CopperSteal Infostealer Evolves to Target AWS, Azure, and Google Cloud Credentials

New 'CopperSteal' Malware Variant Enhances Cloud Credential Theft Capabilities

Severity: HIGH
February 16, 2026
5 min read
Malware, Cloud Security, Threat Intelligence

Executive Summary

Security researchers at ThreatFabric have identified a significant evolution of the CopperSteal information-stealing malware. The new version (V2) has been specifically re-engineered to target and steal credentials from major cloud service providers, including Amazon Web Services (AWS), Microsoft Azure, and Google Cloud. Delivered via trojanized software, the malware actively scans infected systems for CLI configuration files and browser session data to harvest API keys and access tokens. The stolen credentials are then sold on dark web forums, providing threat actors with a direct pathway into sensitive corporate cloud environments. This shift in targeting from personal accounts to high-value enterprise cloud infrastructure represents a critical threat to organizations, potentially leading to widespread data breaches and follow-on attacks.


Threat Overview

  • Malware: CopperSteal (V2)
  • Type: Information Stealer (Infostealer)
  • Primary Targets: Cloud credentials (API keys, secret keys, session cookies) for AWS, Azure, and Google Cloud.
  • Delivery Method: Trojanized software, often disguised as developer tools.
  • Impact: Credential theft, unauthorized cloud access, potential for data breach, ransomware, and corporate espionage.

The evolution of CopperSteal demonstrates a clear trend of malware authors adapting to modern enterprise IT. By targeting cloud credentials, attackers bypass traditional perimeter defenses and gain direct access to an organization's most critical data and infrastructure.

Technical Analysis

The malware operates in a series of calculated steps:

  1. Initial Access (T1204.002 - User Execution: Malicious File): The primary delivery vector is trojanized software, often posing as developer tools, that the victim downloads from untrustworthy sources and runs. Developers and IT administrators are key targets, as they are more likely to download such tools and to have valuable credentials stored on their machines.
  2. Execution & Persistence: Once the user runs the malicious installer, the CopperSteal payload is dropped and executed. It may establish persistence to ensure it continues to run and steal data over time.
  3. Credential Access (T1552.001 - Unsecured Credentials: Credentials In Files; T1539 - Steal Web Session Cookie): This is the core function of CopperSteal V2. It has dedicated modules that scan for:
    • CLI Configuration Files: It searches the default file paths used by cloud CLIs, such as ~/.aws/credentials for AWS, ~/.azure/azureProfile.json for Azure, and ~/.config/gcloud/ for Google Cloud.
    • Browser Data: It inspects browser databases (e.g., the SQLite cookie stores of Chrome and Firefox) to steal active session cookies for cloud management consoles. A valid session cookie lets the attacker act as the already-authenticated user without logging in again.
    • Environment Variables: It reads environment variables such as AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY that may hold hardcoded access keys.
  4. Collection (T1560 - Archive Collected Data): The stolen credentials and cookies are collected and often compressed into an archive.
  5. Exfiltration (T1041 - Exfiltrate Data Over C2 Channel): The data is sent to an attacker-controlled command-and-control (C2) server via an encrypted channel to avoid detection by network monitoring tools.
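The credential material the stealer goes after in steps 3 and 4 is also exactly what a defender should inventory on a developer workstation before an infection does it for them. The following check is an added example for this page, not code from ThreatFabric or from CopperSteal: it parses the same CLI files and environment variables named above and reports long-lived secrets. The sample files and environment are constructed; the key values are AWS's documented placeholder keys, and the gcloud application-default-credentials path is added as a well-known location the page does not list.

```python
"""Workstation check for the credential material CopperSteal V2 harvests:
static keys in cloud CLI config files and secrets in environment variables.
Added example for this page, not ThreatFabric or CopperSteal code; sample
input below is constructed."""
import configparser
import json
import os
import re
from typing import Dict, List

# Paths the page names for AWS and Azure, plus the standard gcloud
# application-default-credentials file.
WATCHED_FILES = [
    "~/.aws/credentials",
    "~/.azure/azureProfile.json",
    "~/.config/gcloud/application_default_credentials.json",
]
# Environment variables that commonly carry hardcoded cloud secrets.
WATCHED_ENV = ["AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY",
               "AZURE_CLIENT_SECRET", "GOOGLE_APPLICATION_CREDENTIALS"]
# AKIA... is a long-lived IAM user key; ASIA... is a temporary STS key.
LONG_LIVED_KEY = re.compile(r"^AKIA[0-9A-Z]{16}$")


def audit_aws_credentials(text: str) -> List[str]:
    """Flag profiles in ~/.aws/credentials that hold a long-lived key pair."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for profile in cp.sections():
        key_id = cp[profile].get("aws_access_key_id", "")
        if cp[profile].get("aws_secret_access_key") and LONG_LIVED_KEY.match(key_id):
            findings.append(f"aws profile '{profile}' stores static key {key_id[:8]}...")
    return findings


def audit_azure_profile(text: str) -> List[str]:
    """azureProfile.json lists subscriptions with a cached CLI login, which
    means reusable tokens sit in the same directory."""
    subs = json.loads(text).get("subscriptions", [])
    return [f"azure CLI login cached for {s.get('user', {}).get('name')} "
            f"(subscription '{s.get('name')}')" for s in subs]


def audit_gcloud_adc(text: str) -> List[str]:
    """ADC holds a user refresh token or a service-account private key,
    both of which are long-lived."""
    data = json.loads(text)
    if data.get("refresh_token") or data.get("private_key"):
        return [f"gcloud ADC holds a long-lived {data.get('type')} credential"]
    return []


def audit(files: Dict[str, str], env: Dict[str, str]) -> List[str]:
    """files maps a path to its contents (only files that exist are passed)."""
    findings: List[str] = []
    for path, text in files.items():
        if path.endswith(".aws/credentials"):
            findings += audit_aws_credentials(text)
        elif path.endswith("azureProfile.json"):
            findings += audit_azure_profile(text)
        elif path.endswith("application_default_credentials.json"):
            findings += audit_gcloud_adc(text)
    findings += [f"environment variable {n} is set" for n in WATCHED_ENV if env.get(n)]
    return findings


def read_watched_files() -> Dict[str, str]:
    """Collect the real files from this workstation for a stand-alone run."""
    found = {}
    for p in WATCHED_FILES:
        full = os.path.expanduser(p)
        if os.path.isfile(full):
            with open(full, encoding="utf-8", errors="replace") as fh:
                found[full] = fh.read()
    return found


# Constructed sample: one static AKIA key, one temporary ASIA key (not
# flagged), a cached Azure login and a secret exported in the shell.
SAMPLE_FILES = {
    "/home/dev/.aws/credentials": (
        "[default]\n"
        "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
        "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
        "[sso-temp]\n"
        "aws_access_key_id = ASIAIOSFODNN7EXAMPLE\n"
        "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
        "aws_session_token = FwoGZXIvYXdzEXAMPLE\n"
    ),
    "/home/dev/.azure/azureProfile.json": json.dumps(
        {"subscriptions": [{"name": "Prod", "user": {"name": "dev@example.com"}}]}),
}
SAMPLE_ENV = {"PATH": "/usr/bin",
              "AWS_SECRET_ACCESS_KEY": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}

if __name__ == "__main__":
    for line in audit(SAMPLE_FILES, SAMPLE_ENV):
        print("sample:", line)
    for line in audit(read_watched_files(), dict(os.environ)):
        print("this host:", line)
```

Run stand-alone it first reports on the constructed sample and then on the real files of the machine it runs on. The ASIA profile is deliberately not flagged: temporary STS keys expire on their own, which is the whole point of mitigation 2 below, so the check only counts durable material.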

Impact Assessment

The theft of cloud credentials can be catastrophic:

  • Complete Cloud Environment Compromise: An attacker with admin-level credentials can control the entire cloud infrastructure, including virtual machines, databases, and storage.
  • Massive Data Breach: Attackers can access and exfiltrate sensitive data stored in cloud databases (e.g., Amazon RDS) and storage buckets (e.g., Amazon S3).
  • Ransomware Deployment: Stolen credentials can be used to deploy ransomware across the entire fleet of cloud servers, crippling operations.
  • Financial Abuse: Attackers can spin up expensive resources, such as cryptocurrency miners (T1496 - Resource Hijacking), leading to enormous bills.
  • Supply Chain Attacks: If the compromised account belongs to a developer, attackers could potentially inject malicious code into the software development lifecycle.

Detection & Response

  1. Endpoint Detection: Use EDR solutions to monitor for suspicious file access patterns, such as an unknown process reading from .aws or .azure directories. Create rules to detect the execution of known trojanized software.
  2. Cloud Activity Monitoring: Feed cloud audit logs (e.g., AWS CloudTrail, Azure Activity Log, Google Cloud Audit Logs) into your detection tooling to spot stolen credentials in use: logins or API calls from unusual IP addresses, user agents or geographies, or API calls a given key has never made before. CSPM tools find misconfigurations but do not by themselves see this runtime activity.
  3. Behavioral Analytics: Use UEBA to detect when a developer's account is used to perform actions outside of their normal behavior, such as accessing a production database they don't typically manage.
  4. Threat Intelligence: Integrate threat intelligence feeds that contain IOCs related to CopperSteal C2 servers and block them at the network perimeter.
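Items 2 and 3 above come down to one question: is this access key being used the way its owner normally uses it? The detection below is an added example for this page (not from the ThreatFabric report or any vendor product). It learns a per-key baseline of source IPs, user agents and API names from CloudTrail-shaped records dated before a cutoff, then flags later events that differ on two or more of those attributes, or that use a key with no baseline at all. The records are constructed; the two-attribute threshold is an assumption to tune for your fleet.

```python
"""Flag a cloud access key being replayed from outside its usual context.
Added example for this page, not from the ThreatFabric report. EVENTS are
constructed, CloudTrail-shaped records; in production they would be read
from a CloudTrail export or a SIEM."""
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, List

CLI = "aws-cli/2.15.0 Python/3.11.6 Linux/6.5"
BOTO = "Boto3/1.34.0 md/Botocore#1.34.0 ua/2.0 Python/3.11.4"
KEY = "AKIAIOSFODNN7EXAMPLE"  # AWS documentation placeholder key


def event(when: str, ip: str, agent: str, name: str, key: str = KEY) -> Dict:
    return {"eventTime": when, "eventName": name, "sourceIPAddress": ip,
            "userAgent": agent,
            "userIdentity": {"accessKeyId": key, "userName": "alice"}}


# Constructed log: four days of normal developer use, then a normal workday
# call, a VPN address change, and two calls from an unfamiliar host and SDK.
EVENTS = [
    event("2026-02-10T09:00:00Z", "203.0.113.10", CLI, "GetCallerIdentity"),
    event("2026-02-11T09:05:00Z", "203.0.113.10", CLI, "ListObjectsV2"),
    event("2026-02-12T10:00:00Z", "203.0.113.10", CLI, "DescribeInstances"),
    event("2026-02-13T09:10:00Z", "203.0.113.10", CLI, "ListObjectsV2"),
    event("2026-02-16T08:30:00Z", "203.0.113.10", CLI, "ListObjectsV2"),
    event("2026-02-16T12:00:00Z", "203.0.113.11", CLI, "GetCallerIdentity"),
    event("2026-02-16T23:41:00Z", "198.51.100.77", BOTO, "ListBuckets"),
    event("2026-02-16T23:42:00Z", "198.51.100.77", BOTO, "CreateAccessKey"),
]


def parse_time(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_baseline(events: List[Dict], cutoff: datetime) -> Dict[str, Dict[str, set]]:
    """Per access key: the IPs, user agents and API names seen before cutoff."""
    base: Dict[str, Dict[str, set]] = defaultdict(
        lambda: {"ips": set(), "agents": set(), "calls": set()})
    for e in events:
        if parse_time(e["eventTime"]) < cutoff:
            b = base[e["userIdentity"]["accessKeyId"]]
            b["ips"].add(e["sourceIPAddress"])
            b["agents"].add(e["userAgent"])
            b["calls"].add(e["eventName"])
    return base


def detect(events: List[Dict], cutoff: datetime, threshold: int = 2) -> List[Dict]:
    """Return post-cutoff events whose context departs from the key's baseline."""
    base = build_baseline(events, cutoff)
    alerts = []
    for e in events:
        if parse_time(e["eventTime"]) < cutoff:
            continue
        key = e["userIdentity"]["accessKeyId"]
        if key not in base:
            reasons = ["access key has no baseline (never seen before cutoff)"]
            hit = True
        else:
            b = base[key]
            reasons = []
            if e["sourceIPAddress"] not in b["ips"]:
                reasons.append(f"new source IP {e['sourceIPAddress']}")
            if e["userAgent"] not in b["agents"]:
                reasons.append(f"new user agent {e['userAgent']}")
            if e["eventName"] not in b["calls"]:
                reasons.append(f"first use of {e['eventName']} with this key")
            hit = len(reasons) >= threshold
        if hit:
            alerts.append({**e, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS, parse_time("2026-02-15T00:00:00Z")):
        print(a["eventTime"], a["userIdentity"]["userName"], a["eventName"],
              "|", "; ".join(a["reasons"]))
```

With the default threshold the VPN address change (one new attribute) stays quiet while the two late-night Boto3 calls from 198.51.100.77 fire on all three attributes; CreateAccessKey in particular is a classic step an attacker takes to mint a second, longer-lived key once the stolen one works. Lower the threshold to 1 for keys bound to a single CI host, where any new IP is itself suspicious.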

Mitigation

Protecting against infostealers like CopperSteal requires a focus on endpoint and identity security:

  1. Restrict Software Installation (M1033 - Limit Software Installation): Prevent users, especially developers, from downloading and installing software from untrusted sources. Use application allowlisting to enforce this.
  2. Cloud Credential Best Practices: Avoid storing long-lived static credentials (API keys) on developer workstations. Instead, use temporary credentials obtained via IAM roles and identity federation (e.g., assuming a role from an SSO session). This is a form of M1026 - Privileged Account Management.
  3. Endpoint Hardening: Secure developer workstations as high-value assets. Implement strict security policies, EDR, and regular vulnerability scanning.
  4. Multi-Factor Authentication (MFA): A stolen session cookie replays an already-authenticated session and therefore sidesteps MFA, but enforcing MFA on all cloud accounts remains a critical layer of defense, especially for console logins, and short console session lifetimes limit how long a stolen cookie stays usable. See M1032 - Multi-factor Authentication.
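A concrete form of item 2 above, written as an added illustration for this page rather than taken from the report: the same AWS CLI profile with a long-lived key pair, and then with an IAM Identity Center (SSO) session that yields short-lived role credentials. The start URL, account ID and role name are hypothetical placeholders; the key values are AWS's documented examples.

```ini
# Weak: a long-lived IAM user key pair in ~/.aws/credentials. Anything that
# can read the file (CopperSteal included) holds the account until the key
# is rotated or deleted.
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

# Hardened: ~/.aws/config with an SSO session. `aws sso login --profile dev`
# completes the browser and MFA flow, after which the CLI fetches temporary
# role credentials on demand. The tokens cached under ~/.aws/sso/cache
# expire with the session instead of living on disk indefinitely.
# sso_start_url, sso_account_id and sso_role_name are placeholders.
[sso-session corp]
sso_start_url = https://corp-example.awsapps.com/start
sso_region = us-east-1
sso_registration_scopes = sso:account:access

[profile dev]
sso_session = corp
sso_account_id = 123456789012
sso_role_name = DeveloperAccess
region = us-west-2
```

Once every profile looks like the second block, the file an infostealer copies contains no secret that outlives the session, and the account-level audit trail shows a role session rather than a bare IAM user, which also makes the anomaly detection in the previous section sharper.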

Timeline of Events

  • February 16, 2026: This article was published

MITRE ATT&CK Mitigations

  • M1033 - Limit Software Installation: Prevent users from installing unvetted software from the internet, which is a primary delivery mechanism for infostealers.
  • M1026 - Privileged Account Management: Avoid using long-lived static credentials. Use IAM roles and temporary tokens for cloud access to minimize the impact of credential theft.
  • Endpoint detection: Use modern EDR solutions to detect and block malware like CopperSteal based on its behavior.

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

infostealer, CopperSteal, cloud security, AWS, Azure, Google Cloud, credential theft