Full Report
A newly discovered clipboard hijacking operation dubbed 'MassJacker' uses at least 778,531 cryptocurrency wallet addresses to steal digital assets from compromised computers. [...]
Analysis Summary
# Tool/Technique: MassJacker
## Overview
MassJacker is a malware primarily designed for cryptocurrency theft through clipboard hijacking. It monitors the Windows clipboard for copied cryptocurrency wallet addresses and replaces them with an attacker-controlled wallet address, causing victims to unknowingly transfer funds to the threat actor.
## Technical Details
- Type: Malware family
- Platform: Windows
- Capabilities: Clipboard monitoring and replacement for cryptocurrency wallet addresses, multi-stage infection chain involving multiple loaders and botnets, advanced evasion techniques.
- First Seen: Not stated in the report; the activity was documented in a recent CyberArk analysis.
## MITRE ATT&CK Mapping
*Note: the technique IDs below are inferred from the behaviour the article describes; the article itself lists actions, not ATT&CK IDs.*
- **TA0002 - Execution** (inferred from the command script and PowerShell stages of the infection chain)
  - T1059.003 - Command and Scripting Interpreter: Windows Command Shell
  - T1059.001 - Command and Scripting Interpreter: PowerShell
- **TA0003 - Persistence**
  - T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (inferred, if the loaders establish persistence; the article does not describe the mechanism)
- **TA0005 - Defense Evasion**
  - T1055 - Process Injection (final payload injected into `InstallUtil.exe`)
  - T1027 - Obfuscated Files or Information (metadata token mapping, custom VM in PackerD1)
- **TA0011 - Command and Control** (implied by the use of Amadey Bot; no specific C2 technique is described)
- **TA0009 - Collection**
  - T1115 - Clipboard Data (the core function reads and overwrites clipboard data)
## Functionality
### Core Capabilities
- Monitors the Windows clipboard for cryptocurrency wallet addresses using Regular Expression (regex) patterns.
- Replaces detected victim wallet addresses with an attacker-controlled wallet address from an encrypted list.
- Injects the final payload into `InstallUtil.exe`, the legitimate .NET Framework Installer Tool, so that the clipper runs under a trusted, signed process name.
### Advanced Features
- **Multi-stage Execution:** Utilizes a chain involving a command script, a PowerShell script, the Amadey bot, and the loaders PackerE and PackerD1, with a further stage (PackerD2) unpacking the final payload.
- **Evasion and Anti-Analysis:** PackerD1 employs techniques such as Just-In-Time (JIT) hooking, metadata token mapping to obfuscate function calls, and a custom virtual machine for command interpretation.
- **Payload Extraction:** PackerE decrypts and loads PackerD1 into memory; PackerD1 in turn loads PackerD2, which decrypts and extracts the final payload (MassJacker). None of the intermediate stages needs to touch disk in decrypted form.
## Indicators of Compromise
- File Hashes: [Not provided in the article]
- File Names: PackerE, PackerD1, PackerD2 (intermediate loader components); `InstallUtil.exe` (legitimate .NET process targeted for injection, not itself an indicator).
- Registry Keys: [Not provided in the article]
- Network Indicators: Amadey bot C2 infrastructure (no specific IPs or domains provided in the article); distribution site pesktop[.]com (defanged), a pirated-software site used to deliver the initial installer.
- Behavioral Indicators: Execution of unsigned PowerShell scripts from the installer chain, process injection into `InstallUtil.exe`, and clipboard contents being read and rewritten shortly after the user copies a wallet address.
## Associated Threat Actors
- The malware is part of a wider operation tracked by CyberArk, which describes it as a cryptojacking operation; the actual technique is clipboard hijacking (clipper malware), not covert mining. No established APT group affiliation is named.
## Detection Methods
- Signature-based detection: Hash-based signatures for the packed components (PackerE, D1, D2) are possible once samples are obtained, but the article provides no hashes and repacking changes them, so they should not be the only control.
- Behavioral detection: Monitor for PowerShell scripts fetching remote payloads, an execution chain involving the Amadey bot, and process injection into `InstallUtil.exe`. On the endpoint, alert on a clipboard value matching a crypto-wallet regex being replaced within a fraction of a second by a different value of the same format; legitimate users almost never do that.
- YARA rules: Could be written for the binary patterns related to JIT hooking or the custom VM bytecode within the loaders, which are more stable across repacks than file hashes.
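The two halves of the clipboard story above (the clipper's regex-match-and-swap in Core Capabilities, and the behavioural detection of a wallet address being overwritten by a different one of the same type) can be shown side by side. The following is an added illustration, not code from the MassJacker report or from CyberArk: the wallet regexes are simplified approximations, the attacker addresses and the clipboard timeline are constructed for this example, and `clipper_swap` is a model of the behaviour the report describes rather than the malware's own code.

```python
"""Model of a clipboard clipper plus a detector for its overwrite pattern.

Added illustration; not code from the MassJacker report or CyberArk.  The regexes
are simplified, ATTACKER_WALLETS is a constructed stand-in for the malware's
encrypted address list, and the copy timeline below is made up for the demo.
"""
import re

# Simplified wallet-address shapes (illustrative, not exhaustive or exact).
WALLET_PATTERNS = {
    "BTC": re.compile(r"(?:bc1[a-z0-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})"),
    "ETH": re.compile(r"0x[0-9a-fA-F]{40}"),
}

# Constructed stand-in for the clipper's replacement list (one address per family).
ATTACKER_WALLETS = {
    "BTC": "bc1q" + "a" * 38,
    "ETH": "0x" + "dead" * 10,
}


def classify(text: str):
    """Return the wallet family a clipboard string looks like, or None."""
    text = text.strip()
    for coin, pattern in WALLET_PATTERNS.items():
        if pattern.fullmatch(text):
            return coin
    return None


def clipper_swap(text: str) -> str:
    """Model of the clipper: swap a recognised address for the attacker's address
    of the same family; leave everything else untouched so the user sees nothing odd."""
    coin = classify(text)
    return ATTACKER_WALLETS[coin] if coin else text


def simulate_session(user_copies, swap_delay=0.1):
    """Turn (timestamp, text) user copy actions into the clipboard event stream a
    monitor would observe on an infected host: each wallet copy is followed, after
    swap_delay seconds, by the clipper's overwrite."""
    events = []
    for ts, text in user_copies:
        events.append((ts, text))
        swapped = clipper_swap(text)
        if swapped != text:
            events.append((ts + swap_delay, swapped))
    return events


def detect_clipper(events, window_s=2.0):
    """Flag a wallet-looking clipboard value replaced by a *different* value of the
    same family within window_s seconds.  Re-copying the same address, or copying
    two addresses minutes apart, does not trigger; a sub-second swap does."""
    alerts = []
    prev = None  # (ts, text, coin) of the last wallet-like clipboard value
    for ts, text in events:
        coin = classify(text)
        if coin is None:
            prev = None
            continue
        if prev and prev[2] == coin and prev[1] != text and ts - prev[0] <= window_s:
            alerts.append({
                "time": ts, "coin": coin, "original": prev[1],
                "replacement": text, "latency_s": round(ts - prev[0], 3),
            })
        prev = (ts, text, coin)
    return alerts


# Widely published documentation addresses, used here as the victim's intended targets.
VICTIM_BTC = "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"
VICTIM_ETH = "0x71C7656EC7ab88b098defB751B7401B5f6d8976F"

# Constructed timeline of an infected user's copy actions.
INFECTED_COPIES = [
    (0.0, "meeting notes"),
    (5.0, VICTIM_BTC),
    (40.0, "https://example.com/invoice"),
    (60.0, VICTIM_ETH),
]


def run_demo():
    """Replay the constructed session through the clipper model and the detector."""
    return detect_clipper(simulate_session(INFECTED_COPIES))


if __name__ == "__main__":
    for a in run_demo():
        print(f"[{a['time']:.1f}s] {a['coin']} clipboard swap after {a['latency_s']}s: "
              f"{a['original']} -> {a['replacement']}")
```

The detector keys on the latency between two distinct same-family addresses, not on the addresses themselves, so it does not need the attacker's list; the trade-off is that a user who pastes one address and immediately copies another of the same coin within the window will also be flagged, which is why a real deployment should combine this with the process-level signals (PowerShell download chain, injection into `InstallUtil.exe`) listed above.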
## Mitigation Strategies
- **Application Control/Whitelisting:** Restrict execution of downloaded PowerShell scripts and of installers sourced from unverified locations (such as pirated-software sites); the infection chain starts with a user-run installer, so blocking that first stage cuts off everything after it.
- **Endpoint Detection and Response (EDR):** Deploy robust EDR capable of detecting in-memory payloads, process injection techniques, and JIT hooking within processes.
- **User Awareness:** Educate users against downloading software from untrusted sources like `pesktop[.]com`.
- **Clipboard Monitoring:** Implement security solutions capable of inspecting and flagging suspicious clipboard modifications, especially those replacing complex strings like wallet addresses.
## Related Tools/Techniques
- Amadey Bot (Used as part of the infection infrastructure).
- Clipboard Hijacking Malware / Clippers (The core technique utilized by MassJacker).