Researchers at Trend Micro have identified a new piece of malware called OpcJacker that has been active since the second half of 2022.
Its key functions include keylogging, taking screenshots, stealing sensitive data, loading additional modules and replacing cryptocurrency addresses in the clipboard.
The malware is being deployed in a malvertising campaign using a network of fake websites that advertise benign software and crypto-related applications. Users in Iran were recently targeted, supposedly with the offer of a VPN service.
OpcJacker is capable of delivering next-stage payloads such as the NetSupport RAT and a hidden virtual network computing (hVNC) variant for remote access. The malware is hidden using a crypter called Babadeda, which employs a configuration file to activate its data harvesting functions.
Trend Micro said the configuration file format “resembles a bytecode written in a custom machine language”.
The malware has been found to be capable of stealing cryptocurrency funds from wallets, indicating that the campaigns are financially motivated. OpcJacker is also highly versatile, making it an ideal malware loader.
In a separate campaign, Securonix revealed the details of an ongoing attack targeting US entities using tax-themed lures to infect victims with backdoors.
French and Italian users searching for cracked versions of PC maintenance software on YouTube are being redirected to Blogger pages that distribute NullMixer, a malware dropper that can simultaneously drop a range of off-the-shelf malware, including PseudoManuscrypt, Raccoon Stealer, GCleaner, Fabookie and a new malware loader referred to as Crashtech Loader.
