This vicious malware will steal your Facebook, Google and Apple passwords

Proofpoint, Facebook and Cloudflare worked together to limit the spread of the CooperStealer malware

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Researchers at the cybersecurity firmProofpointhave discovered a newmalwarestrain capable of stealing user credentials fromGoogle, Facebook,Amazon,Appleand other online services.

The malware itself has been given the nameCooperStealerby the researchers and it is a password and cookie stealer that is in active development which also contains a download feature that allows its operators to deliver additional malicious payloads to infected devices.

At the same time though, the threat actors behind this malware strain have used compromised accounts in order to runmalicious adsand deliver other malware inmalvertising campaigns.

The earliest samples of CooperStealer date back to July of 2019 and during its investigation, Proofpoint analyzed a sample that targets business and advertiser accounts on Facebook and Instagram. However, the firm also identified additional versions of the malware which targetBing, PayPal, Tumblr and Twitter.

CooperStealer malware

During its investigation, Proofpoint noticed that CooperStealer utilizes many of the same targeting and delivery methods as the Chinese-sourced malware family SilentFade which Facebook first reported in 2019 and was responsible for over $4m in damages. For this reason, the firm believes that CooperStealer is a previously undocumented family within the same class of malware as SilentFade, StressPaint, FacebookRobot and Scranos.

CooperStealer itself is distributed on suspicious websites advertised as KeyGen andcrack sitessuch as keygenninja[.]com, piratewares[.]com, startcrack[.]com, and crackheap[.]net. While these sites present themselves as being able to help users circumvent the licensing restrictions of legitimate software, they ultimately provide Potentially Unwanted Programs/Applications (PUP/PUA) or run malicious executables capable of downloading and installing additional payloads.

Proofpoint also worked with researchers at Facebook, Cloudflare and other service provides during its investigation to coordinate disruptive action. For instance,Cloudflareplaced a warning interstitial page in front of the malicious domains and created a sinkhole for two of the sites before they could be registered by the threat actor.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

A sinkhole is a method used to limit an attacker’s ability to collect data on victims while also enabling researchers to gain visibility into victim demographics. During the sinkhole’s first 24 hours of operation, it logged 69,992 HTTP requests from 5,046 unique IPs originating from 159 different countries with the top five countries based on unique infections being India, Indonesia, Brazil, Pakistan and The Philippines.

The easiest way to prevent falling victim to the CooperStealer malware is to avoid visiting KeyGen and crack sites to pirate software.

ViaBleepingComputer

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.

Nokia confirms data breach leaked third-party code, but its data is safe

Rising AI threats are making firms turn back to human intelligence

Google is testing interactive voice searches with results that update in real time