Users searching for pirated software are now prime targets for a new malware campaign that distributes a previously undocumented clipper malware called MassJacker, according to findings from CyberArk.
A New Threat in the Piracy Scene
Clipper malware monitors clipboard content to facilitate cryptocurrency theft. When a user copies a wallet address, the malware silently replaces it with an address controlled by the attacker, so funds the victim intends to send end up with the malicious actors instead of the intended recipient. Another relatively recent clipper campaign is CryptoClippy. However, CryptoClippy’s operators used SEO poisoning to spread the malware rather than pirated software.
The Infection Chain: How MassJacker Spreads
The infection begins when users visit a website known as pesktop[.]com, which presents itself as a repository of pirated software. Instead of the cracked applications it advertises, the site serves installers that trick users into running malware.
Security researcher Ari Novick explains that the above-mentioned site, which poses as a platform for pirated software, is used to distribute various types of malware.
Once executed, the malicious installer triggers a PowerShell script that delivers a botnet malware known as Amadey, along with two other .NET binaries compiled for 32-bit and 64-bit architectures. One of these binaries, codenamed PackerE, downloads an encrypted DLL, which in turn loads a secondary DLL that launches MassJacker by injecting it into a legitimate Windows process, InstallUtil.exe.
How MassJacker Operates
The encrypted DLL used by MassJacker employs various advanced techniques to evade detection and analysis, including:
- Just-In-Time (JIT) hooking
- Metadata token mapping to obscure function calls
- A custom virtual machine to interpret commands instead of executing standard .NET code
MassJacker also incorporates anti-debugging mechanisms and ships with a set of regular expressions that match the formats of cryptocurrency wallet addresses, which it applies to clipboard content.
Once a user copies a cryptocurrency wallet address, the malware intercepts the action, checks if it matches a pattern from its database, and replaces the copied content with a wallet address controlled by the attacker.
MassJacker creates an event handler that triggers whenever the victim copies anything, Novick noted. If it detects a cryptocurrency address, it swaps it with an address from the attacker’s pre-downloaded list.
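The swap mechanism described in the two passages above (the general clipper technique, and MassJacker’s copy handler with regex matching and address replacement) leaves one signal a defender can always observe: the address that was copied no longer equals the address that gets pasted. The following is an added example, not CyberArk’s analysis code or anything from MassJacker itself; it classifies clipboard text with a few constructed wallet-format patterns and flags a copy/paste pair where an address went in and a different address came out. The patterns, event records and addresses are all constructed for illustration.

```python
"""Clipboard-swap detector: an added, illustrative example (not CyberArk's or MassJacker's code).

A clipper replaces a copied wallet address with one the attacker controls. The one
signal a defender can always observe is the mismatch between the text the user
copied and the text that is pasted, so this module classifies clipboard text with
wallet-format regexes and flags a copy/paste pair where both sides are wallet
addresses but differ. All patterns, events and addresses below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed, anchored patterns for a few common address formats. A real clipper
# ships a far longer list; the point here is the matching technique, not completeness.
WALLET_PATTERNS = {
    "BTC-legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "BTC-bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{25,62}$"),
    "ETH": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "SOL": re.compile(r"^[1-9A-HJ-NP-Za-km-z]{32,44}$"),  # base58; checked last, overlaps BTC-legacy
}


def classify_address(text: str) -> Optional[str]:
    """Return the first wallet family whose pattern matches the whole string, or None."""
    s = text.strip()
    for family, pattern in WALLET_PATTERNS.items():
        if pattern.match(s):
            return family
    return None


@dataclass
class ClipboardEvent:
    """One copy/paste round trip: what the user selected vs. what the clipboard held at paste time."""
    copied: str
    pasted: str


def detect_swap(event: ClipboardEvent) -> Optional[dict]:
    """Flag an event where a wallet address went in and a different address came out."""
    src = classify_address(event.copied)
    if src is None:
        return None            # not an address: a clipper would leave it untouched
    if event.copied.strip() == event.pasted.strip():
        return None            # clipboard intact
    dst = classify_address(event.pasted)
    return {
        "family": src,
        "copied": event.copied.strip(),
        "pasted": event.pasted.strip(),
        # Clippers substitute an address of the same family so the payment still goes through.
        "same_family": dst == src,
    }


def audit(events) -> list:
    """Run the detector over a sequence of events and collect the alerts."""
    return [a for a in (detect_swap(e) for e in events) if a is not None]


# Constructed sample events (the addresses are synthetic, not real wallets).
SAMPLE_EVENTS = [
    ClipboardEvent("hello world", "hello world"),              # ordinary text, ignored
    ClipboardEvent("0x" + "1" * 40, "0x" + "1" * 40),          # intact ETH copy
    ClipboardEvent("0x" + "1" * 40, "0x" + "2" * 40),          # swapped ETH address
    ClipboardEvent("bc1q" + "q" * 38, "bc1q" + "p" * 38),      # swapped bech32 address
    ClipboardEvent("7" + "x" * 42, "7" + "x" * 42),            # intact SOL copy
]

if __name__ == "__main__":
    for alert in audit(SAMPLE_EVENTS):
        print(f"ALERT {alert['family']}: {alert['copied']} -> {alert['pasted']}")
```

Running the module over the constructed events produces two alerts, one for the ETH pair and one for the bech32 pair. In practice the `copied` side would come from the application the user selected text in and the `pasted` side from the clipboard at paste time; the same comparison is the manual check worth doing before confirming any transfer.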
The Scale of the Attack
CyberArk researchers have uncovered over 778,531 unique addresses linked to the attackers. However, only 423 wallets contained funds, with a combined balance of approximately $95,300. Prior to being emptied, these wallets collectively held around $336,700 worth of digital assets.
A single wallet associated with the campaign was found to contain 600 SOL, worth about $87,000, gathered through over 350 transactions funneling money from various sources.
The Unknown Threat Actors
The identity of the individuals or group behind MassJacker remains unknown. However, researchers have identified code similarities between MassJacker and another malware strain known as MassLogger, which also used JIT hooking to evade detection.
Given the sophisticated tactics used by MassJacker, cybersecurity experts advise users to be cautious when downloading software, especially from unverified sources.