Water Orthrus New Campaigns Deliver Rootkit and Phishing Modules
Water Orthrus has recently been active with two new campaigns. CopperStealth uses a rootkit to install malware on infected systems, while CopperPhish steals credit card information. This blog post describes the structure of both campaigns and how they work.
Since 2021, we have been tracking the activities of a threat actor we called Water Orthrus, which distributed CopperStealer malware via pay-per-install (PPI) networks. The threat actor has upgraded and modified the malware multiple times for different purposes, such as injecting network advertisements, acquiring personal information, and stealing cryptocurrency. We believe that they are associated with the threat campaign reported as “Scranos” in 2019.
Figure 1. CopperStealth infection chain
In March 2023, we observed two campaigns delivering new malware that we named CopperStealth and CopperPhish. Both malware families share characteristics with CopperStealer and were likely developed by the same author, leading us to believe that these campaigns are Water Orthrus’ new activities.
Figure 2. CopperPhish infection chain
This blog post discusses our analysis of the CopperStealth and CopperPhish infection chains, and how they resemble Water Orthrus’ previous activity.