Cyber Security News

MassJacker Clipper Malware Targets Users Installing Pirated Software

A recent investigation has uncovered previously unknown cryptojacking malware, dubbed MassJacker, which primarily targets users who download pirated software from sites like pesktop.com.

This malware operates by replacing cryptocurrency wallet addresses copied by users with those belonging to the attackers, aiming to redirect funds to the threat actors’ wallets.

The discovery highlights the risks associated with using unauthorized software sources and the evolving nature of cryptojacking threats.

Infection Chain Diagram

Infection Chain and Techniques

The MassJacker infection chain begins with the execution of a cmd script followed by a PowerShell script, which downloads additional executables.

One of these executables is identified as Amadey, a well-known botnet, while the others are .NET executables compiled for different architectures.

The malware employs anti-analysis techniques, including JIT hooking and metadata token mapping, to evade detection.

These techniques are reminiscent of those used by another malware, MassLogger, suggesting a possible connection between the two threats.

The malware uses a custom virtual machine to further obfuscate its operations, executing scripts that manage control flow and deobfuscate additional resources.

Once fully loaded, MassJacker injects its payload into a process called InstallUtil.exe, where it implements its cryptojacking functionality.

The MassJacker Configuration

According to CyberArk, this functionality includes replacing copied cryptocurrency addresses with attacker-controlled ones and downloading encrypted lists of wallet addresses from command-and-control (C2) servers.
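A defender-side check for the address-swapping behaviour described above, written as an added example (not CyberArk's or the article's code): it correlates clipboard-write events and flags a wallet address that is overwritten by a different address of the same family within a short window. The event format, the writing-process field, the process names and the sample addresses are all constructed for illustration; a real monitor would feed in its own clipboard-change log.

```python
import re
from collections import namedtuple

# Loose address shapes for two coin families (detection heuristics, not validators).
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

# One clipboard write: time in seconds, writing process (hypothetical monitor field), text.
ClipEvent = namedtuple("ClipEvent", "ts writer text")

def address_kind(text: str):
    """Return the address family a clipboard string looks like, or None."""
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text.strip()):
            return name
    return None

def detect_clipper(events, window: float = 2.0):
    """Flag writes that swap a just-copied address for a different one of the same family."""
    alerts = []
    events = sorted(events, key=lambda e: e.ts)
    for i, ev in enumerate(events):
        kind = address_kind(ev.text)
        if kind is None:
            continue
        for prev in reversed(events[:i]):
            if ev.ts - prev.ts > window:
                break  # older writes are outside the correlation window
            if address_kind(prev.text) == kind and prev.text.strip() != ev.text.strip():
                alerts.append({"ts": ev.ts, "writer": ev.writer, "kind": kind,
                               "original": prev.text, "replacement": ev.text})
                break
    return alerts

# Constructed sample: a user copies a BTC address; 300 ms later a clipper in an
# injected InstallUtil.exe overwrites it. The later ETH re-copy is benign.
USER_BTC = "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"       # sample address
SWAPPED_BTC = "1FakeAttackerAddr" + "A" * 17         # constructed placeholder
USER_ETH = "0x" + "ab12" * 10                        # constructed placeholder
SAMPLE_EVENTS = [
    ClipEvent(0.0, "chrome.exe", USER_BTC),
    ClipEvent(0.3, "InstallUtil.exe", SWAPPED_BTC),
    ClipEvent(40.0, "chrome.exe", USER_ETH),
    ClipEvent(40.5, "chrome.exe", USER_ETH),  # same address copied again
]

def sample_alerts():
    return detect_clipper(SAMPLE_EVENTS)
```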

Impact and Analysis

The investigation revealed that MassJacker has been associated with over 750,000 unique wallet addresses, with one wallet holding over $300,000.

However, most wallets were found to be empty, and the total amount of money in active wallets was significantly lower.

The researchers suspect that much of the money in these wallets may not have originated from cryptojacking activities but from other malicious operations.

The use of a consistent encryption scheme allowed researchers to decrypt older files and uncover additional addresses, highlighting the malware’s extensive reach.

The discovery of MassJacker underscores the importance of avoiding pirated software and the need for robust security measures to protect against evolving cyber threats.

As cryptocurrencies continue to attract attention, malware like MassJacker will likely remain a significant concern for users and security professionals alike.


Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
