
A new information-stealing malware called OpcJacker has been spotted in the wild since late 2022 as part of a malvertising campaign.
“OpcJacker’s main functions include keylogging, taking screenshots, exfiltrating sensitive data from browsers, loading additional modules, and replacing cryptocurrency addresses in the clipboard for hijacking purposes,” Trend Micro researchers Jaromir Horresi and Joseph C. Chen said.
The initial vector of the campaign involves a network of fake websites promoting seemingly harmless software and cryptocurrency-related applications. A February 2023 campaign targeted Iranian users under the pretext of providing VPN services.
The installer file acts as a conduit to deploy OpcJacker, which can also deliver next-stage payloads such as NetSupport RAT and Hidden Virtual Network Computing (hVNC) variants for remote access.
OpcJacker is hidden using a crypter known as Babadeda and uses a configuration file to enable its data collection capabilities. It can also run arbitrary shellcode and executables.

“The format of the configuration file is similar to bytecode written in a custom machine language, where each instruction is parsed to get individual opcodes and execute specific handlers,” Trend Micro said.
Given the malware’s ability to steal cryptocurrencies from wallets, the campaign is suspected to be financially motivated. That said, OpcJacker’s versatility also makes it an ideal malware loader.
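The clipboard-swapping behaviour described above (a copied wallet address silently replaced by another address of the same type) is one a defender can detect without knowing anything about the malware's internals: record what the user explicitly copied, poll the clipboard afterwards, and alert when the content changes to a different address of the same kind. The following is an added illustration, not code from Trend Micro or from the malware; the clipboard events, address values and the `ClipboardEvent` record type are constructed for the example, and the address patterns are deliberately loose shape checks rather than full validation.

```python
import re
from dataclasses import dataclass

# Loose shape checks for common wallet address formats. Assumption: a rough
# match is enough to decide "this looks like an address of kind X"; full
# checksum validation is out of scope for this illustration.
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(bc1[a-z0-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def address_kind(text: str):
    """Return the address kind ('btc', 'eth') the text looks like, or None."""
    s = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(s):
            return kind
    return None


@dataclass
class ClipboardEvent:
    ts: float        # seconds since monitoring started (constructed)
    content: str     # clipboard text observed at that moment
    source: str      # "user_copy": explicit copy by the user; "poll": periodic read-back


def detect_swaps(events):
    """Flag polled clipboard contents that differ from the user's last copy
    while still being an address of the same kind, i.e. the swap pattern
    a clipboard hijacker produces."""
    alerts = []
    last_copied = None
    for ev in events:
        if ev.source == "user_copy":
            last_copied = ev          # new baseline set by the user
            continue
        if last_copied is None:
            continue
        kind = address_kind(last_copied.content)
        if kind is None:
            continue                  # user copied non-address text; edits are benign
        if ev.content != last_copied.content and address_kind(ev.content) == kind:
            alerts.append({
                "kind": kind,
                "expected": last_copied.content,
                "observed": ev.content,
                "seconds_after_copy": round(ev.ts - last_copied.ts, 3),
            })
    return alerts


def sample_events():
    """Constructed clipboard timeline: two swaps (one BTC, one ETH) and one
    harmless change to non-address text."""
    btc_user = "1AaBbCcDdEeFfGgHhJjKkMmNnPpQqRrSs"   # constructed, not a real wallet
    btc_swap = "1ZzYyXxWwVvUuTtSsRrQqPpNnMmKkJjHh"   # constructed
    eth_user = "0x" + "ab" * 20                       # constructed
    eth_swap = "0x" + "cd" * 20                       # constructed
    return [
        ClipboardEvent(0.0, btc_user, "user_copy"),
        ClipboardEvent(0.5, btc_user, "poll"),        # unchanged: no alert
        ClipboardEvent(1.0, btc_swap, "poll"),        # swapped BTC address: alert
        ClipboardEvent(2.0, "hello world", "user_copy"),
        ClipboardEvent(2.5, "hello world!", "poll"),  # not an address: ignored
        ClipboardEvent(3.0, eth_user, "user_copy"),
        ClipboardEvent(3.5, eth_swap, "poll"),        # swapped ETH address: alert
    ]


if __name__ == "__main__":
    for alert in detect_swaps(sample_events()):
        print(alert)
```

In a real deployment the `user_copy` events would come from a hook on the copy action and the `poll` events from reading the clipboard at a short interval; the comparison logic stays the same, and the "same kind, different value" condition is what separates a hijack from the user simply copying something else.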
The findings follow Securonix’s disclosure of details of an ongoing attack campaign called TACTICAL#OCTOPUS. The attack campaign targets US entities with tax-themed lures and infects them with backdoors to access victims’ systems and retrieve clipboard data and keystrokes.
In a related development, Italian and French users searching YouTube for cracked versions of PC maintenance software such as EaseUS Partition Master and Driver Easy Pro are being redirected to a Blogger page distributing the NullMixer dropper.
NullMixer also stands out for dropping various commodity malware families simultaneously, including PseudoManuscrypt, Raccoon Stealer, GCleaner, Fabookie, and a new malware loader called Crashtech Loader, resulting in large-scale infections.