A new and dangerous malware called MassJacker is putting cryptocurrency users at risk. According to security experts, this malware is mainly targeting people who search for pirated software online. It works by secretly hijacking cryptocurrency transactions and sending the money to hackers instead of the intended recipient.
This alarming discovery was made by cybersecurity researchers who found that the malware spreads through a website called pesktop[.]com. This website appears to offer free pirated software, but in reality, it tricks users into downloading harmful programs. Once the malware is installed on a computer, it starts monitoring everything the user copies to their clipboard.
How MassJacker Malware Works
MassJacker is classified as a “clipper malware.” This means that it watches what users copy and paste on their computers. Since many cryptocurrency transactions involve copying and pasting wallet addresses, the malware takes advantage of this habit. When a user copies a cryptocurrency wallet address, MassJacker quickly replaces it with a different address controlled by the hackers. The unsuspecting user then pastes this fake address when making a payment, unknowingly sending their cryptocurrency to the attackers instead.
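A defender's illustration of the clipboard swap described above (an added example, not code from the researchers or from this article): it flags a wallet-style string that is replaced by a different string of the same format faster than a person could copy again. The address patterns are simplified, the 500 ms window and the event format are assumptions, and the sample addresses are constructed.

```python
import re

# Simplified, commonly published address shapes (no checksum validation).
# Order matters: Bitcoin legacy addresses would also match the Solana pattern.
PATTERNS = [
    ("eth", re.compile(r"^0x[0-9a-fA-F]{40}$")),
    ("btc", re.compile(r"^(bc1[ac-hj-np-z02-9]{11,71}|[13][1-9A-HJ-NP-Za-km-z]{25,34})$")),
    ("sol", re.compile(r"^[1-9A-HJ-NP-Za-km-z]{32,44}$")),
]
SWAP_WINDOW_MS = 500  # assumption: nobody re-copies a new address this quickly


def classify(text):
    """Return the wallet family a clipboard string resembles, or None."""
    text = text.strip()
    for family, pattern in PATTERNS:
        if pattern.match(text):
            return family
    return None


def find_swaps(events, window_ms=SWAP_WINDOW_MS):
    """events: (timestamp_ms, clipboard_text) tuples, oldest first.
    Returns (timestamp_ms, family, original, replacement) for every address
    replaced by a different same-family address within window_ms."""
    alerts = []
    prev_ts = prev_text = prev_family = None
    for ts, text in events:
        family = classify(text)
        if (family is not None and family == prev_family
                and text.strip() != prev_text.strip()
                and ts - prev_ts <= window_ms):
            alerts.append((ts, family, prev_text, text))
        prev_ts, prev_text, prev_family = ts, text, family
    return alerts


# Constructed clipboard timeline; the addresses are made-up strings.
SAMPLE_EVENTS = [
    (1000, "meeting notes"),
    (5000, "0x" + "a1" * 20),   # user copies an Ethereum-style address
    (5040, "0x" + "b2" * 20),   # different address 40 ms later: flagged
    (9000, "A" * 44),           # Solana-style address copied later
    (15000, "B" * 44),          # another copy 6 s later: normal behaviour
    (15030, "C" * 44),          # replaced after 30 ms: flagged
]

if __name__ == "__main__":
    for alert in find_swaps(SAMPLE_EVENTS):
        print("possible clipper swap:", alert)
```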
The infection starts with an initial executable file that acts as a doorway for additional malware. It runs a PowerShell script that downloads other harmful software, including a botnet malware called Amadey and two .NET binaries designed for different computer architectures.
One of these files, named PackerE, downloads another encrypted file, which eventually loads the MassJacker malware into a legitimate Windows process called “InstallUtil.exe.” This method makes it harder for security programs to detect the threat.
To avoid detection, MassJacker uses several tricks, such as:
- JIT Hooking: A technique that hides its activities from security tools.
- Metadata Token Mapping: This makes it difficult to track which functions the malware is using.
- A Custom Virtual Machine: Instead of running like a normal program, it executes its commands in a hidden way, making it harder to analyze.
Massive Cryptocurrency Theft Uncovered
The hackers behind MassJacker have already managed to collect a significant amount of cryptocurrency from their victims. Security researchers discovered a shocking 778,531 unique cryptocurrency wallet addresses connected to the attackers. Out of these, at least 423 wallets still had funds amounting to around $95,300 at the time of discovery.
However, the total amount of stolen cryptocurrency is much larger. Before the funds were transferred out, these wallets held a combined total of approximately $336,700 in digital assets. This indicates that the attackers have successfully stolen large amounts of money from unsuspecting users.
One particular wallet linked to the hackers was found to contain 600 SOL (Solana), worth about $87,000. This wallet had received funds from more than 350 different transactions, suggesting that many victims unknowingly sent their money to the criminals.
While the identity of the cybercriminals behind MassJacker remains unknown, experts have noticed similarities between this malware and another one called MassLogger. MassLogger has also used the JIT Hooking technique to avoid detection, suggesting that the same group or an associated team may be responsible for both attacks.
As MassJacker continues to spread, it is crucial for users to be cautious when downloading software, especially from unofficial sources. Always verify the authenticity of a website before downloading anything, and avoid using pirated software to reduce the risk of falling victim to such dangerous malware.