MassJacker Clipper Malware

New MassJacker Malware Exploits Piracy Users to Hijack Cryptocurrency Transactions

A newly discovered malware campaign is actively targeting individuals searching for pirated software, deploying a previously undocumented clipper malware known as MassJacker, according to research conducted by CyberArk.

Clipper malware, categorized as cryware (a term introduced by Microsoft), is specifically designed to monitor a victim’s clipboard activity. Its primary function is to facilitate cryptocurrency theft by intercepting and replacing copied wallet addresses with those controlled by attackers. This process redirects transactions away from the intended recipient and into the hands of cybercriminals.

How the Infection Begins
The malware distribution originates from a website called pesktop[.]com, which falsely presents itself as a platform for accessing pirated software. However, instead of legitimate programs, the site encourages users to unknowingly download various forms of malware.

According to security researcher Ari Novick, the infection begins with an initial executable file that executes a PowerShell script. This script serves as a delivery mechanism for multiple malicious payloads, including a botnet malware known as Amadey, along with two additional .NET binaries designed for both 32-bit and 64-bit systems.

One of these binaries, codenamed PackerE, is responsible for downloading an encrypted Dynamic Link Library (DLL) file. This DLL subsequently loads another DLL, which ultimately launches the MassJacker payload by injecting it into a legitimate Windows process, specifically InstallUtil.exe.

Advanced Evasion and Anti-Analysis Techniques
To avoid detection and analysis, the encrypted DLL incorporates several sophisticated evasion mechanisms. These include:

Just-In-Time (JIT) hooking to manipulate function execution.
Metadata token mapping to conceal function calls.
A custom virtual machine (VM) to execute commands instead of standard .NET code, making reverse engineering significantly more challenging.

The MassJacker malware itself comes equipped with built-in anti-debugging measures. Additionally, it is programmed to detect regular expression patterns that correspond to cryptocurrency wallet addresses copied to the clipboard. Upon detection, it contacts a remote server to retrieve a list of wallet addresses under the attacker’s control.

How MassJacker Steals Cryptocurrency
MassJacker operates by creating an event handler that triggers whenever the victim copies any text. The malware then:

Scans the copied content for cryptocurrency wallet patterns using regex (regular expressions).
If a match is found, it automatically replaces the copied wallet address with one belonging to the attacker.
The victim unknowingly pastes the fraudulent wallet address, resulting in stolen funds when the transaction is completed.

Scale of the Attack and Financial Impact
CyberArk researchers have identified over 778,531 unique cryptocurrency wallet addresses linked to the attackers. However, only 423 of these wallets currently contain funds, totaling approximately $95,300.

Before funds were transferred out, the total amount of digital assets stored in these wallets was estimated at $336,700. Additionally, a single wallet was found holding 600 SOL (Solana tokens), valued at approximately $87,000, with over 350 transactions funneling funds into it from various sources.

Who is Behind MassJacker?
The identity of the threat actors behind MassJacker remains unknown. However, researchers have found code similarities between this malware and MassLogger, another malicious software known for utilizing JIT hooking to evade security analysis. This suggests a possible link between the two threats or that the same group may be behind both campaigns.

Final Thoughts
The MassJacker malware campaign highlights the risks associated with downloading pirated software, as cybercriminals continue to exploit unsuspecting users through deceptive websites. Cryptocurrency holders must be especially cautious, as clipper malware can lead to significant financial losses.

To protect yourself, always download software from official and trusted sources, use strong cybersecurity tools, and double-check wallet addresses before making transactions.
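The swap described in "How MassJacker Steals Cryptocurrency" and the advice to double-check wallet addresses can both be made concrete with a small verification routine. The code below is an added example written for this page, not code from CyberArk's research or from the malware itself: it compares the text a user intended to copy with what the clipboard now holds, classifies both against loose wallet-address patterns (constructed here, and deliberately broad), and verifies the Base58Check checksum of a legacy Bitcoin address. The sample addresses are the Bitcoin genesis-block address and a documented example address used as a placeholder for an attacker wallet; neither comes from the campaign.

```python
import hashlib
import re

# Loose patterns for common wallet-address formats. Constructed for this
# example; they are deliberately broad (a Solana address can also satisfy the
# legacy-Bitcoin pattern), so a match means "looks like an address", not proof.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[02-9ac-hj-np-z]{11,71}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "sol": re.compile(r"^[1-9A-HJ-NP-Za-km-z]{32,44}$"),
}

BASE58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def classify_address(text):
    """Return the name of the first pattern the text matches, or None."""
    candidate = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(candidate):
            return name
    return None


def base58check_valid(address):
    """Check the Base58Check checksum of a legacy (P2PKH/P2SH) Bitcoin address.

    A legacy address decodes to 25 bytes: 1 version byte, a 20-byte hash and a
    4-byte checksum equal to the first 4 bytes of SHA256(SHA256(version+hash)).
    An attacker-generated address normally passes this check too, so it catches
    corruption or typos, not substitution; substitution is caught by detect_swap.
    """
    value = 0
    for char in address:
        digit = BASE58_ALPHABET.find(char)
        if digit < 0:
            return False
        value = value * 58 + digit
    try:
        raw = value.to_bytes(25, "big")  # leading '1' characters become zero bytes
    except OverflowError:
        return False
    payload, checksum = raw[:21], raw[21:]
    digest = hashlib.sha256(hashlib.sha256(payload).digest()).digest()
    return digest[:4] == checksum


def detect_swap(copied, clipboard):
    """Compare the text the user copied with what the clipboard now holds.

    Returns a (verdict, chain) tuple:
      ("no_address", None)   neither value looks like a wallet address
      ("unchanged", chain)   an address was copied and is still intact
      ("swapped", chain)     the clipboard now holds a different address,
                             which is the clipper behaviour the article describes
      ("modified", chain)    the address was altered into something that no
                             longer parses as an address
    """
    copied_chain = classify_address(copied)
    clipboard_chain = classify_address(clipboard)
    if copied_chain is None and clipboard_chain is None:
        return ("no_address", None)
    if copied.strip() == clipboard.strip():
        return ("unchanged", copied_chain)
    if clipboard_chain is not None:
        return ("swapped", clipboard_chain)
    return ("modified", copied_chain)


# Constructed sample: the Bitcoin genesis-block address as the intended
# recipient, and a documented example legacy address standing in for an
# attacker-controlled wallet (a placeholder, not an address from the campaign).
INTENDED_ADDRESS = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
SUBSTITUTED_ADDRESS = "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"

if __name__ == "__main__":
    print("intended checksum ok:", base58check_valid(INTENDED_ADDRESS))
    print("clean copy:", detect_swap(INTENDED_ADDRESS, INTENDED_ADDRESS))
    print("clipper swap:", detect_swap(INTENDED_ADDRESS, SUBSTITUTED_ADDRESS))
    print("ordinary text:", detect_swap("see you at 10", "see you at 10"))
```

In practice the "copied" value has to come from somewhere the malware cannot rewrite, such as the address shown in the exchange or wallet interface, and the "clipboard" value is whatever is about to be pasted into the send field; if the two differ and both parse as addresses, the transaction should not be sent. The checksum check alone is not a defence, since a swapped-in address is usually well-formed.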
