A new information-stealing malware called OpcJacker has been spotted in the wild since late 2022 as part of a malvertising campaign.
“OpcJacker’s main functions include keylogging, taking screenshots, exfiltrating sensitive data from browsers, loading additional modules, and replacing cryptocurrency addresses in the clipboard for hijacking purposes,” Trend Micro researchers Jaromir Horejsi and Joseph C. Chen said.
The initial vector of the campaign involves a network of fake websites advertising seemingly harmless software and cryptocurrency-related applications. A February 2023 campaign specifically targeted users in Iran under the pretext of offering a VPN service.
The installer files also deploy NetSupport RAT and a hidden virtual network computing (hVNC) variant of a remote access tool.
OpcJacker is concealed using a crypter known as Babadeda and relies on a configuration file to enable its data-harvesting capabilities. It can also run arbitrary shellcode and executables.
“The configuration file format resembles bytecode written in a custom machine language, where each instruction is parsed to get individual opcodes and specific handlers are executed,” Trend Micro said.
Given the malware’s ability to steal cryptocurrencies from wallets, the campaign is suspected to be financially motivated. That said, OpcJacker’s versatility also makes it an ideal malware loader.
The findings come as Securonix has disclosed details of an ongoing attack campaign, dubbed Tactical#Octopus, that targets U.S. companies with tax-themed lures, infecting them with backdoors to access victims’ systems and harvest clipboard data and keystrokes.
In a related development, Italian and French users searching YouTube for cracked versions of PC maintenance software such as EaseUS Partition Master and Driver Easy Pro are being redirected to a Blogger page distributing the NullMixer dropper.
NullMixer also stands out for dropping several families of commodity malware at once, including PseudoManuscrypt, Raccoon Stealer, GCleaner, Fabookie, and a new malware loader called Crashtech Loader, resulting in large-scale infections.