Users searching for pirated software are the target of a new malware campaign that delivers a previously undocumented clipper malware called MassJacker, according to findings from CyberArk.
Clipper malware is a type of cryware (as coined by Microsoft) that’s designed to monitor a victim’s clipboard content and facilitate cryptocurrency theft by substituting copied cryptocurrency wallet addresses with an attacker-controlled one so as to reroute them to the adversary instead of the intended target.
“The infection chain begins at a site called pesktop[.]com,” security researcher Ari Novick said in an analysis published earlier this week. “This site, which presents itself as a site to get pirated software, also tries to get people to download all sorts of malware.”
The initial executable acts as a conduit to run a PowerShell script that delivers a botnet malware named Amadey, as well as two other .NET binaries, each compiled for 32- and 64-bit architecture.
The binary, codenamed PackerE, is responsible for downloading an encrypted DLL, which, in turn, loads a second DLL file that launches the MassJacker payload by injecting it into a legitimate Windows process called “InstalUtil.exe.”
The encrypted DLL incorporates features that enhance its evasion and anti-analysis ability, including Just-In-Time (JIT) hooking, metadata token mapping to conceal function calls, and a custom virtual machine to interpret commands as opposed to running regular .NET code.
MassJacker, for its part, comes with its own anti-debugging checks and a configuration to retrieve all the regular expression patterns for flagging cryptocurrency wallet addresses in the clipboard. It also contacts a remote server to download files containing the list of wallets under the threat actor’s control.
“MassJacker creates an event handler to run whenever the victim copies anything,” Novick said. “The handler checks the regexes, and if it finds a match, it replaces the copied content with a wallet belonging to the threat actor from the downloaded list.”
CyberArk said it identified over 778,531 unique addresses belonging to the attackers, with only 423 of them containing funds totaling approximately $95,300. But the total amount of digital assets held in all these wallets prior to them being transferred out stands at around $336,700.
What’s more, cryptocurrency worth about $87,000 (600 SOL) has been found parked in a single wallet, with over 350 transactions funneling money into the wallet from different addresses.
Exactly who is behind MassJacker is unknown, although a deeper examination of the source code has identified overlaps with another malware known as MassLogger, which has also leveraged JIT hooking in an attempt to resist analysis efforts.
