MassJacker malware specifically targets users seeking pirated software, delivering a new and previously undocumented clipper malware variant. This malware type, known as clipper malware, is designed to monitor clipboard content, allowing attackers to substitute copied cryptocurrency wallet addresses with their own. As a result, victims unknowingly send cryptocurrency to attacker-controlled wallets instead of the intended recipients. CyberArk researchers have traced the infection chain to a site named pesktop[.]com, which masquerades as a hub for pirated software. The site also attempts to convince users to download additional malware, creating a multi-layered attack.
The infection process starts when the victim downloads an executable from the malicious site. This executable runs a PowerShell script that deploys a botnet named Amadey along with two other .NET binaries. These binaries, compiled for both 32-bit and 64-bit systems, serve as the foundation for the attack. One of the binaries, codenamed PackerE, is responsible for downloading an encrypted dynamic-link library (DLL). This DLL, once decrypted, loads a second DLL that eventually launches the MassJacker payload by injecting it into a legitimate Windows process, “InstalUtil.exe.” This technique is used to bypass detection and run the attack under the guise of a trusted system process.
Once injected, MassJacker begins its work by incorporating advanced evasion techniques to avoid detection.
It uses Just-In-Time (JIT) hooking and a custom virtual machine to obscure function calls and evade analysis. The malware also includes anti-debugging checks, making it harder for security researchers to reverse-engineer. MassJacker monitors clipboard content for cryptocurrency wallet addresses and automatically replaces them with a wallet address controlled by the attacker. The malware also contacts a remote server to download a list of the attacker’s wallet addresses.
This server communication ensures the malware always has up-to-date addresses to use in its attacks.
CyberArk identified over 778,531 unique cryptocurrency wallet addresses belonging to the attackers, with 423 of these wallets containing funds. The total amount in these wallets was approximately $95,300, but the attackers had more funds before transferring them out. One particular wallet stood out, containing around $87,000 worth of cryptocurrency, which had been accumulated through over 350 transactions. This indicates that the attackers are actively stealing significant amounts of cryptocurrency through this method. The scale of the attack highlights a well-organized operation, targeting unsuspecting cryptocurrency users, particularly those involved with pirated software.
