MassJacker Clipper Malware Attacking Users Installing Pirated Software

A newly discovered cryptojacking malware dubbed “MassJacker” is targeting users who download pirated software, replacing cryptocurrency wallet addresses to redirect funds to attackers.
The malware acts as a clipboard hijacker, monitoring when users copy crypto wallet addresses and silently replacing them with addresses controlled by the threat actors.
The infection chain begins at sites like pesktop[.]com that advertise pirated software but actually distribute malware.
When users download these seemingly legitimate programs, the malware executes a command script followed by a PowerShell script that downloads multiple additional executables.
CyberArk security researchers identified that MassJacker employs sophisticated anti-analysis techniques to evade detection, including JIT hooking, metadata token mapping, and a custom virtual machine implementation to obfuscate its code.
The malware’s structure suggests connections to an earlier threat called MassLogger, though its functionality is focused specifically on cryptocurrency theft.
“MassJacker works by replacing the addresses of crypto wallets copied by the user with ones belonging to the attacker in the clipboard.
By doing so, the attacker attempts to trick the victim into transferring money to the attacker’s address instead of the intended target,” explains the report detailing the threat.
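The swap described above leaves a recognisable trace: the clipboard holds one wallet address and, a fraction of a second later, a different address of the same chain, with no user action in between. The following detector is an added example written for this article (not code from the report or the malware); it runs over a constructed stream of clipboard polls, and the address patterns and the one-second window are assumptions, not values from the report.

```python
import re
from dataclasses import dataclass

# Heuristic address patterns for chains a clipper typically targets (assumed, not exhaustive).
# BTC is checked first because legacy BTC addresses also satisfy the broad base58 SOL pattern.
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "sol": re.compile(r"^[1-9A-HJ-NP-Za-km-z]{32,44}$"),
}


def classify_address(text):
    """Return the chain whose pattern matches the text, or None for non-address text."""
    text = text.strip()
    for chain, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return chain
    return None


@dataclass
class Snapshot:
    t_ms: int   # time the clipboard was polled, in milliseconds
    text: str   # clipboard text observed at that poll


def find_swaps(snapshots, window_ms=1000):
    """Flag consecutive polls where one wallet address became a different address of the
    same chain within window_ms. Returns (chain, original, replacement) tuples."""
    alerts = []
    prev = None
    for snap in snapshots:
        chain = classify_address(snap.text)
        if prev is not None and chain is not None:
            same_chain = classify_address(prev.text) == chain
            changed = prev.text.strip() != snap.text.strip()
            if same_chain and changed and snap.t_ms - prev.t_ms <= window_ms:
                alerts.append((chain, prev.text.strip(), snap.text.strip()))
        prev = snap
    return alerts


# Constructed sample stream: an ETH address is swapped 200 ms after being copied (clipper
# behaviour), while two BTC addresses copied 15 s apart are ordinary user activity.
ETH_USER = "0x1111111111111111111111111111111111111111"
ETH_SWAPPED = "0x2222222222222222222222222222222222222222"
SAMPLE_STREAM = [
    Snapshot(0, "invoice #4411"),
    Snapshot(100, ETH_USER),
    Snapshot(300, ETH_SWAPPED),
    Snapshot(5000, "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"),
    Snapshot(20000, "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"),
]
```

Running `find_swaps(SAMPLE_STREAM)` yields a single alert for the ETH replacement; the two BTC copies fall outside the window and are not flagged.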
The malware uses AES-encrypted lists of attacker-controlled wallets, downloaded as recovery.dat and recoverysol.dat files.
When analyzing the infection process, researchers found that MassJacker utilizes multiple packers and employs process injection to hide the malicious payload in a seemingly legitimate process called InstalUtil.exe.
The Massive Scale of the Theft Operation
In a stunning discovery, researchers found that the threat actors behind MassJacker have deployed an operation utilizing over 778,531 unique cryptocurrency wallet addresses.
The investigation uncovered one particularly active Solana wallet with the address “CJpe4dUcV5Knc2XZKTVsTNHm2MpmJGJNWCJdkfbNdYF5” that contained approximately $87,000 worth of Solana tokens at the time of discovery.
Historical analysis showed this single wallet had previously held over 2075 SOL, worth more than $300,000.
The wallet’s extensive transaction history, including NFT transactions, suggests it may be involved in multiple criminal operations beyond just cryptojacking.
One victim tweeted about funds being stolen and transferred to this specific wallet, indicating the widespread impact of this operation.
The extensive number of transactions makes it unlikely that all funds came solely from clipboard hijacking, pointing to additional malicious activities by the same threat actors.
The post MassJacker Clipper Malware Attacking Users Installing Pirated Software appeared first on Cyber Security News.