Operation Copperfield

About Operation Copperfield

On December 11, 2017 at 01:21 AM, a night-shift employee working at an around-the-clock critical infrastructure facility located in the Middle East plugged his USB drive into a shared workstation so that he could watch the movie La La Land on his break. After about 30 minutes, he was interrupted by a call and had to get back to work. He didn’t know that he had launched a sequence of events that could have been disastrous for his organization—along with the movie, he had launched a well-hidden attack by foreign actors that Nyotron has named Operation Copperfield.


Why the Name Copperfield?

The script-based malware attack leveraged Windows Script Host—an automation tool included in Windows. The Visual Basic Script used to carry out the attack is a variant of a 4-year old attack known as H-worm or Houdini, the malware creator’s alias. This is an old attack that slipped by multiple security products (McAfee Endpoint Security and Malwarebytes) installed on the customer’s endpoints. Nyotron renamed it Copperfield, in honor of Houdini’s well-known contemporary David Copperfield, to recognize the malware’s new use of obfuscation and advanced masquerading techniques.

How Does Copperfield Work?

The malware author obfuscated the real content of the script using a $25 tool called BronCoder. This crypter tool changed the structure and, hence, the hash of the malware so that it didn’t match previously seen variants. This is how incredibly easy it is to bypass leading antivirus products. In fact, only 27 out of 58 anti-malware products (including all leading Next-generation Antivirus products) were able to detect this malware.

Copperfield’s Amazing Disappearing Act

Copperfield has a unique ability to hide on a USB drive and, at the same time, ensure that it’ll be executed without the user noticing anything unusual. This malware hides all original files found on the drive by applying hidden system attributes while creating LNK files containing malware that have the same names and even the same icons as the original files. LNK is the extension of a shortcut file used by Microsoft Windows to point to an executable file. So the user sees the expected files with same icons next to them. When the user double-clicks the file, it first executes the malware (in a silent fashion) and then runs the original file—a user perceives no change in behavior. Once on an organization’s device, Copperfield, a Remote Access Trojan (RAT), will have full control over the machine—including the ability to:

Send information about the machine (including antivirus products installed) to the attacker
Update itself
Upload any file from the machine to the attacker’s server
Run ANY command on the machine (aka arbitrary code execution)
Most importantly, download and run ANY additional executable (e.g., additional malware, keyloggers, screen grabbers and audio recorders)
Infect a USB drive to spread an infection to other devices

How Nyotron Protects from Copperfield

Nyotron’s PARANOID product, applying an OS-Centric Positive Security model, successfully blocked all damage from Copperfield at the customer’s site. By focusing on the damage stage of the attack kill-chain, PARANOID understands all the finite ways attackers can do damage and prevents them, no matter what attack vector or method is used, even devious masquerading used in Operation Copperfield.


Get More Secrets Behind Operation Copperfield

Download our detailed Operation Copperfield Report to get a step-by-step review of how this malware works and how Nyotron’s PARANOID stopped it in its tracks using an OS-Centric Positive Security model.