Regular Amazon Online Shopper? Facebook User? Beware of CooperStealer Malware


Don’t know about you but it hasn’t been even a week since I ordered something from Amazon.ca, and I was browsing through my Facebook feed over breakfast this AM. There are a few people who’ve sworn off social media these days, and in truth that’s often a good thing. But there’s all sorts of us who have Google as big parts of our digital lives and many of those same people take advantage of much of what Apple has to offer too.

That’s not going to change, but what may have to change is the way we all keep our guards up a little bit more when taking advantage of these conveniences or taking in social media in moderation. That’s for the following reason: there’s plenty of malware out there looking for any and all opportunities to get in where it shouldn’t, but none of it is drumming up as much caution quite like the CooperStealer.

Sounds fancy, and it has nothing to do with a digital thief stealing barrels or anything of the sort. What it DOES have the ability to do is steal credentials. More specifically, it steals login credentials for Facebook, Google and Apple accounts. While it’s debatable whether you could go without Facebook in the interest of keeping yourself safe from this, you likely won’t see it the same way when it comes to Google and Apple accounts.

Part of being a quality Canadian web hosting provider is keeping our customers in the know about developments that might affect them, and considering what we’ve laid out here this CooperStealer malware definitely meets the criteria for that. So let’s look at it in greater detail with our entry for this week and explain further about why this is something you’ll want to be aware of and then conclude with tips about how you can make yourself less at risk.

Hunger for Cookies Too

This malware we’re discussing here today was given the name CooperStealer by researchers because it is both a password and cookie stealer that is in active development. Plus, another big part of the potential problem is that it comes with a download feature that allows its operators to deliver additional malicious payloads to infected devices.

The seriousness of an infection doesn’t end there. The threat actors behind this malware strain have used compromised accounts to run malicious ads and conduct the kind of malware advertising campaigns that have recently been given the term ‘malvertising’.

But this isn’t exactly new. Early versions of the CooperStealer were seen as early as the summer of 2019. It was seen to effectively target Facebook and Instagram account credentials while also being able to target Bing, PayPal, Tumblr and Twitter.

Building on SilentFade and More

It’s also been determined that CooperStealer utilizes many of the same targeting and delivery methods as SilentFade, the Chinese-sourced malware which ended up on Facebook’s security radar in 2019 too. It ended up being the cause of over $4m in damages, and so the alarms going off about CooperStealer are legit. Industry and malware experts believe that CooperStealer is a previously undocumented family within the same class of malware as SilentFade, StressPaint, FacebookRobot and Scranos.

CooperStealer may also be distributed through suspicious websites advertised as KeyGen and crack sites, such as keygenninja[.]com, piratewares[.]com, startcrack[.]com, and crackheap[.]net. The reason people visit these sites at all is that they present themselves as a way of circumventing the licensing restrictions of legitimate software.

The truth of the matter, however, is that these Potentially Unwanted Programs/Applications (PUP/PUA) are much more frequently in existence to simply deliver malicious executables capable of downloading and installing additional payloads. Take note of them, and avoid them unless you see these resources as being worth the risk.

Good Sinkholes

The good news is that the people who you’d think would need to be proactive about this threat are doing just that. Researchers at Facebook, Cloudflare and other service providers have worked to develop co-ordinated disruptive action. The best examples are a warning interstitial page that presents itself in front of the malicious domains, and the development of ‘sinkholes’ for select sites that are known to be favoured by the threat actors behind the CooperStealer.

Now it’s true that most people don’t envision anything good when thinking of a sinkhole, but in this case it’s a good thing and not a huge falling away of the earth that devours homes, vehicles and whatever else has the misfortune of being immediately above them when they’re about to do their thing.

No, the type of ‘sinkhole’ that we’re talking about here is a method used to limit an attacker's ability to collect data on victims while also enabling researchers to gain visibility into victim demographics. During a sinkhole's first 24 hours of operation they can log hundreds of thousands of HTTP requests from unique IPs originating from hundreds of different countries around the world.

Based on this, industry experts were able to determine that the top five countries by unique infections were India, Indonesia, Brazil, Pakistan, and The Philippines.
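To show how a sinkhole operator turns a pile of HTTP requests into the per-country infection picture described above, here is an added example (not code from the original post or from any of the researchers it mentions). It parses constructed Common Log Format lines, counts each client IP only once so repeat beacons from one machine don’t inflate the numbers, and maps IPs to countries through a small constructed prefix table standing in for a real GeoIP database.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample of sinkhole access-log lines (Common Log Format); not real data.
SINKHOLE_LOG = """\
203.0.113.10 - - [19/Mar/2021:08:01:02 +0000] "GET /api/update?id=abc HTTP/1.1" 200 12
203.0.113.10 - - [19/Mar/2021:08:01:09 +0000] "GET /api/update?id=abc HTTP/1.1" 200 12
203.0.113.77 - - [19/Mar/2021:08:02:15 +0000] "POST /gate HTTP/1.1" 200 0
198.51.100.5 - - [19/Mar/2021:08:03:44 +0000] "GET /api/update?id=def HTTP/1.1" 200 12
198.51.100.6 - - [19/Mar/2021:08:03:50 +0000] "GET /api/update?id=def HTTP/1.1" 200 12
192.0.2.9 - - [19/Mar/2021:08:04:01 +0000] "POST /gate HTTP/1.1" 200 0
this line is malformed and must be skipped, not crash the parser
"""

# Constructed prefix-to-country table standing in for a GeoIP database (assumption).
GEO_TABLE = [
    (ip_network("203.0.113.0/24"), "IN"),
    (ip_network("198.51.100.0/25"), "ID"),
    (ip_network("192.0.2.0/24"), "BR"),
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

def country_for(ip):
    """Longest-prefix lookup is overkill for the toy table; first match is enough here."""
    addr = ip_address(ip)
    for net, cc in GEO_TABLE:
        if addr in net:
            return cc
    return "??"  # unknown prefix: keep it visible rather than silently dropping it

def parse_sinkhole_log(text):
    """Yield (ip, request) for each well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.group("ip"), m.group("req")

def unique_victims_by_country(text):
    """Count unique client IPs per country so repeat beacons from one host count once."""
    seen, counts = set(), defaultdict(int)
    for ip, _req in parse_sinkhole_log(text):
        if ip not in seen:
            seen.add(ip)
            counts[country_for(ip)] += 1
    return dict(counts)

def top_countries(text, n=5):
    """Rank countries by unique infections; ties broken alphabetically for stable output."""
    return sorted(unique_victims_by_country(text).items(), key=lambda kv: (-kv[1], kv[0]))[:n]
```

Real sinkhole traffic also contains scanner and researcher noise, so a production version would filter on the malware’s actual request pattern before counting.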

In the bigger picture, these days there are more different types of malware out there than ever before and there’s never been a higher level of risk from them. If you think that little old you isn’t going to be at risk yourself then there’s plenty of reasons to rethink that position.