A new malware campaign is rerouting thousands of dollars from cryptocurrency transactions into the accounts of hackers.
As reported by The Hacker News, the malware, called MassJacker, is a type of cryware known as clipper malware which is targeting users searching for pirated software online.
Instead of the pirated software though, they actually end up downloading clipper malware which is designed to steal cryptocurrency by watching an infected machine’s clipboard and switching out copied cryptocurrency wallet addresses for one controlled by the attackers behind this campaign.
According to a new report from CyberArk, the infection chain starts at pesktop[.]com which is a site commonly used to acquire pirated software that also tries to infect systems with multiple types of malware. The initial MassJacker executable acts as a conduit to run a PowerShell script for the Amadey botnet malware and two .NET binaries including one codenamed PackerE.
PackerE downloads an encrypted DLL file which then loads a second malicious file that launches the MassJacker payload by injecting it into a legitimate Windows process called InstalUtil.exe. This encrypted DLL incorporates features to evade and avoid analysis including Just-In-Time (JIT) hooking, metadata token mapping, and a custom virtual machine.
MassJacker also has debugging checks and a configuration which retrieves regular expression patterns for flagging cryptocurrency wallet addresses in the clipboard; it contacts a remote server to download files containing the threat actors lists of wallets. Then, according to CyberArk's security researchers, it creates an event handler to run whenever the infected system copies anything. The handler checks the regexes, and when it finds a match it simply replaces the copied content with a wallet belonging to the hackers.
CyberArk says it has identified over 778,531 addresses belonging to the threat actors responsible for MassJacker; however, 423 of these wallets currently contain funds totaling roughly $95,300. The digital assets previously held in those wallets prior to them being transferred stands at approximately $336,700. Cryptocurrency worth $87,000 has been found being held in a single wallet, with over 350 transactions funneling money into the wallet from different addresses.
No information is available yet on who is behind MassJacker though the source code shows that it overlaps with the MassLogger malware which also used JIT hooking to resist analysis efforts.
How to stay safe from clipper malware
Just like with some other malware strains, getting infected by MassJacker is completely avoidable. As long as you're not downloading pirated software, you should have nothing to worry about at least for now.
To keep your devices protected from malware that can slip through the cracks though, you should be using the best antivirus software on your Windows PC or the best Mac antivirus software on your Apple computer. These security programs continually scan all of your existing files and any new ones you try to download for malware.
As for keeping your cryptocurrency transactions safe, it might be worth investing in one of the best laptops or even one of the best computers and using that machine solely for crypto. This might sound a bit drastic but by keeping the rest of your online activity separate from your crypto transactions, you can avoid having your funds stolen by malware like MassJacker or by phishing attacks designed to steal your recovery phrase which you should save the old fashioned way on a piece of paper in a secure location as opposed to on your computer or in one of the best password managers.
Since recovering lost cryptocurrency is almost impossible, hackers will likely continue to target crypto users online. This is why you need to be extra careful and practice excellent cyber hygiene when dealing with digital currencies.
