The financially motivated threat group known as Water Orthrus, responsible for CopperStealer and Scranos campaigns, has launched two new campaigns named CopperStealth and CopperPhish. Water Orthrus has a history of using pay-per-install networks to distribute CopperStealer, an information stealer, and previously distributed malicious browser extensions.
In the recent campaigns, CopperStealth is distributed through Chinese software-sharing websites, utilizing a rootkit and multiple payloads, while CopperPhish deploys a phishing kit via free file-sharing websites to harvest credit card information.
CopperStealth, delivered as installers for free tools, exhibits an infection chain involving a rootkit that injects its payload into system processes. It blocks access to blocklisted registry keys and prevents certain executables and drivers from running.
CopperPhish, distributed through PPI networks, uses a similar process and leverages a downloader service to launch a phishing kit that prompts victims to scan a QR code for identity verification and enter a confirmation code, enabling the harvesting of sensitive data.
The similarities in source code characteristics between CopperStealth, CopperPhish, and CopperStealer suggest a potential connection and common authorship. The campaigns highlight the threat actor’s evolution in tactics, expanding their capabilities and targeting financial gains.
These developments coincide with the discovery of fake installers for AI tools and the emergence of the TrafficStealer service that redirects traffic for illicit ad clicks.
