top of page

CopperStealer Malware Targets Facebook, Apple, Amazon and Google

CopperStealer, a malware that until now has gone undocumented has been quietly hijacking online accounts of advertisers and users of Facebook, Apple, Amazon, Google and other web giants since July 2019 and then using them for nefarious activity, researchers have found. According to Proofpoint's latest research on CopperStealer, the malware contains the ability to find and send saved browser passwords. The following Internet browsers are searched specifically for Facebook saved credentials:

  • Chrome

  • Edge

  • Yandex

  • Opera

  • Firefox

In addition to the saved browser passwords, the malware uses stored cookies to retrieve a User Access Token from Facebook. Once the User Access Token is gathered, the malware requests several API endpoints for Facebook and Instagram to gather additional context, including a list of friends, any advertisement accounts configured for the user and a list of pages the user has been granted access.

Malware experts weighed-in on the dangers of CopperStealer and what organizations can do to mitigate the threat.

Chris Morgan, Senior Cyber Threat Intelligence Analyst at Digital Shadows:

“CopperStealer represents an extremely capable malware, providing its users a wide variety of options to exfiltrate sensitive data and drop additional malware. Its target of choice, which features several different social media providers, likely represents the malware operators' efforts to takeover targeted accounts that threat actors can use for further malicious purposes.

Threat actors from the Peoples Republic of China (PRC) are attributed to the creation of CopperStealer. They have previously used compromised social media accounts to spread misinformation and influence operations on PRC events of strategic importance. Examples include the 2019 Hong Kong protests, which described the events as 'riots funded by the CIA.' It is realistically possible that there are similar motivations behind the CopperStealer campaign, using the accounts to spread misinformation.

The actions taken by Proofpoint and service providers will result in a significant short-term (1-3 month) disruption to this campaign, however replacing infrastructure should be relatively simple for the responsible threat actors. Delivery methods for CopperStealer rely on users interacting with torrent sites offering free versions of legitimate software, which are attractive to avoid costly licensing fees. Users should avoid interacting and downloading software from any unofficial sites, whether on a corporate or personal website.”

Michael Isbitski, Technical Evangelist at Salt Security:

“Harvesting of user credentials or authenticated sessions in the form of cookies and tokens is a common tool of the trade of attackers with keyloggers, cookie catchers, and password stealers. This is a big reason we commonly advise that while authentication and authorization mechanisms are critical to API security, it is one piece of a larger puzzle.

Attackers frequently target weak or broken authentication or authorization mechanisms. In this case, the malware harvests stored credentials within the user’s web browser engine, but it also attempts to use stored cookies in the user’s browser to fetch authentication tokens for that user from social media platforms like Facebook and Instagram via the web APIs of those providers. Variants of the malware also appear to contact other cloud services like Apple, AWS and Google in similar fashion, presumably also via web API channels.

This would likely appear as legitimate traffic since the malware is using the web browser engine to request authentication tokens to social media services where the user is legitimate and authorized.

Be careful of extensions and plugins you install into your desktop or mobile web browsers. We see these types of issues frequently in the mobile app space. The operators of mobile app stores (Apple and Google) go to great lengths to scan and review the many new apps being published daily. Security vetting of browser plugins is much less common though, and there is still work to be done to control those plugin ecosystems.”

Joseph Carson, chief security scientist and Advisory CISO at Thycotic:

“This once again demonstrates that cyber criminals continue to target credentials and cookies in order to gain access to victims online accounts, or even latterly move into their employers. Right now, it’s not clear whether the accounts are being sold on the darknet to other cybercriminals that could later be abused and targeted with ransomware or that the attackers are using them directly. Malware continues to evolve, and once a new variant is available, it is quickly updated with new techniques, such as stealing credentials.

CopperStealer is known to steal passwords from well-known browsers and this is a reminder that storing sensitive data within the browser is a major security risk, especially if employees become victims of this malware. This could lead to the criminals gaining access to your organization. While storing non-sensitive data in a browser is OK, it is important that organizations move beyond password managers, such as those in browsers. They should move to privileged access security that adds more protection and additional security controls. It’s important to help move passwords into the background and that they are not the only security control protecting your business.”


bottom of page