
Beware! New Malware Targets Piracy Users & Crypto


A new malware campaign is preying on users searching for pirated software, distributing a previously undocumented clipper malware called MassJacker. According to cybersecurity firm CyberArk, this malicious software is designed to hijack cryptocurrency transactions, posing a significant threat to unsuspecting victims.

How MassJacker Operates

MassJacker falls under the category of clipper malware, a type of cryware that monitors clipboard activity to intercept and replace cryptocurrency wallet addresses. When a victim copies a legitimate wallet address, the malware swaps it with an attacker-controlled address, rerouting funds to the hacker instead of the intended recipient.

Infection Chain: How Victims Are Targeted

The distribution chain begins on a website named pesktop[.]com, which presents itself as a download platform for pirated software. Instead of delivering the promised files, it pushes multiple malware payloads onto victims’ systems.

CyberArk researcher Ari Novick explains that the infection starts with an executable file that runs a PowerShell script, deploying a botnet malware named Amadey along with two .NET binaries optimized for 32-bit and 64-bit architectures.

Stealth Mechanisms and Advanced Evasion Techniques

A critical component of the attack is a binary codenamed PackerE, which downloads an encrypted DLL file. This DLL loads another file that injects MassJacker into the legitimate Windows process “InstallUtil.exe.”

To evade detection, the malware incorporates:

  • Just-In-Time (JIT) hooking to bypass debugging tools
  • Metadata token mapping to conceal function calls
  • A custom virtual machine to interpret commands instead of running standard .NET code

Clipboard Hijacking and Cryptocurrency Theft

Once activated, MassJacker continuously monitors the victim’s clipboard. If the copied text matches a cryptocurrency wallet address format, it is silently replaced with an address controlled by the attacker. The malware fetches these fraudulent wallet addresses from a remote server, so the pool of replacement addresses can be refreshed over time.

According to CyberArk’s analysis:

  • 778,531 unique attacker-controlled wallet addresses have been identified.
  • Only 423 wallets contained funds, amounting to $95,300.
  • Prior to funds being transferred out, these wallets collectively held $336,700.
  • A single wallet contained 600 SOL (Solana), worth approximately $87,000, accumulated from over 350 transactions.

Possible Links to MassLogger Malware

While the origins of MassJacker remain unknown, researchers have uncovered code similarities between this malware and MassLogger, another well-known threat. Both malware strains use JIT hooking to resist forensic analysis, suggesting a possible link between their creators or a shared development framework.

Protecting Against MassJacker Attacks

To mitigate the risks of clipper malware, cybersecurity experts recommend:

  • Avoiding pirated software downloads, especially from unverified sources.
  • Using hardware wallets to store cryptocurrency instead of relying on copy-paste transactions.
  • Implementing endpoint protection that detects clipboard manipulation.
  • Regularly updating antivirus and security software to detect emerging threats.
  • Verifying cryptocurrency wallet addresses manually before making transactions.
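The clipboard-hijacking behaviour described above leaves a recognisable trace that endpoint tooling can look for: one wallet-format string is replaced by a different string of the same format within milliseconds of being copied. The following is an added illustration of that detection logic, not code from CyberArk or from the malware; the address patterns, the timing threshold and the clipboard snapshots are constructed assumptions for the example.

```python
import re

# Address-shape patterns for the coin families the article mentions (Solana)
# plus Bitcoin and Ethereum. Constructed for this example: they check length
# and alphabet only, not checksums.
WALLET_PATTERNS = {
    "BTC": re.compile(r"^(bc1[02-9ac-hj-np-z]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "ETH": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "SOL": re.compile(r"^[1-9A-HJ-NP-Za-km-z]{32,44}$"),
}


def wallet_family(text):
    """Return the first matching address family for `text`, or None."""
    text = text.strip()
    for family, pattern in WALLET_PATTERNS.items():
        if pattern.match(text):
            return family
    return None


def detect_clipboard_swaps(events, max_gap_ms=500):
    """Flag clipboard changes that look like a clipper substitution.

    `events` is a time-ordered list of (timestamp_ms, clipboard_text)
    snapshots. A swap is reported when the content changes from one wallet
    address to a different address of the same family within `max_gap_ms`:
    a user rarely copies a second address that quickly, a clipper does.
    """
    alerts = []
    for (t_prev, prev), (t_cur, cur) in zip(events, events[1:]):
        fam_prev, fam_cur = wallet_family(prev), wallet_family(cur)
        if fam_prev and fam_prev == fam_cur and prev != cur and t_cur - t_prev <= max_gap_ms:
            alerts.append({"family": fam_prev, "copied": prev,
                           "replaced_with": cur, "gap_ms": t_cur - t_prev})
    return alerts


# Constructed clipboard snapshots: an ETH and a SOL address are each rewritten
# within milliseconds of being copied; the final ETH copy is a genuine user action.
SAMPLE_EVENTS = [
    (1000, "meeting notes"),
    (2000, "0x" + "a1" * 20),
    (2120, "0x" + "b2" * 20),
    (5000, "7" + "G" * 43),
    (5040, "8" + "H" * 43),
    (9000, "0x" + "c3" * 20),
]

if __name__ == "__main__":
    for alert in detect_clipboard_swaps(SAMPLE_EVENTS):
        print(f"possible clipper swap ({alert['family']}): {alert['copied']} -> {alert['replaced_with']}")
```

A real monitor would feed the detector from the operating system's clipboard-change notifications rather than a static list, and would treat a hit as a signal to warn the user before the paste completes.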

Conclusion

MassJacker represents a growing trend of malware exploiting cryptocurrency users, particularly those searching for pirated software. As cybercriminals continue to refine their tactics, individuals must adopt stronger security measures to protect their digital assets from theft. Awareness and proactive cybersecurity practices remain the best defense against these evolving threats.
