A recent investigation has uncovered previously unknown cryptojacking malware, dubbed MassJacker, which primarily targets users who download pirated software from sites like pesktop.com.
This malware operates by replacing cryptocurrency wallet addresses copied by users with those belonging to the attackers, aiming to redirect funds to the threat actors’ wallets.
The discovery highlights the risks associated with using unauthorized software sources and the evolving nature of cryptojacking threats.
Infection Chain and Techniques
The MassJacker infection chain begins with the execution of a cmd script followed by a PowerShell script, which downloads additional executables.
One of these executables is identified as Amadey, a well-known botnet, while the others are dotnet executables compiled for different architectures.
The malware employs sophisticated anti-analysis techniques, including JIT Hooking and metadata token mapping, to evade detection.
These techniques are reminiscent of those used by another malware, MassLogger, suggesting a possible connection between the two threats.
The malware uses a custom virtual machine to further obfuscate its operations, executing scripts that manage control flow and deobfuscate additional resources.
Once fully loaded, MassJacker injects its payload into a process called InstalUtil.exe, where it implements cryptojacking functionality.
According to CyberArk, this includes replacing copied cryptocurrency addresses with attacker-controlled ones and downloading encrypted lists of wallets from Command and Control (C2) servers.
Impact and Analysis
The investigation revealed that MassJacker has been associated with over 750,000 unique wallet addresses, with one wallet holding over $300,000.
However, most wallets were found to be empty, and the total amount of money in active wallets was significantly lower.
The researchers suspect that much of the money in these wallets may not have originated from cryptojacking activities but from other malicious operations.
The use of a consistent encryption scheme allowed researchers to decrypt older files and uncover additional addresses, highlighting the malware’s extensive reach.
The discovery of MassJacker underscores the importance of avoiding pirated software and the need for robust security measures to protect against evolving cyber threats.
As cryptocurrencies continue to attract attention, malware like MassJacker will likely remain a significant concern for users and security professionals alike.
Are you from SOC/DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.
