
MassJacker Malware

Cybersecurity researchers have revealed a new malware campaign targeting users searching for pirated software. The attack delivers a previously undocumented clipper malware called MassJacker, designed to steal cryptocurrency by manipulating clipboard data.

How MassJacker Works: The Clipper Malware Threat

Clipper malware is a class of threat that monitors a victim’s clipboard activity. When a PC user copies a cryptocurrency wallet address, the malware replaces it with an attacker-controlled address, redirecting funds to cybercriminals instead of the intended recipient.

Pesktop.com: A Gateway to Infection

The infection chain starts with Pesktop.com, a website masquerading as a source for pirated software. However, users downloading from this site unknowingly receive various types of malware along with their desired software.

Once a user runs the initial executable, it triggers a PowerShell script that downloads a botnet malware called Amadey, along with two .NET binaries designed for both 32-bit and 64-bit architectures. These binaries, codenamed PackerE, download an encrypted DLL, which then launches the MassJacker payload by injecting it into a legitimate Windows process known as InstallUtil.exe.

Stealth Mode: How MassJacker Evades Detection

To avoid detection, the malware employs multiple obfuscation techniques, including:

  • JIT Hooking: Modifies Just-In-Time (JIT) compilation to evade analysis.
  • Metadata Token Mapping: Conceals function calls to make analysis harder.
  • Custom Virtual Machine Execution: Instead of running standard .NET code, it executes commands through a virtual machine to prevent detection.

Additionally, MassJacker comes with its own anti-debugging mechanisms, making it even harder for security researchers to analyze.

How MassJacker Collects Cryptocurrency

Once active, MassJacker continuously monitors a victim’s clipboard. It scans copied text using regular expressions to detect cryptocurrency wallet addresses. If it finds a match, the malware replaces the copied wallet address with one from a pre-downloaded list controlled by the attackers.

MassJacker contacts a remote server to retrieve an updated list of wallet addresses, ensuring that stolen funds continue flowing into accounts controlled by cybercriminals.
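The clipboard-swap behaviour described above can be caught from the defender's side by comparing what the user actually copied with what the clipboard later holds. The following is an added example (not code from the page or from the researchers who analysed MassJacker): it classifies clipboard strings with heuristic BTC/ETH/SOL address patterns (an assumption, not the malware's own regular expressions) and replays a constructed sequence of clipboard events, flagging any address that was silently replaced by a different address without a user-initiated copy.

```python
import re
from typing import Optional

# Heuristic address formats (assumption: common formats, not MassJacker's own patterns).
# "btc" is checked before "sol" because the base58 pattern for SOL is looser.
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(bc1[a-z0-9]{39,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[a-fA-F0-9]{40}$"),
    "sol": re.compile(r"^[1-9A-HJ-NP-Za-km-z]{32,44}$"),
}

def classify_address(text: str) -> Optional[str]:
    """Return the chain a clipboard string looks like, or None if it is not an address."""
    text = text.strip()
    for chain, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return chain
    return None

def detect_swaps(events):
    """Replay clipboard events and flag silent address replacements.

    events: sequence of (source, text); source is "user" for a user-initiated copy
    and "poll" for a periodic read of the clipboard contents.
    Returns a list of (chain, copied_address, address_found_on_clipboard).
    """
    alerts = []
    last_copy = None
    for source, text in events:
        if source == "user":
            last_copy = text.strip()
            continue
        chain = classify_address(last_copy) if last_copy is not None else None
        if chain is None:
            continue  # user did not copy an address, so a clipper has nothing to replace
        current = text.strip()
        if current != last_copy and classify_address(current) is not None:
            alerts.append((chain, last_copy, current))
            last_copy = current  # report each replacement once
    return alerts

# Constructed sample values and clipboard events (not real wallets or captured data).
ETH_USER = "0x" + "ab12" * 10
ETH_SWAP = "0x" + "deadbeef" * 5
SOL_USER = "5Gk3h8Z2xY" * 4
SOL_SWAP = "9wQvRtMnPb" * 4
SAMPLE_EVENTS = [
    ("user", ETH_USER), ("poll", ETH_USER),      # untouched: no alert
    ("poll", ETH_SWAP),                           # replaced without a user copy: alert
    ("user", "meeting notes"), ("poll", "meeting notes"),
    ("user", SOL_USER), ("poll", SOL_SWAP),       # replaced again: alert
    ("user", SOL_SWAP), ("poll", SOL_SWAP),       # user copied it deliberately: no alert
]

if __name__ == "__main__":
    for chain, copied, found in detect_swaps(SAMPLE_EVENTS):
        print(f"[{chain}] clipboard changed from {copied} to {found} without a user copy")
```

On a real endpoint the "user" events would come from a copy hotkey or UI hook and the "poll" events from a timer reading the clipboard; the swap rule itself stays the same.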

The Staggering Scale of the Attack

Researchers have identified over 778,531 unique wallet addresses associated with the attackers. However, only 423 of these wallets currently hold funds totaling approximately $95,300. Before funds were transferred out, the attackers had amassed around $336,700 in stolen digital assets.

A single wallet linked to the campaign holds approximately $87,000 (600 SOL), with over 350 transactions funneling funds into it from various compromised addresses.

Who is Behind MassJacker?

The identity of the cybercriminals behind MassJacker remains unknown. However, researchers have found similarities between MassJacker and another malware called MassLogger, which also uses JIT hooking to resist analysis. This suggests a possible connection between the two threats or a shared development background.

Stay Safe: How to Protect Yourself

  • Avoid Downloading Pirated Software – Many illegal software sites serve as delivery platforms for malware.
  • Use Strong Security Software – A reliable anti-malware detection tool can help spot threats before they cause harm.
  • Double-Check Wallet Addresses – Always manually verify wallet addresses before transferring cryptocurrency.
  • Keep Software Updated – Regular updates ensure vulnerabilities are patched, reducing the risk of malware infections.

As cybercriminals continue evolving their tactics, staying informed and cautious is the best defense against threats like MassJacker.
