We observed that the domain names vary based on the platform used and the hard-coded user ID parameter. The downloaded payloads that we have observed as of writing are CopperStealer, DanaBot (detected by Trend Micro as TROJ_BANLOAD.THFOAAH), and Glupteba (detected by Trend Micro as ).

In the following sections, we discuss our findings on CopperStealer, its modules, and the browser plug-ins that it installs. It is important to note that one of the installed browser plug-ins is called LNKR, which is an adware injection platform.

CopperStealer was seen at large stealing browser cookies and credentials from victims at the end of 2019. We found that CopperStealer had many similarities with a spyware campaign in April 2019, while a recent report attributes this malware to another campaign targeting social media platforms. However, we believe that these are different campaigns that use similar tools to steal victims' credentials.

After dissecting the samples of CopperStealer that we found, our analysis showed that infected systems had malicious browser extensions (we identify these in their respective sections and quick descriptions). One of the malicious extensions is LNKR (CRX/book_helper), which has been identified in connection with a phishing kit. This is the first time that we have seen both malware families distributed at large. In this section, we share the analysis of CopperStealer and LNKR. Notably, both of them have sophisticated infection approaches and tactics that they use to profit from their victims. We also show how these malware families have been distributed through PPI networks.

The .exe file that was unpacked from the compressed file appears to be a partially overwritten legitimate executable. In the following case, it is a Nullsoft Scriptable Install System (NSIS) installer, though any other regular executable could be partially overwritten in a similar way. The entry point is overwritten by a custom shellcode, and an encrypted payload (the second stage) is appended to the overlay at the end of the file.
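The partially overwritten installer described above can be triaged by locating the PE entry point's file offset and the start of the overlay, then comparing a suspect file against a known-clean copy of the same installer. The script below is an added example written for this page, not code from the report or the analyzed samples; the two PE images it inspects are constructed in-line (a single-section stub with placeholder overlay bytes) and only stand in for a real NSIS stub and its appended data.

```python
import struct

def parse_pe(data: bytes) -> dict:
    """Locate the entry point's file offset/section and the overlay start of a PE32/PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]               # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec, opt_size = struct.unpack_from("<H12xH", data, pe + 6)  # NumberOfSections, SizeOfOptionalHeader
    opt = pe + 24                                               # optional header follows the 20-byte COFF header
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]     # AddressOfEntryPoint (same offset in PE32/PE32+)
    info = {"entry_rva": entry_rva, "entry_off": None, "entry_section": None, "overlay_off": 0}
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        info["overlay_off"] = max(info["overlay_off"], rawptr + rawsize)  # overlay = bytes past the last section
        if va <= entry_rva < va + max(vsize, rawsize):
            info["entry_section"] = name.rstrip(b"\0").decode("ascii", "replace")
            info["entry_off"] = rawptr + (entry_rva - va)
    info["overlay_size"] = max(0, len(data) - info["overlay_off"])
    return info

def compare_with_clean(clean: bytes, sample: bytes, window: int = 64) -> dict:
    """Diff a suspect file against a known-good copy of the same installer: entry-point bytes and overlay size."""
    a, b = parse_pe(clean), parse_pe(sample)
    return {
        "entry_section": b["entry_section"],
        "entry_bytes_changed": clean[a["entry_off"]:a["entry_off"] + window]
                               != sample[b["entry_off"]:b["entry_off"] + window],
        "overlay_growth": b["overlay_size"] - a["overlay_size"],
    }

def build_pe(text: bytes, overlay: bytes, entry_rva: int = 0x1000) -> bytes:
    """Constructed minimal PE32 with a single .text section; a stand-in for a real installer stub."""
    pe_off, opt_size, raw_ptr = 0x40, 224, 0x200
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", pe_off)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 14, 0, len(text), 0, 0, entry_rva).ljust(opt_size, b"\0")
    sec = struct.pack("<8sIIII", b".text", len(text), 0x1000, len(text), raw_ptr).ljust(40, b"\0")
    return (dos + coff + opt + sec).ljust(raw_ptr, b"\0") + text + overlay

# Constructed inputs: a "clean" stub whose overlay holds the installer's own archive, and a
# tampered copy whose entry-point bytes were replaced and whose overlay gained a second blob.
CLEAN_TEXT = b"\x55\x8b\xec" + b"\x90" * 61             # push ebp / mov ebp,esp / nop padding
CLEAN = build_pe(CLEAN_TEXT, b"NSIS-ARCHIVE-PLACEHOLDER")
TAMPERED = build_pe(b"\xcc" * 16 + CLEAN_TEXT[16:], b"NSIS-ARCHIVE-PLACEHOLDER" + b"STAGE2-BLOB-PLACEHOLDER")

if __name__ == "__main__":
    print(compare_with_clean(CLEAN, TAMPERED))
```

An overlay by itself is not a signal here: NSIS installers legitimately keep their compressed archive in the overlay, so the useful indicators are changed entry-point bytes and overlay growth relative to a clean copy of the same build.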