People searching for pirated software are the target of a new malware campaign that delivers a previously undocumented clipper malware called MassJacker, according to findings from CyberArk.
Clipper malware is a type of malware (as coined by Microsoft) that's designed to monitor a victim's clipboard content and facilitate cryptocurrency theft by substituting copied cryptocurrency wallet addresses with an attacker-controlled one, so as to divert funds to the adversary instead of the intended recipient.
"The infection chain begins at a site called pesktop[.]com," security researcher Ari Novick said in an analysis published earlier this month. "This site, which presents itself as a page to find pirated software, also tries to get people to download all sorts of malware."
The initial executable acts as a conduit to run a PowerShell script that delivers a botnet malware, as well as two other .NET binaries, each compiled for 32- and 64-bit architectures.
The binary, codenamed PackerE, is responsible for downloading an encrypted DLL, which, in turn, loads a second DLL file that launches the MassJacker payload by injecting it into a legitimate Windows process called "InstallUtil.exe".
The encrypted DLL incorporates features that enhance its evasion and anti-analysis capabilities, including Just-In-Time (JIT) hooking, metadata token mapping to conceal function calls, and a custom virtual machine to interpret commands as opposed to running regular .NET code.
MassJacker, for its part, comes with its own anti-debugging checks and a configuration to retrieve all the regular expression patterns for flagging cryptocurrency wallet addresses in the clipboard. It also contacts a remote server to download files containing the list of wallets under the threat actor’s control.
"MassJacker creates an event handler to run whenever the victim copies anything," Novick said. "The handler checks the regexes, and if it finds a match, it replaces the copied content with a wallet belonging to the threat actor from the downloaded list."
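The copy-then-substitute behaviour described above, seen from the defender's side, as an added example that is not CyberArk's or the article's code: it scans a constructed clipboard event log and flags changes where a copied wallet address was silently replaced by a different address of the same type without any user copy in between. The wallet regexes and the event format are illustrative assumptions, not MassJacker's own configuration.

```python
import re
from dataclasses import dataclass

# Illustrative wallet address patterns (constructed for this example; the real
# clipper fetches its own regex set from its configuration, which is not on the page).
WALLET_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[a-z0-9]{25,59}$"),
    "eth":        re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "sol":        re.compile(r"^[1-9A-HJ-NP-Za-km-z]{32,44}$"),
}

def wallet_type(text):
    """Return the name of the first wallet pattern matching text, or None."""
    for name, pat in WALLET_PATTERNS.items():
        if pat.match(text.strip()):
            return name
    return None

@dataclass
class ClipEvent:
    # "user_copy": a copy action observed from the user (hotkey / menu);
    # "clipboard_changed": a clipboard poll saw new content.
    source: str
    content: str

def find_hijacks(events):
    """Flag clipboard changes that replaced a user-copied wallet address with a
    different address of the same type and no user copy in between: the
    fingerprint of a clipper substituting an attacker-controlled wallet."""
    hijacks, last_user_copy = [], None
    for ev in events:
        if ev.source == "user_copy":
            last_user_copy = ev.content
            continue
        if last_user_copy is None or ev.content == last_user_copy:
            continue  # nothing copied yet, or an unchanged re-read of the clipboard
        before, after = wallet_type(last_user_copy), wallet_type(ev.content)
        if before is not None and before == after:
            hijacks.append((last_user_copy, ev.content, after))
    return hijacks

# Constructed sample event log: one benign copy, one hijacked BTC address,
# one legitimate re-copy of an ETH address, one unrelated clipboard change.
SAMPLE_EVENTS = [
    ClipEvent("user_copy", "hello world"),
    ClipEvent("clipboard_changed", "hello world"),
    ClipEvent("user_copy", "1AbCdEfGhJkMnPqRsTuVwXyZ23456789ab"),
    ClipEvent("clipboard_changed", "3AbCdEfGhJkMnPqRsTuVwXyZ23456789ab"),
    ClipEvent("user_copy", "0x1111111111111111111111111111111111111111"),
    ClipEvent("user_copy", "0x2222222222222222222222222222222222222222"),
    ClipEvent("clipboard_changed", "0x2222222222222222222222222222222222222222"),
    ClipEvent("clipboard_changed", "meeting notes"),
]
```

Running `find_hijacks(SAMPLE_EVENTS)` returns exactly one tuple, the BTC substitution, while the user's own second ETH copy and the unrelated text change are not flagged.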
CyberArk said it identified over 778,531 unique addresses belonging to the attackers, with only 423 of them containing funds totaling approximately $95,300. But the total amount of digital assets held in all these wallets prior to them being transferred out stands at around $336,700.
What's more, cryptocurrency worth about $87,000 (600 SOL) has been found parked in a single wallet, with over 350 transactions funneling money into the wallet from different addresses.
Exactly who is behind MassJacker is unknown, although a deeper examination of the source code has identified overlaps with another known malware, which has also leveraged JIT hooking in an attempt to resist analysis efforts.