Security researchers at CyberArk have uncovered a malware campaign they call MassJacker. It targets users who download pirated software, in particular from pesktop[.]com, a site known for distributing malware alongside the cracked programs it advertises.
How MassJacker works
MassJacker is a clipboard hijacker (a "clipper"): it monitors the Windows clipboard for text that looks like a cryptocurrency wallet address and, when it finds one, silently replaces it with an attacker-controlled address. Because the substituted address is of the same currency as the original, the victim's wallet accepts it, and a user who pastes without re-reading the address sends the funds to the attackers instead of the intended recipient.
CyberArk linked 778,531 wallet addresses to the operation. Only 423 of them held funds at the time of analysis, about $95,300 in total, but their transaction history indicates that considerably larger amounts have passed through them; one Solana wallet that the attackers use as a central collection point has amassed over $300,000.
The malware arrives through a multi-stage infection chain: a PowerShell script downloads the Amadey bot together with additional loader files. Those loaders use anti-analysis techniques, including Just-In-Time (JIT) hooking and metadata token mapping, to hinder reverse engineering.
To protect yourself from MassJacker and similar clippers:
- Avoid pirated software: install software only from trusted sources.
- Verify addresses: before confirming a transaction, compare the entire pasted address, character by character, against the one you intended to send to; checking only the first and last few characters is not enough, because a substituted address can share them.
- Use security software: keep your antivirus and anti-malware software updated.
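The following Python is an added example, not code from the original article or from CyberArk's analysis of MassJacker. It illustrates both the mechanism described above and the "verify addresses" advice: the shape-based matching a clipper relies on to decide that the clipboard holds a wallet address, and the paste-time comparison a user or wallet front end can run to catch a same-currency substitution. The address families, regular expressions, verdict names and sample strings are my own choices; the patterns classify format only and do not validate checksums, and the sample addresses are constructed for the demonstration.

```python
import re

# Format patterns for the address families a clipper typically watches for.
# These are assumptions for this example: they classify by shape only and do
# not verify checksums. Order matters, because Bitcoin legacy and TRON
# addresses are also valid base58 strings and would otherwise be swallowed
# by the broader Solana pattern.
ADDRESS_PATTERNS = [
    ("BTC", re.compile(r"^bc1[ac-hj-np-z02-9]{25,87}$")),        # bech32 / bech32m
    ("BTC", re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$")),    # P2PKH / P2SH (base58)
    ("ETH", re.compile(r"^0x[0-9a-fA-F]{40}$")),                  # Ethereum / EVM chains
    ("TRX", re.compile(r"^T[1-9A-HJ-NP-Za-km-z]{33}$")),          # TRON (base58)
    ("SOL", re.compile(r"^[1-9A-HJ-NP-Za-km-z]{32,44}$")),        # Solana public key (base58)
]


def classify_address(text):
    """Return the asset family a string looks like, or None if it is not an address.

    This is the same decision a clipper makes on every clipboard update: if the
    clipboard is exactly one address, it knows which family to substitute.
    """
    s = text.strip()
    for family, pattern in ADDRESS_PATTERNS:
        if pattern.match(s):
            return family
    return None


def check_paste(copied, pasted):
    """Verdict on whether clipboard contents survived the copy/paste round trip.

    'ok'      : pasted text is identical to what was copied
    'swapped' : both strings look like addresses of the same family but differ,
                which is the signature of a clipper such as MassJacker
    'changed' : the text differs, but not as a same-family substitution
    """
    if copied == pasted:
        return "ok"
    src, dst = classify_address(copied), classify_address(pasted)
    if src is not None and src == dst:
        return "swapped"
    return "changed"


def first_difference(a, b):
    """Index of the first character where two strings diverge.

    Returns the length of the shorter string when one is a prefix of the other.
    Useful for pointing the user at exactly where a lookalike address departs
    from the intended one.
    """
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return min(len(a), len(b))


if __name__ == "__main__":
    # Constructed sample: the attacker's address shares the first and last four
    # hex digits with the intended one, so a glance at both ends would miss it.
    intended = "0x52908400098527886E0F7030069857D2E4169EE7"
    hijacked = "0x5290" + "0" * 32 + "9EE7"
    print("family:", classify_address(intended))
    print("verdict:", check_paste(intended, hijacked),
          "at index", first_difference(intended, hijacked))
```

A wallet or browser extension that keeps a copy of what the user actually copied can call `check_paste` on the value that lands in the recipient field and refuse to proceed on `swapped`; `first_difference` tells the user where to look. Tightening the patterns (adding bech32 and base58 checksum verification) would reduce false matches, but the detection here rests on the comparison, not on the regexes.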