MassJacker Clipper Malware Exploits Pirated Software Installations

A recent investigation by CyberArk Labs has uncovered a sophisticated cryptojacking malware known as MassJacker, which exploits pirated software installations to compromise user systems.

This malware operates by replacing clipboard contents with attacker-controlled cryptocurrency wallet addresses, aiming to deceive victims into transferring funds to the attackers’ accounts.

The malware’s infection chain begins at a website offering pirated software, where users are tricked into downloading malicious files.

Infection Chain and Technical Details

The infection process involves executing a series of scripts, including a cmd script followed by a PowerShell script, which downloads additional executables.

One of these executables is identified as Amadey, a well-known botnet, while the others are .NET executables compiled for different architectures.

The malware employs advanced anti-analysis techniques, including JIT Hooking and metadata token mapping, to evade detection.

[Figure: MassJacker Clipper infection chain diagram]

These techniques are reminiscent of another malware family, MassLogger, suggesting a possible connection between the two.

The malware uses a custom virtual machine to execute scripts that further obfuscate its operations.

According to the report, it injects the MassJacker payload into a legitimate process, InstallUtil.exe, using process injection techniques.

The payload includes a configuration of regular expressions that match cryptocurrency addresses, along with Command and Control (C2) addresses used to download encrypted lists of wallets belonging to the threat actors.
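The clipper behaviour described above leaves a recognisable trace on the endpoint: a copied wallet address is replaced, within a fraction of a second and with no user action, by a different address of the same family. The following is an added detection example, not code from CyberArk's report or from the malware; the address patterns and the clipboard history are simplified, constructed assumptions rather than the regexes MassJacker actually carries.

```python
import re
from dataclasses import dataclass

# Simplified address patterns for the coins a clipper typically targets.
# Assumption: illustrative only, not the regexes carried in the MassJacker payload.
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{39,59})$"),
    "eth": re.compile(r"^0x[a-fA-F0-9]{40}$"),
}

def classify(text: str):
    """Return the address family the clipboard text looks like, or None."""
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text.strip()):
            return name
    return None

@dataclass
class Snapshot:
    t: float    # seconds since the clipboard monitor started
    text: str   # clipboard contents observed at that moment

def detect_clipper_swaps(snapshots, window=2.0):
    """Flag transitions where an address is replaced by a different address of the
    same family within `window` seconds: the pattern a clipper produces."""
    events = []
    prev = None
    for snap in snapshots:
        kind = classify(snap.text)
        if prev is not None:
            prev_kind, prev_text, prev_t = prev
            if kind and kind == prev_kind and snap.text != prev_text \
                    and snap.t - prev_t <= window:
                events.append((snap.t, kind, prev_text, snap.text))
        prev = (kind, snap.text, snap.t)
    return events

# Constructed clipboard history: an ETH address swapped 0.3 s after it was copied
# (the clipper case), and a BTC address replaced 40 s later by an unrelated copy.
SAMPLE = [
    Snapshot(0.0, "meeting notes"),
    Snapshot(5.0, "0x" + "ab" * 20),        # user copies their ETH address
    Snapshot(5.3, "0x" + "cd" * 20),        # replaced without user action
    Snapshot(60.0, "1" + "A" * 33),         # user copies a BTC address
    Snapshot(100.0, "1" + "B" * 33),        # a later, unrelated copy
]

def run_sample():
    return detect_clipper_swaps(SAMPLE)
```

A real monitor would feed live clipboard reads into `detect_clipper_swaps`; a user who deliberately copies two addresses in quick succession will also trip it, so the window is a tunable signal for triage rather than a verdict on its own.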

Impact and Financial Gains

The investigation revealed that MassJacker has been associated with over 750,000 unique cryptocurrency addresses, with one wallet holding over $300,000.

However, upon closer inspection, most wallets were found to be empty, with only a few containing funds.

The total amount held in these wallets was approximately $95,300, with an estimated total of around $336,700 when including previously transferred funds.

Despite these figures, it is suspected that much of the money did not originate from cryptojacking activities but from other malicious operations.

The volatility of cryptocurrency values also complicates the assessment of the malware’s financial impact.

The discovery of MassJacker highlights the risks associated with pirated software and the evolving nature of cryptojacking threats.

As cryptocurrencies continue to attract attention, such malware is likely to remain a significant concern for cybersecurity professionals.

The similarities between MassJacker and MassLogger suggest that threat actors are adapting and refining their tactics, emphasizing the need for robust security measures to protect against these sophisticated threats.

Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
