Be Careful What You Search For—New Attack Could Cost You Dearly
The internet has become a hub for all sorts of malicious activities, and one of the most insidious ones is the MassJacker malware attack that's been making headlines lately. This type of attack starts with an innocent-looking search query, but can quickly escalate into a financial disaster for its victims.
In a bizarre twist, this cyberattack begins with a simple search for pirated software. The threat actors behind MassJacker are using phishing tactics to lure their targets into downloading malware that will steal their cryptocurrency. According to Ari Novick, a malware researcher at CyberArk Labs, the attack starts with a malicious download that executes a cmd script followed by a PowerShell script, which downloads three more executables.
"Cryptojacking works," Novick explained, "by replacing the addresses of crypto wallets copied by the user with ones belonging to the attacker in the clipboard." This can lead to transferring money to the attacker's address, resulting in significant financial losses for the victim. Novick warned that CyberArk analysis has discovered at least 750,000 unique addresses used by MassJacker, with one wallet worth $300,000 alone.
But what makes cryptojacking malware so elusive? According to Novick, it is not as well known as ransomware or infostealer malware, perhaps because there are fewer such families or because they are less profitable. The MassJacker operators nonetheless use anti-analysis techniques such as zeroing out section names and .NET stream names in memory and building infinite loops of debugger checks.
The MassJacker payload also contains configuration files with regexes for crypto addresses and Command and Control addresses to download additional files named recovery.dat and recoverysol.dat. These files are AES-encrypted lists of wallets belonging to the threat actor, which can be used to track down victims' cryptocurrency holdings.
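The clipboard substitution Novick describes, and the address regexes in the MassJacker configuration, both hinge on one fact: a swapped address still looks like a valid address, so the only reliable tell is that what you paste is not what you copied. The following Python is an added example written for this article, not code from CyberArk or from the malware. It classifies strings by address shape and compares the copied value with the pasted one; the regexes are this example's own loose, shape-only patterns (no checksum validation), not the ones shipped in the MassJacker files, and every sample address is a constructed placeholder, not a real wallet.

```python
import re

# Shape-only patterns for common address formats. They check syntax, not
# checksums, and are this example's own assumption: they are NOT the regexes
# from the MassJacker configuration files described in the article.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[a-z0-9]{39,59}$"),
    "eth":        re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "sol":        re.compile(r"^[1-9A-HJ-NP-Za-km-z]{32,44}$"),
}


def address_type(text):
    """Return the address format `text` looks like, or None if it looks like none.

    Order matters: a legacy BTC address is also valid base58 of SOL length,
    so the more specific patterns are tried first.
    """
    text = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return name
    return None


def check_paste(copied, pasted):
    """Compare the address the user copied with the one that arrived at the paste target.

    A clipper replaces the clipboard contents with an attacker address of the
    SAME format, so type-checking the pasted value alone proves nothing; the
    verdict comes from the copied/pasted comparison.
    """
    copied, pasted = copied.strip(), pasted.strip()
    copied_type = address_type(copied)
    pasted_type = address_type(pasted)
    if copied_type is None:
        # Nothing wallet-shaped was copied, so there is nothing to protect here.
        return {"verdict": "not_an_address", "copied_type": None, "pasted_type": pasted_type}
    if copied == pasted:
        return {"verdict": "ok", "copied_type": copied_type, "pasted_type": pasted_type}
    return {
        "verdict": "swapped",
        "copied_type": copied_type,
        "pasted_type": pasted_type,
        # True is the classic clipper signature: same chain, different address.
        "same_type": copied_type == pasted_type,
    }


# Constructed sample values for the demonstration (placeholders, not real wallets).
WANTED_ETH = "0x0123456789abcdef0123456789abcdef01234567"
ATTACKER_ETH = "0x" + "deadbeef" * 5
WANTED_BTC = "1ConstructedExampLeAddrXXXXXXXXXXXX"
ATTACKER_BTC = "3AttackerControLLedAddrXXXXXXXXXXXX"


def demo():
    """Run the three verdicts over the constructed samples and return them."""
    return {
        "clean_paste": check_paste(WANTED_ETH, WANTED_ETH)["verdict"],
        "eth_swapped": check_paste(WANTED_ETH, ATTACKER_ETH)["verdict"],
        "btc_swapped": check_paste(WANTED_BTC, ATTACKER_BTC)["verdict"],
        "plain_text": check_paste("meeting notes", "meeting notes")["verdict"],
    }


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label}: {verdict}")
```

In practice the "copied" value has to come from somewhere the malware cannot rewrite, such as the address shown on the exchange page or hardware wallet screen you are reading from; the paste check is the last step of "read the address back before you send", not a replacement for it.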
But the MassJacker attack is not unique in its tactics. Another newly analyzed malware threat, StilachiRAT, takes a different angle on searching entirely. The attackers conduct system reconnaissance during the initial phase, collecting comprehensive system information such as operating system details and the graphical user interface applications that are running.
During the attack proper, StilachiRAT scans up to 20 different cryptocurrency wallet extensions used by the Google Chrome web browser, looking for their configuration files. It also searches for saved credentials, which are decrypted to gain access to stored usernames and passwords.
The good news is that investigating these types of attacks can lead to a treasure trove of valuable information. Cybersecurity experts have discovered over 750,000 addresses and $300,000 in various cryptocurrencies belonging to threat actors.
So, what can you do to mitigate these attacks? The top two mitigation strategies are:
- Don't search for pirated software. Avoid searching for it or downloading it from sites that offer it; pirated software is bad news, and you don't want to risk falling victim to these attacks.
- Verify the authenticity of software downloads. Make sure to download software from reputable sources and verify the authenticity of the files before running them on your system.
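"Verify the authenticity of the files before running them" is concrete when the vendor publishes a SHA-256 checksum file next to the download. The Python below is an added example for this article, not code from any of the vendors or researchers mentioned: it parses a `sha256sum`-style checksum list, hashes the downloaded file in chunks, and compares in constant time. The checksum text and the files it verifies are constructed inside the example so it runs offline; the file names and contents are placeholders.

```python
import hashlib
import hmac
import os
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file of any size without loading it into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_checksum_file(text):
    """Parse 'SHA256SUMS'-style lines: '<hex digest>  <filename>' or '<hex digest> *<filename>'."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # malformed line: ignore rather than trust a half-parsed entry
        digest, name = parts
        expected[name.lstrip("*").strip()] = digest.lower()
    return expected


def verify_download(path, checksum_text):
    """Return 'ok', 'mismatch', or 'no_published_hash' for the file at `path`."""
    expected = parse_checksum_file(checksum_text)
    name = os.path.basename(path)
    if name not in expected:
        return "no_published_hash"   # an unlisted file is unverifiable, not trusted
    actual = sha256_file(path)
    # Constant-time comparison: not strictly needed for a local check, but it is
    # the habit to have wherever digests are compared.
    return "ok" if hmac.compare_digest(actual, expected[name]) else "mismatch"


# Constructed sample: the vendor's published list covers one file whose contents
# are the bytes b"hello\n" (digest below), plus a deliberately wrong entry.
GOOD_CONTENT = b"hello\n"
GOOD_DIGEST = "5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03"
CHECKSUM_TEXT = f"""# constructed SHA256SUMS for the example
{GOOD_DIGEST}  installer.exe
{"0" * 64} *tampered.exe
"""


def demo():
    """Write the sample files to a temp directory and return the verdict for each."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        cases = {
            "installer.exe": GOOD_CONTENT,       # matches the published digest
            "tampered.exe": GOOD_CONTENT + b"!",  # content differs from what was published
            "unlisted.exe": GOOD_CONTENT,        # vendor published no digest for it
        }
        for name, content in cases.items():
            path = os.path.join(tmp, name)
            with open(path, "wb") as handle:
                handle.write(content)
            results[name] = verify_download(path, CHECKSUM_TEXT)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

A matching hash only proves the file is the one the publisher listed; fetch the checksum list from the vendor's own site (ideally over a different channel than the download link you were handed), and prefer a signed release where one exists.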
The fight against cybercrime is an ongoing battle, but by being vigilant and taking proactive measures, you can protect yourself from falling victim to these types of attacks. Remember: a little caution can go a long way in keeping your digital life safe!