Cybersecurity researchers have found MassJacker, a new, previously undocumented malware. It targets a predominantly freebie-seeking audience, i.e. users of pirated content.
MassJacker Malware Targets Piracy Users
MassJacker is a recently discovered malware that targets users downloading pirated software, aiming to steal their cryptocurrency. It is classified as a clipper malware, also referred to as cryware, a type designed to steal cryptocurrency by manipulating the clipboard on infected systems.
When a user copies a cryptocurrency wallet address, MassJacker replaces it with an attacker-controlled address, redirecting funds intended for the user to the attacker. This tactic is particularly insidious, as cryptocurrency addresses are long and complex, making it easy for users to miss the swap.
Technical Details
The malware is spread through pesdesktop[.]com, a deceptive website offering pirated software. Users who download supposedly legitimate programs instead receive a malicious executable that initiates the infection chain. Upon execution, this file runs a cmd script, which then launches a PowerShell script responsible for retrieving the Amadey botnet, a known malware loader, along with two .NET binaries, PackerE and PackerD1, built for 32- and 64-bit architectures respectively.
The infection process unfolds in several stages. After the initial download, the executable triggers a cmd script that executes PowerShell commands, delivering Amadey and the loader components. Amadey then activates PackerE, which decrypts and loads PackerD1 directly into memory.

PackerD1 employs advanced evasion tactics such as Just-In-Time (JIT) hooking, metadata token mapping, and a custom virtual machine to interpret commands. It subsequently decrypts and injects PackerD2, which extracts the final payload, MassJacker. This malware embeds itself into the legitimate Windows process “InstallUtil.exe” and continuously scans the clipboard for cryptocurrency wallet addresses, replacing them with attacker-controlled ones obtained from a remote server.
By leveraging multiple layers of obfuscation and runtime modifications, MassJacker effectively bypasses security software, making it a highly sophisticated and stealthy threat.
MassJacker is designed with several technical features to improve its stealth and efficiency. It includes anti-debugging mechanisms that detect and prevent execution in debugging environments, making analysis by security researchers more difficult. The malware communicates with a remote server to retrieve updated lists of attacker-controlled wallet addresses, allowing it to dynamically modify its targets. It also employs event handlers that activate whenever data is copied to the clipboard, enabling real-time interception and modification.
MassJacker also employs Just-In-Time (JIT) hooking, a technique that dynamically modifies code during execution. This makes it more difficult for traditional static analysis tools to identify its malicious behavior, enhancing its ability to evade detection. Additionally, it operates within a custom virtual machine that interprets its own commands, obfuscating the code and complicating reverse-engineering efforts. By injecting itself into “InstallUtil.exe,” a legitimate Windows utility, it runs under the guise of a trusted process, further reducing the chances of detection by security software.
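The clipboard-swap behaviour described above (a copied wallet address silently replaced by a different one of the same kind, triggered from a clipboard event handler) leaves a recognisable trace that a defender can look for. The following Python example is added here and is not code from the MassJacker write-up or from any vendor; it classifies clipboard snapshots by address family and flags the clipper signature: one valid address replaced by a different valid address of the same family within a short window. The event list is constructed (the two bc1 addresses are public BIP173 test vectors, the other values are synthetic), and the `owner` field stands in for what a real monitor would obtain from the OS clipboard-owner API.

```python
"""Clipper-style clipboard swap detector (added example, not from the MassJacker report)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Loose address-format heuristics (no checksum validation): a detector only
# needs to recognise "looks like a wallet address". Order matters: legacy BTC
# addresses are also valid base58, so "btc" is tested before "sol".
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(bc1[02-9ac-hj-np-z]{25,62}|[13][1-9A-HJ-NP-Za-km-z]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "sol": re.compile(r"^[1-9A-HJ-NP-Za-km-z]{32,44}$"),
}


def classify(text: str) -> Optional[str]:
    """Return the address family the clipboard text resembles, or None."""
    text = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return family
    return None


@dataclass(frozen=True)
class ClipboardEvent:
    ts: float    # seconds since an arbitrary epoch
    owner: str   # process that wrote the clipboard (hypothetical field, as a
                 # real monitor would fill from the OS clipboard-owner API)
    text: str


def find_swaps(events: List[ClipboardEvent],
               window_s: float = 2.0) -> List[Tuple[ClipboardEvent, ClipboardEvent]]:
    """Flag consecutive events where a valid address is replaced by a different
    address of the same family within `window_s` seconds.

    A user who copies two different addresses does so seconds or minutes
    apart; a clipper rewrites the clipboard almost immediately after the copy,
    which is the timing this check keys on.
    """
    swaps = []
    for prev, cur in zip(events, events[1:]):
        fam_prev, fam_cur = classify(prev.text), classify(cur.text)
        if fam_prev is None or fam_prev != fam_cur:
            continue                      # not an address-for-address change
        if prev.text.strip() == cur.text.strip():
            continue                      # same content re-copied, not a swap
        if cur.ts - prev.ts > window_s:
            continue                      # too slow to be an automated rewrite
        swaps.append((prev, cur))
    return swaps


# Constructed sample clipboard timeline. The bc1 values are public BIP173 test
# vectors; the 0x values are synthetic and not real accounts.
SAMPLE_EVENTS = [
    ClipboardEvent(0.0, "notepad.exe", "meeting notes"),
    ClipboardEvent(10.0, "chrome.exe", "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"),
    # 0.3 s later the clipboard holds a different bc1 address, written by a
    # process that has no business touching the clipboard.
    ClipboardEvent(10.3, "InstallUtil.exe", "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"),
    ClipboardEvent(40.0, "chrome.exe", "0x" + "ab" * 20),
    # A second, different ETH address copied 50 s later: ordinary user activity.
    ClipboardEvent(90.0, "chrome.exe", "0x" + "cd" * 20),
]


def report(events: List[ClipboardEvent]) -> List[str]:
    """Human-readable findings, one line per suspected swap."""
    lines = []
    for prev, cur in find_swaps(events):
        lines.append(
            f"{classify(cur.text)} address swapped {cur.ts - prev.ts:.1f}s after copy "
            f"by {cur.owner}: {prev.text[:12]}... -> {cur.text[:12]}..."
        )
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_EVENTS):
        print(line)
```

The owner of the replacement write is reported alongside the timing because, in the infection described on this page, the writer is a process (InstallUtil.exe) that normally never touches the clipboard; that mismatch is often the clearest signal in the log. The window and the format heuristics are tunable, and on a real host the `ClipboardEvent` list would be fed by a clipboard listener rather than constructed inline.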
Financial Impact and Scale
Research into the financial impact of MassJacker links it to 778,531 unique wallet addresses. Of these, 423 wallets were found to hold funds totaling approximately $95,300 at the time of analysis. Historical data suggests the total assets associated with these wallets amount to $336,700, with one Solana wallet accumulating $87,000 from over 350 transactions.
MassJacker shares similarities with Masslogger, a previously reported malware known for stealing sensitive information. This connection suggests that the same or related threat actors may be involved, indicating a pattern of activity in the cybercrime landscape.
How to Protect Against MassJacker Malware?
To summarize all of the above, the first and most important step to avoid MassJacker is to stop using pirated software. This alone is 90% of success in the fight against malware in general.
A more secure alternative is using a hardware wallet for storing and transferring cryptocurrency. These devices keep private keys offline and typically do not involve clipboard usage. Since hardware wallets operate independently of the system’s clipboard, they completely neutralize MassJacker’s primary attack method.
In addition, it is critical to have a robust anti-malware solution and update it regularly. I recommend using GridinSoft Anti-Malware as it has all the features you need today to protect against most attacks.
The final step is to use 2FA wherever possible. This creates an additional layer of protection. In the event of a login data leak or theft, 2FA requires a one-time password (OTP) sent to the app, email, or phone, without which it is not possible to log in. This can prevent unauthorized login.