
MassJacker: New Clipper Malware Targets Pirated Software Seekers

Discover how the new MassJacker clipper malware targets users seeking pirated software, employing advanced techniques for cryptocurrency theft. Learn about its infection process, anti-detection methods, and the financial impact on victims.


TL;DR

  • MassJacker, a new clipper malware, targets users searching for pirated software and steals cryptocurrency by swapping wallet addresses in the clipboard.
  • The malware employs several anti-analysis techniques (JIT hooking, memory obfuscation, anti-debugging) and appears to operate as malware-as-a-service (MaaS).
  • Researchers recovered a large set of attacker-controlled wallet addresses and traced substantial sums through them.

New MassJacker Clipper Malware Targets Pirated Software Seekers

CyberArk researchers have identified a new malware campaign distributing the MassJacker clipper malware, which targets users searching for pirated software. The malware intercepts and manipulates clipboard data for the purpose of cryptocurrency theft. When a victim copies a cryptocurrency wallet address, MassJacker replaces it with an address controlled by the attacker, so that funds are sent to the attacker instead of the intended recipient.

Understanding Clipper Malware

Clipper malware runs silently in the background, monitoring clipboard activity and altering copied text in real time. Because the substituted address is itself a valid address, the swap is not visible to the victim unless the pasted value is compared against the one that was originally copied. Advanced variants add anti-detection techniques and communicate with remote servers to update their replacement wallet addresses dynamically.

Infection Process

The MassJacker infection begins on a site, pesktop[.]com, that distributes pirated software alongside malware. The chain starts with a cmd script that runs a PowerShell script, which downloads three executables: the Amadey botnet and two .NET executables (32-bit and 64-bit). The .NET loader, dubbed PackerE, downloads an encrypted DLL (PackerD1) that employs multiple anti-analysis techniques. PackerD1 then loads PackerD2, which contains the MassJacker payload and injects it into InstallUtil.exe for execution.
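The delivery chain above (cmd script, hidden PowerShell, a .NET loader dropped in a user-writable directory, payload injected into InstallUtil.exe) leaves a recognizable process tree in endpoint telemetry. The following is an added hunting example, not CyberArk's code or anything from the campaign: it runs three heuristics over constructed, Sysmon-style process-creation records. The field names, the sample paths and command lines, and the rules themselves (cmd.exe spawning hidden PowerShell; InstallUtil.exe started with no arguments or by a parent in a user-writable path; InstallUtil.exe with PowerShell and cmd.exe among its ancestors) are assumptions for illustration.

```python
"""Hunting heuristics for a MassJacker-style delivery chain (added example, not CyberArk's code).

The events below are constructed Sysmon-style process-creation records; the field
names and the detection rules are assumptions chosen to illustrate the chain.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str    # full path of the started process
    cmdline: str  # command line as logged


# Paths a standard user can write to; a loader living here is a weak signal on its own,
# but a strong one when it is the parent of InstallUtil.exe.
USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp|AppData)\\", re.IGNORECASE)

# PowerShell switches typical of scripted droppers (hidden window, policy bypass, encoded command).
HIDDEN_PS = re.compile(
    r"-(w(indowstyle)?\s+hidden|e(p|xecutionpolicy)\s+bypass|enc(odedcommand)?\b)",
    re.IGNORECASE,
)

# Constructed sample telemetry: explorer -> cmd -> powershell -> x64.exe -> InstallUtil.exe,
# plus a benign InstallUtil.exe run from Visual Studio so the rules have something to ignore.
EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c "C:\Users\victim\Downloads\setup\run.cmd"'),
    ProcEvent(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -w hidden -ep bypass -f C:\Users\victim\AppData\Local\Temp\stage.ps1"),
    ProcEvent(400, 300, r"C:\Users\victim\AppData\Local\Temp\x64.exe", "x64.exe"),
    ProcEvent(500, 400, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",
              "InstallUtil.exe"),
    ProcEvent(600, 700, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",
              "InstallUtil.exe /i MyService.exe"),
    ProcEvent(700, 1, r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
              "devenv.exe"),
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(event: ProcEvent, by_pid: dict, limit: int = 8) -> list:
    """Image names of the parent, grandparent, ... up to `limit` hops (nearest first)."""
    out = []
    cur = by_pid.get(event.ppid)
    while cur is not None and len(out) < limit:
        out.append(basename(cur.image))
        cur = by_pid.get(cur.ppid)
    return out


def has_cmd_powershell_lineage(event: ProcEvent, by_pid: dict) -> bool:
    """True if powershell.exe is an ancestor and cmd.exe sits somewhere above it."""
    anc = ancestors(event, by_pid)
    if "powershell.exe" not in anc:
        return False
    return "cmd.exe" in anc[anc.index("powershell.exe") + 1:]


def find_suspicious(events: list) -> list:
    """Return (rule, pid) pairs for events matching any heuristic, in event order."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        name = basename(e.image)
        if (name == "powershell.exe" and parent is not None
                and basename(parent.image) == "cmd.exe" and HIDDEN_PS.search(e.cmdline)):
            hits.append(("cmd_spawns_hidden_powershell", e.pid))
        if name == "installutil.exe":
            # InstallUtil.exe with no arguments does nothing useful on its own; that is
            # the usual sign it was started only to host injected code.
            argless = len(e.cmdline.split(None, 1)) < 2
            parent_in_user_dir = parent is not None and bool(USER_WRITABLE.search(parent.image))
            if argless or parent_in_user_dir:
                hits.append(("installutil_injection_target", e.pid))
            if has_cmd_powershell_lineage(e, by_pid):
                hits.append(("massjacker_like_chain", e.pid))
    return hits


if __name__ == "__main__":
    for rule, pid in find_suspicious(EVENTS):
        print(f"{rule}: pid {pid}")
```

The lineage rule is the most specific of the three and the least likely to fire on developer machines, where InstallUtil.exe is legitimately run from Visual Studio or MSBuild with arguments; the argument-less check is the cheap first filter to apply at scale.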


Advanced Techniques

PackerD1 employs JIT hooking, a .NET technique that hooks the JIT compiler's compileMethod so that method bodies can be swapped at runtime, immediately before they are compiled. The method bodies present in the on-disk assembly are therefore not what actually executes, which defeats static analysis and decompilation. The malware's first resource contains the replacement code and the size data needed for the hook; PackerD1 parses and applies it before proceeding with further execution.

MassJacker itself supports multiple anti-analysis techniques, including memory obfuscation and an infinite anti-debugging loop. Its configuration holds regex patterns for recognizing cryptocurrency wallet addresses, together with C2 addresses from which it downloads encrypted wallet lists (recovery.dat and recoverysol.dat). These lists contain the attacker-controlled addresses used as replacements, the latter specifically for Solana wallets. MassJacker monitors clipboard activity and, whenever the copied text matches one of the patterns, replaces the wallet address with one of the attacker's, enabling cryptocurrency theft.
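To make the clipper mechanism from the two sections above concrete, here is an added simulation that is not the malware's or CyberArk's code: a regex configuration, a replacement-list lookup standing in for the decrypted recovery.dat / recoverysol.dat contents, the clipboard swap itself, and a defender-side guard that catches the swap by comparing what was copied with what is pasted. The patterns, the attacker address lists, the victim addresses and the way a replacement is chosen from the list are all constructed for illustration; the real configuration and selection logic are not reproduced here.

```python
"""Clipper swap logic and a paste-time guard (added example, not MassJacker or CyberArk code).

All patterns, address lists and sample clipboard contents below are constructed.
"""
import re

# Constructed regex config. Order matters: the Solana pattern (plain base58, 32-44 chars)
# also matches legacy Bitcoin addresses, so more specific formats are tried first.
WALLET_PATTERNS = {
    "eth": re.compile(r"\b0x[a-fA-F0-9]{40}\b"),
    "btc": re.compile(r"\b(bc1[a-z0-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b"),
    "ltc": re.compile(r"\b(ltc1[a-z0-9]{25,59}|[LM][a-km-zA-HJ-NP-Z1-9]{26,33})\b"),
    "sol": re.compile(r"\b[1-9A-HJ-NP-Za-km-z]{32,44}\b"),
}

# Stand-in for the decrypted replacement lists (constructed, not real attacker addresses).
ATTACKER_LISTS = {
    "eth": ["0x" + "1" * 40],
    "btc": ["bc1q" + "z" * 38, "1" + "A" * 30],
    "ltc": ["ltc1q" + "x" * 38],
    "sol": ["X" * 44],
}


def find_address(text: str):
    """Return (coin, match) for the first configured pattern found in text, else (None, None)."""
    for coin, pattern in WALLET_PATTERNS.items():
        m = pattern.search(text)
        if m:
            return coin, m
    return None, None


def pick_replacement(original: str, candidates: list) -> str:
    """Choose an attacker address for this victim address.

    The selection rule is an assumption for this example (deterministic index derived
    from the original); the page does not describe how MassJacker chooses.
    """
    return candidates[sum(map(ord, original)) % len(candidates)]


def clip(text: str, attacker_lists: dict):
    """Apply the clipper: swap the first recognized address, return (new_text, coin or None)."""
    coin, m = find_address(text)
    if coin is None or not attacker_lists.get(coin):
        return text, None
    replacement = pick_replacement(m.group(0), attacker_lists[coin])
    return text[:m.start()] + replacement + text[m.end():], coin


class ClipboardGuard:
    """Defender-side check: remember what the user copied and flag a paste that differs.

    A clipper produces a valid-looking address, so the only reliable tell is that the
    pasted address is not the one the user copied.
    """

    def __init__(self):
        self._last_copied = ""

    def on_copy(self, text: str) -> None:
        self._last_copied = text

    def check_paste(self, pasted: str) -> bool:
        """True if the address about to be pasted matches the one that was copied."""
        _, pasted_match = find_address(pasted)
        _, copied_match = find_address(self._last_copied)
        if pasted_match and copied_match:
            return pasted_match.group(0) == copied_match.group(0)
        return pasted == self._last_copied


# Constructed victim clipboard contents (the ETH value is the EIP-55 checksum test vector,
# the BTC value the BIP173 example address; neither belongs to anyone involved).
VICTIM_SAMPLES = [
    "0x52908400098527886E0F7030069857D2E4169EE7",
    "Send to bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq thanks",
    "A" * 22 + "B" * 22,
    "meeting at 10am",
]


def simulate(samples=VICTIM_SAMPLES, attacker_lists=ATTACKER_LISTS) -> list:
    """Run each sample through the clipper and the guard; return (coin, swapped, guard_ok)."""
    results = []
    for copied in samples:
        guard = ClipboardGuard()
        guard.on_copy(copied)
        swapped, coin = clip(copied, attacker_lists)
        results.append((coin, swapped != copied, guard.check_paste(swapped)))
    return results


if __name__ == "__main__":
    for coin, swapped, guard_ok in simulate():
        print(f"coin={coin} swapped={swapped} guard_passed={guard_ok}")
```

The guard only helps if the comparison happens where the user can still abort, such as a wallet front end that confirms the destination against the value last copied; checking the clipboard alone is pointless, since the clipper has already rewritten it by the time anything reads it.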

Financial Impact

CyberArk reported that MassJacker-linked wallets held $95,300 at the time of analysis, with a total of $336,700 previously transferred out of them. Only 423 of the recovered wallets contained funds, though the researchers believe the true number could be higher. They also suspect that most of the money did not come from clipboard hijacking alone but from other malicious activities by the same operator. Because cryptocurrency values fluctuate, these figures are estimates rather than exact losses.

Malware-as-a-Service (MaaS)

MassJacker appears to be a malware-as-a-service (MaaS) offering, likely used by multiple threat actors, much like Amadey and MassLogger. Despite this, the researchers suspect the wallets they found belong to a single threat actor, based on shared file names, shared encryption keys, and a Litecoin wallet that consolidates funds from multiple sources. While not definitive, this pattern points to one entity managing the stolen funds rather than several independent operators.

Conclusion

The emergence of MassJacker highlights the evolving tactics of cybercriminals targeting users who seek pirated software. The malware's anti-analysis techniques and the sums traced through its wallets underscore the need for vigilance and robust security controls. Users should avoid downloading software from untrusted sources and, when sending cryptocurrency, verify that the pasted destination address matches the one they intended to copy before confirming the transaction.


This post is licensed under CC BY 4.0 by the author.