Since the second half of 2022, a new piece of information-stealing malware named OpcJacker has been observed in the wild as part of a malvertising campaign. The campaign's primary distribution channel is a network of fake websites promoting seemingly innocuous software and services connected to cryptocurrencies. In February 2023, users in Iran were specifically targeted under the guise of promoting a VPN service.
“OpcJacker’s main functions include keylogging, taking screenshots, stealing sensitive data from browsers, loading additional modules, and replacing cryptocurrency addresses in the clipboard for hijacking purposes,” Trend Micro researchers Jaromir Horejsi and Joseph C. Chen said.
The installers serve as a delivery mechanism for OpcJacker, which can in turn drop next-stage payloads such as NetSupport RAT and a hidden virtual network computing (hVNC) remote-access variant. OpcJacker uses a configuration file to enable its data-gathering features and is obfuscated with the Babadeda crypter. It can also run arbitrary executables and shellcode.
According to Trend Micro, the configuration file format resembles bytecode for a custom machine language: each instruction is parsed to retrieve its opcode before the corresponding handler is run. The operation is believed to be financially motivated, given the malware's capacity to steal cryptocurrency from wallets. That said, OpcJacker's adaptability also makes it well suited for use as a malware loader.
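The clipboard-hijacking capability described above (swapping a copied cryptocurrency address for an attacker-controlled one) can be checked for from the defender's side with a canary test: write a known address to the clipboard, read it back, and flag any substitution. The following is an added example, not code from the original article or from Trend Micro; the address patterns, canary values and the `SimulatedClipboard` stand-in are constructed for illustration, and the `write`/`read` accessors are hypothetical hooks to be wired to the platform's clipboard API.

```python
import re

# Simplified address patterns (constructed for this example; not exhaustive).
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[a-z0-9]{39,59}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}
# Canary addresses (constructed): one per supported format.
CANARIES = [
    "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2",
    "bc1q" + "q" * 38,
    "0x" + "1234567890abcdef" * 2 + "12345678",
]

def address_type(text):
    """Return the name of the address format that text matches, or None."""
    text = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return name
    return None

def check_clipboard(write, read, canaries=CANARIES):
    """Write each canary to the clipboard, read it back, report substitutions.
    write/read are clipboard accessors (hypothetical; wrap the platform API).
    Returns (canary, observed, same_format) tuples; a clipper typically swaps in
    an attacker address of the same format, so same_format is a strong signal."""
    findings = []
    for canary in canaries:
        write(canary)
        observed = read()
        if observed != canary:
            same_format = address_type(observed) == address_type(canary)
            findings.append((canary, observed, same_format))
    return findings

class SimulatedClipboard:
    """Constructed stand-in for a clipboard; with attacker_addresses set it
    behaves like a clipper that swaps addresses of known formats."""
    def __init__(self, attacker_addresses=None):
        self.content = ""
        self.attacker_addresses = attacker_addresses or {}
    def write(self, text):
        self.content = self.attacker_addresses.get(address_type(text), text)
    def read(self):
        return self.content

# Constructed attacker addresses (placeholders in the same formats as the canaries).
INFECTED = SimulatedClipboard({"btc_legacy": "1Constructed" + "X" * 22, "eth": "0x" + "ab" * 20})
```

Running `check_clipboard` against a clean clipboard returns an empty list; against the simulated clipper it reports the two substituted canaries, both flagged as same-format swaps.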
The findings coincide with Securonix's disclosure of a persistent attack campaign tracked as TACTICAL#OCTOPUS, which uses tax-themed lures to target organizations in the United States and infect them with backdoors that give attackers access to victim systems and record keystrokes and clipboard data. In a parallel development, users in Italy and France who search YouTube for pirated copies of PC maintenance programs such as EaseUS Partition Master and Driver Easy Pro are being redirected to Blogger pages that distribute the NullMixer dropper.
NullMixer is notable for dropping several commodity malware families at once, including PseudoManuscrypt, Raccoon Stealer, GCleaner, Fabookie, and a new malware loader known as Crashtech Loader, resulting in widespread infections.