According to Cyberark’s findings, users searching for pirated software are the target of a new malware campaign that offers previously undocumented clipper malware called MassJacker.
Clipper malware is a kind of cliair (created by Microsoft) designed to promote cryptocurrency theft by monitoring the victim’s clipboard content and replacing copied cryptocurrency wallet addresses with those controlled by attackers.
“Infection chains begin on a site called PeskTop[.]com, “Security researcher Ari Novick said in an analysis published earlier this week: “As a site that obtains pirated software, this site is trying to get people to download all sorts of malware.”
The first executable serves as a conduit to run a botnet malware named Amadey and a PowerShell script that delivers two other .NET binaries, each compiled for a 32-bit architecture.
Binary, CodeNead Packere is responsible for downloading encrypted DLLs. This loads a second DLL file that launches the Massjacker payload by injecting it into a legitimate Windows process called “Instalutil.exe”.
The encrypted DLL incorporates features that increase its evasion and anti-analysis capabilities, such as just-in-time (JIT) hooks, feature calls for metadata token mapping, and custom virtual machines that interpret commands as opposed to normal .NET code execution.
MassJacker comes with its own crippling checks and a configuration that retrieves all regular expression patterns to flag the cryptocurrency wallet address on the clipboard. You also contact the remote server to download a file containing a list of wallets under the control of the threat actor.
“Massjacker creates an event handler that runs every time a victim copies something,” says Novick. “The handler checks for regular expressions. If it matches, it replaces the copied content from the downloaded list with a wallet belonging to the threat actor.”
Cyberark said it has identified more than 778,531 unique addresses belonging to the attacker, of which 423 totaled around $95,300 in funding. However, the total amount of digital assets held before they are transferred to all of these wallets is around $336,700.
Additionally, around $87,000 (600 SOL) worth of cryptocurrency is parked in one wallet, with over 350 transactions pouring money into the wallet from various addresses.
It’s not exactly clear what’s behind MassJacker, but deeper investigations into the source code have identified overlapping with another malware known as MassLogger.
Source link
