A piece of new information-stealing malware called OpcJacker has been spotted in the wild since the second half of 2022 as part of a malvertising campaign.
“OpcJacker’s main functions include keylogging, taking screenshots, stealing sensitive data from browsers, loading additional modules, and replacing cryptocurrency addresses in the clipboard for hijacking purposes,” Trend Micro researchers Jaromir Horejsi and Joseph C. Chen said.
The initial vector of the campaign involves a network of fake websites advertising seemingly innocuous software and cryptocurrency-related applications. The February 2023 campaign specifically singled out users in Iran under the pretext of offering a VPN service.
The installer files act as a conduit to deploy OpcJacker, which is also capable of delivering next-stage payloads such as NetSupport RAT and a hidden virtual network computing (hVNC) variant for remote access.
OpcJacker is concealed using a crypter known as Babadeda and makes use of a configuration file to activate its data harvesting functions. It can also run arbitrary shellcode and executables.
“The configuration file format resembles a bytecode written in a custom machine language, where each instruction is parsed, individual opcodes are obtained, and then the specific handler is executed,” Trend Micro said.
Given the malware’s ability to steal crypto funds from wallets, the campaigns are suspected to be financially-motivated. That said, OpcJacker’s versatility also makes it an ideal malware loader.
Become an Incident Response Pro!
Unlock the secrets to bulletproof incident response – Master the 6-Phase process with Asaf Perlman, Cynet’s IR Leader!
The findings come as Securonix revealed details of an ongoing attack campaign dubbed TACTICAL#OCTOPUS that targets U.S. entities with tax-themed lures to infect them with backdoors to gain access to victim systems as well as capture clipboard data and keystrokes.
In a related development, Italian and French users searching for cracked versions of PC maintenance software such as EaseUS Partition Master and Driver Easy Pro on YouTube are being redirected to Blogger pages distributing the NullMixer dropper.
NullMixer also stands out for simultaneously dropping a wide variety of off-the-shelf malware, including PseudoManuscrypt, Raccoon Stealer, GCleaner, Fabookie, and a new malware loader referred to as Crashtech Loader, leading to large-scale infections.