Updated CopperStealer Uses Pastebin for C2 and Sends Stolen Data to Telegram
Trend Micro researchers have analyzed a new version of CopperStealer and found significant changes in its command-and-control (C2) infrastructure. The operators have abandoned both domain generation (DGA) and CDN proxying: the malware now fetches an encrypted configuration from Pastebin, and the real C2 servers sit behind fast-flux DNS. Stolen data is now exfiltrated via Telegram.
According to the researchers, the Windows-based CopperStealer has been used in attacks since late 2019. It is distributed through redirects on pirate websites under a pay-per-install (PPI) scheme. The malicious payload bundled with cracked software is encrypted and compressed (ZIP) to evade detection.
The infostealer aborts execution in sandboxes, under a debugger, and on machines whose default language is Chinese. Its main purpose is to steal credentials and cookies from browsers. Last year, CopperStealer targeted Facebook and Google accounts in particular, using them to spread unwanted ads and install adware browser extensions.
Trend Micro's analysis showed that the updated malware still uses shellcode as its entry point and an XOR-based crypter to hide the second-stage payload, a UPX-packed DLL. The dropper carries two files compressed with 7-Zip, build.exe and shrdp.exe: the first steals data from browsers and other applications, the second gives the operators remote access to the infected machine over RDP.
When launched, build.exe installs its certificate in the current user's folder, reads the MachineGuid value from the Windows registry (HKLM\SOFTWARE\Microsoft\Cryptography) and uses it as the name of the folder in which cookies and passwords stolen from the following browsers are stored:
- Brave
- Chrome
- Chromium
- Edge
- Firefox
- Opera
- Yandex Browser
The malware also collects data from messengers (Telegram, Discord, Element), email clients (Outlook, Thunderbird), and Steam. CopperStealer packs everything it steals into a password-protected archive, uploads it to a dedicated Telegram channel, and notifies the operator when the upload completes.
The shrdp.exe module fetches the encrypted C2 address from Pastebin, decrypts it, registers the infected machine's ID with the server, and periodically checks in to signal that it is ready to execute commands. The Pastebin account was created in March under the name Javalinkcrash and holds a single paste, which had been viewed about 23,000 times. That view count is a rough indicator of the number of infections with the new version: every infected host fetches the paste on check-in, although repeated fetches from one host and views by analysts inflate the figure.
The supported tasks for shrdp.exe include install and killme:
- install: Creates a new hidden user account on the machine, adds it to the Administrators and Remote Desktop Users groups, disables the Windows firewall and Network Level Authentication (NLA) for RDP, and then extracts and installs an RDP shell, OpenVPN, the MiniThunderPlatform downloader utility, and n2n (a tool for building peer-to-peer virtual networks). To keep these files out of Microsoft Defender's scans, shrdp.exe adds the entire folder to Defender's exclusion list.
- killme: Force-terminates the running components and deletes the files and user accounts created or modified by the install task.
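The install task is a chain of noisy, well-known actions (local account creation, group membership changes, firewall off, NLA off, Defender exclusion), and each of them on its own is something an administrator might legitimately do. The detection below, an added example and not Trend Micro's or CopperStealer's code, correlates them per host inside a short time window. The log format is a constructed key=value rendering of process-creation events, and the command lines are the standard ways of performing each step (including the SpecialAccounts\UserList registry trick for hiding an account from the logon screen); they are assumptions about what such a task looks like in telemetry, not the actual commands shrdp.exe runs.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed process-creation events (not real telemetry). Format:
# "<ISO time> host=<name> image=<exe path> cmd=<command line>"
SAMPLE_LOG = r"""
2022-05-03T10:01:02Z host=WS01 image=C:\Users\u\AppData\Local\Temp\shrdp.exe cmd=net user svc_rdp P@ss123 /add
2022-05-03T10:01:03Z host=WS01 image=C:\Windows\System32\net.exe cmd=net localgroup administrators svc_rdp /add
2022-05-03T10:01:03Z host=WS01 image=C:\Windows\System32\net.exe cmd=net localgroup "Remote Desktop Users" svc_rdp /add
2022-05-03T10:01:04Z host=WS01 image=C:\Windows\System32\reg.exe cmd=reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v svc_rdp /t REG_DWORD /d 0 /f
2022-05-03T10:01:05Z host=WS01 image=C:\Windows\System32\netsh.exe cmd=netsh advfirewall set allprofiles state off
2022-05-03T10:01:06Z host=WS01 image=C:\Windows\System32\reg.exe cmd=reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f
2022-05-03T10:01:07Z host=WS01 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmd=powershell -c Add-MpPreference -ExclusionPath C:\ProgramData\rdp
2022-05-03T11:30:00Z host=WS02 image=C:\Windows\System32\net.exe cmd=net localgroup administrators helpdesk /add
"""

# One regex per step of the install task. These are assumed, typical command
# lines for each action, not CopperStealer's own.
RULES = {
    "local_user_created": re.compile(r"\bnet(?:1)?(?:\.exe)?\s+user\s+\S+(?:\s+\S+)?\s+/add\b", re.I),
    "added_to_admins": re.compile(r"\bnet(?:1)?(?:\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add\b", re.I),
    "added_to_rdp_users": re.compile(r'\bnet(?:1)?(?:\.exe)?\s+localgroup\s+"?remote desktop users"?\s+\S+\s+/add\b', re.I),
    "account_hidden_from_logon": re.compile(r"SpecialAccounts\\UserList.*?/d\s+0\b", re.I),
    "firewall_disabled": re.compile(r"\bnetsh\s+advfirewall\s+set\s+\w+\s+state\s+off\b", re.I),
    "nla_disabled": re.compile(r"RDP-Tcp.*?UserAuthentication.*?/d\s+0\b", re.I),
    "defender_exclusion_added": re.compile(r"Add-MpPreference\s+-ExclusionPath\b", re.I),
}

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) image=(?P<image>\S+) cmd=(?P<cmd>.*)$")


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def match_rules(cmd):
    """Return the set of rule names whose pattern occurs in a command line."""
    return {name for name, rx in RULES.items() if rx.search(cmd)}


def correlate(log_text, window_s=300, min_rules=3):
    """Alert on hosts where at least min_rules distinct steps occur within window_s.

    Returns {host: sorted list of rule names seen in the alerting window(s)}.
    A single step (e.g. one admin group change) never alerts on its own.
    """
    by_host = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            hits = match_rules(ev["cmd"])
            if hits:
                by_host[ev["host"]].append((ev["ts"], hits))

    alerts = {}
    for host, events in by_host.items():
        events.sort(key=lambda e: e[0])
        for i, (start, _) in enumerate(events):
            seen = set()
            for ts, hits in events[i:]:
                if (ts - start).total_seconds() > window_s:
                    break
                seen |= hits
            if len(seen) >= min_rules:
                alerts[host] = sorted(seen | set(alerts.get(host, [])))
    return alerts


if __name__ == "__main__":
    for host, steps in correlate(SAMPLE_LOG).items():
        print(f"{host}: {len(steps)} install-task steps -> {', '.join(steps)}")
```

With the sample data, WS01 trips all seven rules within five seconds and alerts, while WS02's lone group change does not. The window and threshold are the knobs to tune against your own baseline of legitimate provisioning activity.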
The change in CopperStealer's C2 infrastructure was most likely a reaction to the takedown of its previous setup. Last year, security researchers, with the support of major service providers, ran a sinkhole operation to halt the spread of the infostealer, which by then had reached 159 countries (mainly India, Indonesia, Brazil, Pakistan, and the Philippines).
At that time the malware located its C2 servers by generating candidate domains with a DGA, and the operators hid those servers behind Cloudflare's proxy service. Now CopperStealer obtains the C2 address from a Pastebin page, and in place of CDN proxies its operators rely on fast flux: the domain's DNS records are re-pointed to a constantly changing set of IP addresses with very short TTLs, and the hosts behind those addresses merely proxy traffic to the real backend, so blocking or sinkholing any single IP has little effect.
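Fast flux leaves a recognizable footprint in passive DNS: one name resolving to many addresses spread across unrelated networks, with low TTLs. The script below, an added example rather than anything from Trend Micro's report, scores constructed resolution records with that heuristic and contrasts a fast-flux name with a CDN-style name that also rotates IPs and uses low TTLs but stays inside one provider block. The domain names and addresses are hypothetical, and /24 prefix diversity stands in for the ASN diversity a real pipeline would compute from a BGP lookup.

```python
import ipaddress
from collections import defaultdict

# Constructed passive-DNS observations (not real data; names are hypothetical):
# (timestamp, queried name, answer, TTL in seconds)
OBSERVATIONS = [
    # Fast-flux name: a different IP in an unrelated network on almost every query.
    (1, "c2.example", "192.0.2.10", 60),
    (2, "c2.example", "198.51.100.20", 60),
    (3, "c2.example", "203.0.113.30", 60),
    (4, "c2.example", "192.0.2.200", 60),
    (5, "c2.example", "198.51.100.77", 60),
    (6, "c2.example", "100.64.1.5", 60),
    (7, "c2.example", "100.64.2.9", 60),
    (8, "c2.example", "203.0.113.9", 60),
    (9, "c2.example", "192.0.2.10", 60),
    (10, "c2.example", "100.64.1.5", 60),
    # CDN-style name: many IPs and a low TTL, but all inside one provider block.
    (1, "cdn.example", "203.0.113.1", 20),
    (2, "cdn.example", "203.0.113.2", 20),
    (3, "cdn.example", "203.0.113.3", 20),
    (4, "cdn.example", "203.0.113.4", 20),
    (5, "cdn.example", "203.0.113.5", 20),
    (6, "cdn.example", "203.0.113.6", 20),
    # Ordinary name with one stable address and a long TTL.
    (1, "www.example", "192.0.2.50", 3600),
]


def summarize(observations, prefix_len=24):
    """Aggregate per name: answer count, distinct IPs, distinct prefixes, lowest TTL.

    prefix_len=24 is an assumed stand-in for ASN grouping (see lead-in).
    """
    per_name = defaultdict(lambda: {"answers": 0, "ips": set(), "prefixes": set(), "min_ttl": None})
    for _ts, qname, rdata, ttl in observations:
        net = ipaddress.ip_network(f"{rdata}/{prefix_len}", strict=False)
        s = per_name[qname]
        s["answers"] += 1
        s["ips"].add(rdata)
        s["prefixes"].add(str(net))
        s["min_ttl"] = ttl if s["min_ttl"] is None else min(s["min_ttl"], ttl)
    return {
        q: {"answers": s["answers"], "ips": len(s["ips"]), "prefixes": len(s["prefixes"]), "min_ttl": s["min_ttl"]}
        for q, s in per_name.items()
    }


def is_fast_flux(stats, min_ips=5, min_prefixes=4, max_ttl=300):
    """All three conditions must hold: many IPs, spread over many networks, short TTL.

    Requiring prefix diversity is what keeps CDN rotation from matching.
    """
    return stats["ips"] >= min_ips and stats["prefixes"] >= min_prefixes and stats["min_ttl"] <= max_ttl


def classify(observations):
    """Label every observed name as 'fast-flux' or 'benign'."""
    return {q: ("fast-flux" if is_fast_flux(s) else "benign") for q, s in summarize(observations).items()}


if __name__ == "__main__":
    for name, stats in summarize(OBSERVATIONS).items():
        verdict = "fast-flux" if is_fast_flux(stats) else "benign"
        print(f"{name:12} ips={stats['ips']:2} prefixes={stats['prefixes']:2} "
              f"min_ttl={stats['min_ttl']:5} -> {verdict}")
```

The thresholds are deliberately conservative; in practice you would tune them against a week of resolver logs, add churn over time (how many new IPs appear per day) as a fourth signal, and whitelist known CDN and DNS-load-balancing providers up front.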