Cybersecurity researchers have identified a new malware campaign targeting individuals searching for pirated software. This campaign introduces a clipper malware known as MassJacker, which poses a significant threat to cryptocurrency users by intercepting and altering clipboard data.

Understanding Clipper Malware

Clipper malware is designed to manipulate clipboard data, often with the intent of stealing cryptocurrency. When a user copies a cryptocurrency wallet address, the malware replaces it with an address controlled by the attacker, redirecting funds to the hacker.

How Clipper Malware Operates

This type of malware operates stealthily, monitoring clipboard activity and modifying copied text in real-time. Advanced variants may include anti-detection measures and the ability to communicate with remote servers to update wallet addresses dynamically.

  • Silent Operation: Monitors clipboard activity without user awareness.
  • Real-Time Alteration: Changes copied wallet addresses to those of the attacker.

MassJacker's Infection Process

MassJacker's infection chain starts on a site that distributes pirated software and also serves malware. The attack sequence runs a cmd script, then a PowerShell script that downloads three executables: the Amadey botnet and two .NET executables.

Technical Breakdown of the Attack

The first of these, known as PackerE, downloads an encrypted DLL called PackerD1, which employs various anti-analysis techniques. It then loads PackerD2, which contains the MassJacker payload, and injects it into InstallUtil.exe for execution.

  • JIT Hooking: Utilizes a .NET technique to modify functions at runtime, complicating static analysis.
  • Anti-Analysis Techniques: Includes memory obfuscation and anti-debugging loops.

MassJacker's Cryptocurrency Theft Mechanism

MassJacker uses a configuration file with regex patterns to detect cryptocurrency wallet addresses. It downloads encrypted wallet lists from command and control (C2) servers, containing stolen addresses, including those for Solana wallets.

The malware monitors clipboard activity, replacing copied wallet addresses with those controlled by the attacker. This enables the theft of cryptocurrency funds.
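As an added illustration (not code from the article or from the CyberArk research), the following Python sketch shows the defender-side mirror of the mechanism just described: if a clipboard read-back differs from what the user last copied, and both values look like addresses of the same coin, something rewrote the clipboard behind the user's back. The address regexes and the event timeline are constructed for this example and are not taken from MassJacker's configuration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Loose address-shape patterns, constructed for this example (MassJacker
# ships its own regex config; nothing here is taken from it).
ADDRESS_PATTERNS = [
    ("eth", re.compile(r"^0x[0-9a-fA-F]{40}$")),
    ("btc", re.compile(r"^(bc1[02-9ac-hj-np-z]{25,60}|[13][1-9A-HJ-NP-Za-km-z]{25,34})$")),
    ("ltc", re.compile(r"^(ltc1[02-9ac-hj-np-z]{25,60}|[LM][1-9A-HJ-NP-Za-km-z]{26,33})$")),
    ("sol", re.compile(r"^[1-9A-HJ-NP-Za-km-z]{32,44}$")),  # plain base58, checked last
]

def classify(text: str) -> Optional[str]:
    """Coin family the text is shaped like, or None for ordinary text."""
    for name, pattern in ADDRESS_PATTERNS:
        if pattern.match(text.strip()):
            return name
    return None

@dataclass
class ClipEvent:
    source: str   # "user_copy" = the user pressed copy; "poll" = periodic read-back
    content: str

def detect_swaps(events: list) -> list:
    """Return (coin, copied, observed) for every silent address rewrite.
    A user copy sets the trusted value; a later read-back showing a different
    address of the same coin, with no user copy in between, is the clipper
    signature the article describes."""
    alerts, trusted = [], None
    for ev in events:
        if ev.source == "user_copy":
            trusted = ev.content
            continue
        if trusted is None or ev.content == trusted:
            continue
        coin = classify(trusted)
        if coin and classify(ev.content) == coin:
            alerts.append((coin, trusted, ev.content))
            trusted = ev.content  # report each swap once, not on every poll
    return alerts

# Constructed timeline: a Solana address copied by the user survives one poll,
# then a later poll shows a different Solana-shaped address in its place.
SAMPLE_EVENTS = [
    ClipEvent("user_copy", "7xKXtg2CW87d97TXJSDpbD5jBkheTqA83TZRuJosgAsU"),
    ClipEvent("poll", "7xKXtg2CW87d97TXJSDpbD5jBkheTqA83TZRuJosgAsU"),
    ClipEvent("poll", "9hqN2mDvk4WkYrpzhsYrSh8VxDpYjzRX8bUEnCnKZrPg"),
    ClipEvent("user_copy", "meeting notes for thursday"),  # ordinary text: ignored
    ClipEvent("poll", "meeting notes for thursday"),
]
```

On a real endpoint the `poll` events would come from reading the clipboard on a timer and the `user_copy` events from a copy hotkey hook; the logic above is the part that turns those two streams into an alert.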

Financial Impact and Attribution

CyberArk researchers reported that wallets linked to MassJacker held $95,300, with a total of $336,700 previously transferred out. Although only 423 wallets contained funds, the actual number is likely higher due to fluctuating cryptocurrency values.

MassJacker appears to function as a malware-as-a-service (MaaS), used by multiple threat actors. However, evidence suggests a single entity may be managing the stolen funds, given shared file names, encryption keys, and a consolidating Litecoin wallet.
