MassJacker campaign uses thousands of wallets to steal crypto

April 22, 2025
MassJacker Cryptocurrency Hijacking Digital Funds

A new MassJacker malware operation that uses the clipboard hijacking technique currently employs nearly 780,000 Bitcoin wallet addresses to steal digital funds from compromised devices.

This new campaign had around 423 wallets containing $95,300, but historical data indicates more substantial transactions. Moreover, the threat actors use a single Solana wallet as a central money-receiving hub, with over $300,000 in transactions.

The researchers estimate that the entire MassJacker operation is linked to a single threat group, given that the file names retrieved from C2 servers and the encryption keys used to decrypt the files remained consistent throughout the malicious operation.

However, the operation might still be based on a MaaS model, in which a central admin sells access to numerous offenders. Researchers classify MassJacker as a cryptojacking operation, but this classification is more commonly associated with illicit cryptocurrency mining using the victim’s processing/hardware resources.

On the other hand, the campaign uses clipboard hijacking malware (clippers), which monitors the Windows clipboard for copied cryptocurrency wallet addresses and replaces them with one controlled by the attacker.

By doing so, victims unintentionally send money to the attackers while they intend to send it to someone else.


The MassJacker malware spreads via compromised domains.


According to investigations, the MassJacker malware is delivered through pesktop[.]com, which hosts pirated software and spyware. Software installers downloaded from this site run a cmd script that calls a PowerShell script to retrieve an Amadey bot and two loader files named PackerE and PackerD1.

Amadey runs PackerE, which then decrypts and loads PackerD1 into memory. PackerD1 also includes five embedded resources that improve its evasion and anti-analysis capability. Some of its evasive capabilities include Just-In-Time (JIT) hooking, metadata token mapping to disguise function calls, and a custom virtual machine that interprets commands rather than running regular .NET code.

PackerD1 decrypts and injects PackerD2, which then decompresses and extracts the final payload, the primary malware, before injecting it into the legitimate Windows process ‘InstallUtil.exe’.
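The delivery chain above (installer from a download site, a cmd script, a PowerShell stage, and a final payload living in InstallUtil.exe) is the kind of sequence an endpoint hunt can pick out of process-creation telemetry. The following is an added example, not code from the article or the researchers it cites: it runs two simple rules over constructed process events. The event shape, process names other than those named in the article, paths and PIDs are all assumptions made for the example.

```python
"""Hunt constructed process-creation telemetry for two signals of the chain
described above:
  1. powershell.exe whose parent is cmd.exe, itself launched by an executable
     running from a user-writable directory (an installer from Downloads);
  2. InstallUtil.exe started by anything other than developer tooling, the
     injection target the article names.
All events below are constructed for this example; they are not real data."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str     # lower-case executable basename
    cmdline: str
    path: str      # directory the image was executed from


# Constructed sample telemetry (assumed shape; values invented for the example).
EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe", r"C:\Windows"),
    ProcEvent(200, 100, "setup_pro.exe", "setup_pro.exe", r"C:\Users\u\Downloads"),
    ProcEvent(300, 200, "cmd.exe", "cmd.exe /c run.cmd", r"C:\Windows\System32"),
    ProcEvent(400, 300, "powershell.exe", "powershell.exe -ep bypass -f stage.ps1",
              r"C:\Windows\System32\WindowsPowerShell\v1.0"),
    ProcEvent(500, 400, "installutil.exe", "InstallUtil.exe",
              r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319"),
    # Benign: Visual Studio legitimately invoking InstallUtil for a service.
    ProcEvent(600, 1, "devenv.exe", "devenv.exe", r"C:\Program Files\VS"),
    ProcEvent(700, 600, "installutil.exe", "InstallUtil.exe MyService.exe",
              r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319"),
]

USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp)\\", re.IGNORECASE)
DEV_PARENTS = {"devenv.exe", "msbuild.exe"}   # assumed allow-list of legitimate parents


def ancestors(events, pid):
    """Return the process chain starting at pid and walking up through ppid."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        e = by_pid[pid]
        chain.append(e)
        pid = e.ppid
    return chain


def find_chain_hits(events):
    """PIDs of powershell.exe whose parent is cmd.exe and whose grandparent
    executed from a user-writable directory."""
    hits = []
    for e in events:
        if e.image != "powershell.exe":
            continue
        chain = ancestors(events, e.ppid)          # parent first, then upward
        if (len(chain) > 1 and chain[0].image == "cmd.exe"
                and USER_WRITABLE.search(chain[1].path)):
            hits.append(e.pid)
    return hits


def find_suspicious_installutil(events):
    """PIDs of InstallUtil.exe whose parent is unknown or not developer tooling."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if e.image != "installutil.exe":
            continue
        parent = by_pid.get(e.ppid)
        if parent is None or parent.image not in DEV_PARENTS:
            hits.append(e.pid)
    return hits


if __name__ == "__main__":
    print("cmd->powershell chain hits:", find_chain_hits(EVENTS))
    print("suspicious InstallUtil.exe:", find_suspicious_installutil(EVENTS))
```

Both rules are deliberately narrow: the first keys on the parent relationship rather than on the PowerShell command line, so an obfuscated or renamed script still trips it, and the second treats any non-developer parent of InstallUtil.exe as worth a look, since that binary is a signed Microsoft executable that is rarely started outside a build or deployment context.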

MassJacker scans the clipboard for crypto wallet addresses using regex patterns. If it identifies one, it replaces it with an attacker-controlled wallet address from an encrypted list.
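Because a clipper works by rewriting the clipboard immediately after a wallet address is copied, the observable symptom on the host is a second clipboard write, from a different process, that replaces one address with another of the same kind within a fraction of a second. The example below is added here and is not code from the article or the researchers; it classifies clipboard contents with the same sort of regex patterns the text mentions and then flags that swap pattern over a constructed sequence of clipboard-change events. The event shape, the PIDs and every address string are constructed for the example.

```python
"""Detect clipper-style clipboard substitution over a constructed event log.
A clipboard monitor (e.g. a small agent that records each change, the time and
the writing process) is assumed to produce events of the shape below."""
import re
from dataclasses import dataclass

# Format-only classifiers: they recognise the shape of an address, they do not
# validate checksums. Order matters: legacy Bitcoin addresses are base58 too,
# so BTC must be tested before the broader Solana pattern.
ADDRESS_PATTERNS = {
    "BTC": re.compile(r"^(bc1[a-z0-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "ETH": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "SOL": re.compile(r"^[1-9A-HJ-NP-Za-km-z]{32,44}$"),
}


@dataclass
class ClipEvent:
    t: float         # seconds since monitor start
    text: str        # new clipboard contents
    writer_pid: int  # process that set the clipboard


# Constructed addresses: valid in shape only, they belong to nobody.
VICTIM_BTC = "1VictimAddrVictimAddrVictimAddr111"
SWAPPED_BTC = "1SwappedAddrSwappedAddrSwapped1111"
OTHER_BTC = "1VictimAddrVictimAddrVictimAddr222"

# Constructed event log: the user copies an address from a wallet app (pid 4100)
# and 300 ms later an unrelated process (pid 6677) rewrites the clipboard.
EVENTS = [
    ClipEvent(0.0, "meeting notes", 4100),
    ClipEvent(12.0, VICTIM_BTC, 4100),
    ClipEvent(12.3, SWAPPED_BTC, 6677),
    ClipEvent(60.0, OTHER_BTC, 4100),   # later copy by the same app: benign
]


def classify(text):
    """Return 'BTC', 'ETH', 'SOL' for address-shaped text, else None."""
    s = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(s):
            return kind
    return None


def detect_swaps(events, window=2.0):
    """Flag consecutive events where an address is replaced by a different
    address of the same kind, within `window` seconds, by a different process."""
    alerts = []
    for prev, cur in zip(events, events[1:]):
        kind = classify(prev.text)
        if kind is None or classify(cur.text) != kind:
            continue
        if cur.text.strip() == prev.text.strip():
            continue
        if cur.t - prev.t <= window and cur.writer_pid != prev.writer_pid:
            alerts.append({
                "kind": kind,
                "original": prev.text.strip(),
                "replacement": cur.text.strip(),
                "writer_pid": cur.writer_pid,
                "delay_s": round(cur.t - prev.t, 3),
            })
    return alerts


if __name__ == "__main__":
    for a in detect_swaps(EVENTS):
        print(f"[{a['kind']}] clipboard rewritten by pid {a['writer_pid']} "
              f"after {a['delay_s']}s: {a['original']} -> {a['replacement']}")
```

The same classifier is also the simplest end-user safeguard: compare the first and last few characters of the address actually pasted into the send form with the one you intended to send to, since a clipper substitutes the whole string and the mismatch is visible before the transaction is signed.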

Crypto enthusiasts and researchers should collaboratively investigate massive cryptojacking operations such as MassJacker, since they may offer vital identification information on many threat actors despite the apparently minimal financial damage.
