This vicious malware will steal your Facebook, Google and Apple passwords

(Image credit: Shutterstock)

Researchers at the cybersecurity firm Proofpoint have discovered a new malware strain capable of stealing user credentials from Google, Facebook, Amazon, Apple and other online services.

The malware itself has been given the name CooperStealer by the researchers and it is a password and cookie stealer that is in active development which also contains a download feature that allows its operators to deliver additional malicious payloads to infected devices.

At the same time though, the threat actors behind this malware strain have used compromised accounts in order to run malicious ads and deliver other malware in malvertising campaigns.

The earliest samples of CooperStealer date back to July of 2019 and during its investigation, Proofpoint analyzed a sample that targets business and advertiser accounts on Facebook and Instagram. However, the firm also identified additional versions of the malware which target Bing, PayPal, Tumblr and Twitter.

CooperStealer malware

During its investigation, Proofpoint noticed that CooperStealer utilizes many of the same targeting and delivery methods as the Chinese-sourced malware family SilentFade which Facebook first reported in 2019 and was responsible for over $4m in damages. For this reason, the firm believes that CooperStealer is a previously undocumented family within the same class of malware as SilentFade, StressPaint, FacebookRobot and Scranos.

CooperStealer itself is distributed on suspicious websites advertised as KeyGen and crack sites such as keygenninja[.]com, piratewares[.]com, startcrack[.]com, and crackheap[.]net. While these sites present themselves as being able to help users circumvent the licensing restrictions of legitimate software, they ultimately provide Potentially Unwanted Programs/Applications (PUP/PUA) or run malicious executables capable of downloading and installing additional payloads.

Proofpoint also worked with researchers at Facebook, Cloudflare and other service provides during its investigation to coordinate disruptive action. For instance, Cloudflare placed a warning interstitial page in front of the malicious domains and created a sinkhole for two of the sites before they could be registered by the threat actor.

A sinkhole is a method used to limit an attacker's ability to collect data on victims while also enabling researchers to gain visibility into victim demographics. During the sinkhole's first 24 hours of operation, it logged 69,992 HTTP requests from 5,046 unique IPs originating from 159 different countries with the top five countries based on unique infections being India, Indonesia, Brazil, Pakistan and The Philippines.

The easiest way to prevent falling victim to the CooperStealer malware is to avoid visiting KeyGen and crack sites to pirate software.

Via BleepingComputer

Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.