f48e61ec429fb50a82019d0505dcf994930        CopperStealth
7246dbf235f66034bd7042408f01b8670c3f45d39082fcbf5b893d7952614833        CopperStealth
73fd83a9eb267fed5a3178b75a9bff0bac9e0864daed830fddf6a8686c286cbb        CopperStealth
7fd6cb3e1648dd9d1994c65762826772ae32dc58fbc7ac51179a0b3526f1395f        CopperStealth
e3f31eabaa0b3bebe0c5152fc6097a8fbf1c6fd9e57d06fe8e9bd8860e8f07a6        CopperStealth
033ba1740ba105bf4a5081f438f46f1d7ad17a175aab132bd844edcf8e30949f        CopperStealth
ed88b019b3a8346c89aaf6ba7ce6c6be0b9a88c121312f3db9b6ebd776a9af5a        CopperStealth
ecdd5adb40297ec29c0e8a8f50223069db3d32c2a1d223adfb52c3a695d41fa2        CopperStealth
f916f4d1d8c1df0d31b8d18b7c94109b4303412880538f64ec3eb2e257732ead        CopperStealth
53f4306d30b4f7b731c0cd7be6df39f02613fb4c0e9b5aa85f754e145dca080c        CopperStealth
139f8412a7c6fdc43dcfbbcdba256ee55654eb36a40f338249d5162a1f69b988        Rootkit (CopperStealth campaign)
5b932eab6c67f62f097a3249477ac46d80ddccdc52654f8674060b4ddf638e5d        Rootkit (CopperStealth campaign)
6994b32e3f3357f4a1d0abe81e8b62dd54e36b17816f2f1a80018584200a1b77        Rootkit (CopperStealth campaign)
32882949ea084434a376451ff8364243a50485a3b4af2f2240bb5f20c164543d        Rootkit (CopperStealth campaign)
50819a1add4c81c0d53203592d6803f022443440935ff8260ff3b6d5253c0c76        Rootkit (CopperStealth campaign)
770f33259d6fb10f4a32d8a57d0d12953e8455c72bb7b60cb39ce505c507013a        Rootkit (CopperStealth campaign)
86047bb1969d1db455493955fd450d18c62a3f36294d0a6c3732c88dfbcc4f62        Rootkit (CopperStealth campaign)
bb2422e96ea993007f25c71d55b2eddfa1e940c89e895abb50dd07d7c17ca1df        Rootkit (CopperStealth campaign)
06c5ebd0371342d18bc81a96f5e5ce28de64101e3c2fd0161d0b54d8368d2f1f        Rootkit (CopperStealth campaign)
6661320f779337b95bbbe1943ee64afb2101c92f92f3d1571c1bf4201c38c724        Rootkit (CopperStealth campaign)
f9f2091fccb289bcf6a945f6b38676ec71dedb32f3674262928ccaf840ca131a        Rootkit (CopperStealth campaign)
e6f764c3b5580cd1675cbf184938ad5a201a8c096607857869bd7c3399df0d12        Rootkit (CopperStealth campaign)
e1cb86386757b947b39086cc8639da988f6e8018ca9995dd669bdc03c8d39d7d        Rootkit (CopperStealth campaign)
4734a0a5d88f44a4939b8d812364cab6ca5f611b9b8ceebe27df6c1ed3a6d8a4        Rootkit (CopperStealth campaign)
ea50f22daade04d3ca06dedb497b905215cba31aae7b4cab4b533fda0c5be620        Rootkit (CopperStealth campaign)
fa9abb3e7e06f857be191a1e049dd37642ec41fb2520c105df2227fcac3de5d5        Rootkit (CopperStealth campaign)
f936ec4c8164cbd31add659b61c16cb3a717eac90e74d89c47afb96b60120280        Rootkit (CopperStealth campaign)
8c01578891b08d168c1919c4f2ed4fdac991e063263bbb63963ea616f5d5333e        CopperPhish
39c9f743528eb317340cdd53a65630785b1168f6f0a6b253ae2518fb450f0b81        CopperPhish
28d1d1c6fb23ef5f92b16e2701c49bb34b4a81af11f95ff5674d291c5ffb3b28        CopperPhish
07cccf04854a58e43a5043e240b662f84ac512b2d2432b1b7e4cd5465d1dde33        CopperPhish
bff741d972e1dac7fa1197ac9365106b49bd07cea868d69c660aa569fe75f005        CopperPhish
036a689038dfaa195c899d57a4d3fdcf5f99b91bdbf9739a4d05f9bd1dcfe15e        CopperPhish
65a632de69bcb62c8f344a9cc0951d3c599301ca6d8aed66bbdab9f1b977799a        CopperPhish
971259ae3eb7dc843c6872b22154e5cf74e48ca35fb895145df63fa50e8e8792        CopperPhish
58eb8b6fd34406316438e2e17ed3c44b6c26695b28c71db7b062a63a116ee33b        CopperPhish
0a596289cb9c6dcb065d96fb33c1e9509f62ff42b00a0d679bb8b9e64dce8ea5        CopperPhish
fcf49a50a3b86adeea6b1cfbb0d86dfed774673a5900570878197f822f6f2126        CopperPhish
6f52f36d84ea04d00f307d5aafedcda98118d140c1ac1af0525ecb374c0f5cf2        CopperPhish
688de5bbd2cb1e5556304002c1b7f5fdfe147251217f93b8733017161a834fa5        CopperPhish
1a1a70fd2c5a012c4e8547713a3abf1dc2dbd05a81ab1fcca4ab1ad71ad36979        CopperPhish
15430150c081728440618aac046cc1d50a4391b55fa7f8fa66325d9b462e57c3        CopperPhish
acac571f03810d6e8408d4df25fda741cf492c7d842113155034da1f871c10ea        CopperPhish
f340e0ef5f90024b9626a83c2c1eed2011417372073088169d7c2c7ec842f228        CopperPhish
699873a949ca1e3a15f8428d1e28e3bdf7b95ec1606e10785f3f51b118e2669e        CopperPhish
dda6bc4618cd6f723d6ad5f45f171a075c208b5b2693a35f24dd6607a3f167f0        CopperPhish
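An added example (not code from the article or from Trend Micro) showing how a responder would put the list above to use: it parses the two-column hash/label format, rejects malformed entries, folds a duplicated CopperPhish hash into one record, and walks a directory tree comparing streamed SHA-256 digests against the set. IOC_TEXT is a constructed excerpt of the list; in practice paste the full list in.

```python
"""Match files on disk against the SHA-256 IOC list above.

Added example, not code from the original article or from Trend Micro.
Assumptions: IOC lines follow the page's two-column layout (hash, then a
family label); IOC_TEXT is a constructed excerpt that a responder would
replace with the full list.
"""
import hashlib
import os
import sys
from pathlib import Path

# Constructed excerpt of the IOC section: one hash per family, plus the
# CopperPhish hash repeated, to show de-duplication.
IOC_TEXT = """
293a2adf60a94437cc0f92545b7caabdaed0a63007b51e2b3d449cdb1e00f5a8        CopperStealth
139f8412a7c6fdc43dcfbbcdba256ee55654eb36a40f338249d5162a1f69b988        Rootkit (CopperStealth campaign)
8c01578891b08d168c1919c4f2ed4fdac991e063263bbb63963ea616f5d5333e        CopperPhish
8c01578891b08d168c1919c4f2ed4fdac991e063263bbb63963ea616f5d5333e        CopperPhish
"""

HEX = set("0123456789abcdef")


def parse_iocs(text):
    """Return {sha256: label}. Lower-cases hashes, drops malformed lines, de-duplicates."""
    iocs = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2:
            continue
        digest, label = parts[0].lower(), parts[1].strip()
        if len(digest) != 64 or not set(digest) <= HEX:
            continue  # not a SHA-256; a typo here would otherwise silently match nothing
        iocs.setdefault(digest, label)  # keep the first label for a duplicate
    return iocs


def sha256_file(path, chunk=1 << 20):
    """Stream the file so large binaries are not loaded into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root, iocs):
    """Return [(path, sha256, label)] for regular files under root whose hash is in iocs."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            try:
                digest = sha256_file(p)
            except OSError:
                continue  # locked or unreadable; keep scanning the rest
            if digest in iocs:
                hits.append((str(p), digest, iocs[digest]))
    return hits


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, digest, label in scan_tree(root, parse_iocs(IOC_TEXT)):
        print(f"{label}\t{digest}\t{path}")
```

Run it as `python scan_iocs.py <directory>`; each hit prints the family label, the digest and the path. Hash matching only catches the exact samples listed, so treat a clean result as "none of these files are present", not as "the host is clean".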


About the Author:

FirstHackersNews - Identifies Security
