MassJacker: The Malware That's Hijacking Crypto Wallets

CyberArk researchers have sounded the alarm about a new malware campaign targeting users searching for pirated software. The malicious software, dubbed MassJacker, is designed to intercept and manipulate clipboard data, typically for cryptocurrency theft.

The Threat of Clipper Malware

Clipper malware is a type of malicious software that operates silently in the background, monitoring clipboard activity and altering copied text in real-time. Its primary goal is to steal funds from cryptocurrency wallets by replacing legitimate addresses with attacker-controlled ones.

In essence, when a victim copies a cryptocurrency wallet address, the malware silently swaps it for the attacker's address, so the funds the victim sends go to the attacker instead of the intended recipient. Clipper malware has evolved to include advanced features such as anti-detection techniques and the ability to communicate with remote servers to update wallet addresses dynamically.

The MassJacker Attack

The new MassJacker infection is launched from a compromised website (pesktop[.]com) that distributes pirated software. The attack involves executing a cmd script followed by a PowerShell script, which downloads three executables: the Amadey bot and two .NET executables.

Upon execution, the first .NET executable, dubbed PackerE, downloads an encrypted DLL (PackerD1) that employs multiple anti-analysis techniques. It then loads PackerD2, which contains the MassJacker payload, injecting it into InstallUtil.exe for execution.

MassJacker's Anti-Analysis Techniques

MassJacker supports multiple anti-analysis techniques, including memory obfuscation and an infinite anti-debugging loop. These features make it challenging to detect and analyze the malware using traditional methods.

The malware uses a configuration file that holds regex patterns for recognizing cryptocurrency wallet addresses on the clipboard, along with C2 addresses from which it downloads encrypted wallet lists (recovery.dat and recoverysol.dat). These lists contain the attacker-controlled wallet addresses that are substituted in, with the latter file specifically for Solana wallets.
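As an added defensive illustration (not code from the CyberArk report or from the malware), the detector below applies the clipper behaviour and the regex-based address recognition described above from the monitoring side: it scans a constructed trace of clipboard writes for the swap signature, an address overwritten within a short window by a different address of the same asset from a different process. It assumes each clipboard write can be observed with a timestamp and the owning process name (as Windows exposes via GetClipboardOwner), and the regexes are common public address shapes, not MassJacker's own patterns.

```python
import re
from dataclasses import dataclass

# Address-shape regexes, constructed for this example (MassJacker ships its
# own pattern set in its config; these are common public shapes).
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{39,59})$"),
    "eth": re.compile(r"^0x[a-fA-F0-9]{40}$"),
    "sol": re.compile(r"^[1-9A-HJ-NP-Za-km-z]{32,44}$"),
}


@dataclass
class ClipEvent:
    ts: float     # seconds since monitoring started
    owner: str    # process that wrote the clipboard (assumed observable)
    text: str


def classify(text: str):
    """Return the asset whose address shape `text` matches, else None."""
    for asset, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text.strip()):
            return asset
    return None


def detect_substitutions(events, window: float = 2.0):
    """Flag a clipboard write that replaces a just-copied address with a
    different address of the same asset, from a different process, within
    `window` seconds: the signature of a clipper swapping in its wallet."""
    alerts = []
    last = None                       # most recent address-bearing event
    for ev in sorted(events, key=lambda e: e.ts):
        asset = classify(ev.text)
        if asset is None:
            continue
        if (last is not None and classify(last.text) == asset
                and ev.text != last.text and ev.owner != last.owner
                and ev.ts - last.ts <= window):
            alerts.append({"ts": ev.ts, "asset": asset, "writer": ev.owner,
                           "original": last.text, "replacement": ev.text})
        last = ev
    return alerts


# Constructed trace: the user copies an ETH address from the browser and a
# process named InstallUtil.exe (the page's injection host) overwrites it
# 300 ms later; the later same-owner BTC copies are benign.
SAMPLE_EVENTS = [
    ClipEvent(10.0, "chrome.exe", "0x" + "1" * 40),
    ClipEvent(10.3, "InstallUtil.exe", "0x" + "2" * 40),
    ClipEvent(20.0, "chrome.exe", "meeting notes"),
    ClipEvent(30.0, "chrome.exe", "1" + "A" * 33),
    ClipEvent(45.0, "chrome.exe", "3" + "B" * 33),
]
```

Running `detect_substitutions(SAMPLE_EVENTS)` yields one alert, for the InstallUtil.exe write; the owner check is what separates a clipper overwrite from a user simply copying a second address.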

Stolen Crypto Wallets and Funds

CyberArk researchers discovered that the threat actors used the same encryption scheme for quite some time without changing the key. This allowed them to decrypt older files from previous campaigns and recover additional addresses.

"While investigating the wallet addresses downloaded from the C2, we discovered that the threat actors used the same encryption scheme for quite some time without changing the key," reads the report published by CyberArk. "This meant we could use MassJacker to decrypt older files from previous campaigns and recover additional addresses."

According to the report, adding the wallets from older files resulted in 778,531 unique addresses, with a total of $336,700 previously transferred out.

A Complex Web of Threat Actors

MassJacker appears to be a malware-as-a-service (MaaS), likely used by multiple threat actors, similar to Amadey and MassLogger. However, researchers suspect the wallets found belong to a single threat actor due to shared file names, encryption keys, and a Litecoin wallet consolidating funds from multiple sources.

Experts believe that the actual number of cryptojacking attacks could be higher than reported, and that most of the funds observed likely came not from cryptojacking alone but from other malicious activities. The true total may also be higher or lower than reported, since cryptocurrency values fluctuate.

A Threat That Requires Awareness

While the specifics of MassJacker's impact are still unclear, it is evident that this malware poses a significant threat to cryptocurrency users. It's essential for individuals to remain vigilant and aware of the risks associated with pirated software and cryptojacking.

As one expert concludes, "It's difficult to say why cryptojackers are so poorly known... One possibility is that there simply aren't that many of them. If they really aren't that profitable, it makes sense that there wouldn't be many of them."