Full Report
Users searching for pirated software are the target of a new malware campaign that delivers a previously undocumented clipper malware called MassJacker, according to findings from CyberArk. Clipper malware is a type of cryware (as coined by Microsoft) that's designed to monitor a victim's clipboard content and facilitate cryptocurrency theft by substituting copied cryptocurrency wallet addresses
Analysis Summary
# Tool/Technique: MassJacker
## Overview
MassJacker is a previously undocumented clipper malware designed to hijack cryptocurrency transactions by monitoring the victim's clipboard and automatically substituting copied cryptocurrency wallet addresses with an attacker-controlled address. It is distributed via attack chains originating from websites that distribute pirated software.
## Technical Details
- Type: Malware (Clipper/Cryware)
- Platform: Windows (the chain relies on PowerShell, .NET binaries and injection into `InstallUtil.exe`, the .NET Framework installer utility; the source article spells it `InstalUtil.exe`)
- Capabilities: Clipboard monitoring, cryptocurrency wallet address substitution, anti-analysis/evasion techniques.
- First Seen: Implied to be recent as of March 2025 based on the article's publication date.
## MITRE ATT&CK Mapping
*Note: Specific mappings are inferred based on the described functionality.*
- **TA0001 - Initial Access / TA0002 - Execution**
  - T1204.002 - User Execution: Malicious File (the victim downloads and runs a pirated-software installer; T1189 Drive-by Compromise would imply browser exploitation, which the article does not describe)
  - T1059.001 - Command and Scripting Interpreter: PowerShell (scripts run after the initial download)
- **TA0005 - Defense Evasion**
  - T1055 - Process Injection (payload injected into `InstallUtil.exe`)
  - T1027 - Obfuscated Files or Information (encrypted DLL, metadata token mapping, custom VM and JIT hooking)
  - T1622 - Debugger Evasion (anti-debugging checks)
- **TA0009 - Collection**
  - T1115 - Clipboard Data
- **TA0040 - Impact**
  - T1565 - Data Manipulation (substitution of copied wallet addresses)
## Functionality
### Core Capabilities
- Injects the payload into the legitimate Windows .NET Framework process `InstallUtil.exe`.
- Reads data copied to the user's clipboard via an event handler.
- Uses regular expression patterns to identify cryptocurrency wallet addresses.
- Replaces identified wallet addresses with addresses controlled by the threat actor.
- Retrieves the list of attacker-controlled wallets from a remote server.
### Advanced Features
- **Anti-Analysis/Evasion:** Hooks the .NET JIT compiler, a technique used by .NET protectors to hand the real method body to the runtime only at compile time, so the IL visible on disk is not what executes and static decompilation yields stubs.
- **Obfuscation:** Employs metadata token mapping to conceal function calls.
- **Custom Virtual Machine:** Interprets commands using a custom VM instead of running standard .NET code.
- **Anti-Debugging:** Incorporates specific checks to detect debugging attempts.
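Added example (not code from the CyberArk report or the MassJacker sample): the clipper loop described above reduced to its essentials in Python, with the defender's counterpart beside it. The address regexes, the constructed placeholder wallets and the attacker wallet table are assumptions for illustration; the article does not publish MassJacker's patterns or its wallet list.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Wallet-address patterns of the kind a clipper uses to pick addresses out of
# copied text. ASSUMPTION: MassJacker's actual regexes are not published; these
# follow the public address formats (Base58 P2PKH/P2SH, Bech32, EVM hex, Tron).
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b"),
    "btc_bech32": re.compile(r"\bbc1[02-9ac-hj-np-z]{25,62}\b"),
    "eth":        re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
    "trx":        re.compile(r"\bT[1-9A-HJ-NP-Za-km-z]{33}\b"),
}

# Constructed placeholder addresses (valid shape, not real wallets).
VICTIM_BTC   = "1VictimWa11etExamp1eExamp1eExamp1e"
ATTACKER_BTC = "1AttackerWa11etExamp1eExamp1eExamp"
VICTIM_ETH   = "0x" + "deadbeef" * 5
ATTACKER_ETH = "0x" + "feedface" * 5

# The per-family replacement table a clipper fetches from its server (assumed).
ATTACKER_WALLETS = {"btc_legacy": ATTACKER_BTC, "eth": ATTACKER_ETH}


def classify_address(text: str) -> Optional[str]:
    """Return the address family if the whole string is a single wallet address."""
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.fullmatch(text):
            return family
    return None


def clipper_rewrite(clipboard: str, wallets: dict) -> str:
    """The malicious step: on a clipboard-update event, swap every address for
    the attacker's address of the same family and leave all other text intact,
    so the victim notices nothing until the funds are gone."""
    out = clipboard
    for family, pattern in ADDRESS_PATTERNS.items():
        if family in wallets:
            out = pattern.sub(wallets[family], out)
    return out


@dataclass
class Alert:
    family: str
    expected: str
    observed: str


def detect_substitution(copied: str, pasted: str) -> Optional[Alert]:
    """The defensive counterpart, usable in a wallet UI or a clipboard guard:
    compare what the user copied with what the clipboard now holds. Alert only
    when an address turned into a different address of the same family while
    every other character stayed the same, which is a clipper's fingerprint
    rather than an ordinary edit."""
    if copied == pasted:
        return None
    for family, pattern in ADDRESS_PATTERNS.items():
        before = pattern.findall(copied)
        after = pattern.findall(pasted)
        if before and after and before != after:
            if pattern.sub("<ADDR>", copied) == pattern.sub("<ADDR>", pasted):
                return Alert(family, before[0], after[0])
    return None


def demo() -> tuple:
    """Constructed scenario: a payment instruction is copied, the clipper
    rewrites it, and the guard catches the swap before the user pastes."""
    copied = f"Pay 0.05 BTC to {VICTIM_BTC} by Friday"
    swapped = clipper_rewrite(copied, ATTACKER_WALLETS)
    return swapped, detect_substitution(copied, swapped)


if __name__ == "__main__":
    swapped, alert = demo()
    print("clipboard after clipper:", swapped)
    print("alert:", alert)
```

The masking step in `detect_substitution` is what keeps the check quiet on legitimate edits: if the user appends text or retypes a note, the address list is unchanged and nothing fires; only a same-family address swap with identical surroundings is reported. The same comparison is the manual habit the mitigation section asks of users, performed by code.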
## Indicators of Compromise
- File Hashes: [Not provided in the article]
- Files (names and hashes not given in the article; listed by role in the chain):
  - Initial executable (conduit)
  - Amadey botnet malware
  - Two .NET binaries (32-bit and 64-bit versions)
  - PackerE binary (downloads DLLs)
  - Loaded DLL files
- Registry Keys: [Not provided in the article]
- Network Indicators:
  - Distribution domain: `pesktop[.]com` (defanged). This is the pirated-software site at the start of the chain, not a confirmed C2; the server that hands out the attacker wallet list is not named in the article.
- Behavioral Indicators:
  - Injection into `InstallUtil.exe`.
  - Continuous reading of clipboard content, with copied wallet addresses replaced by different addresses of the same type.
  - Execution of PowerShell scripts following the initial download.
## Associated Threat Actors
- Unknown. The sample shares code with the **MassLogger** malware (both use JIT hooking), which points to a common developer or toolkit rather than to a named group.
## Detection Methods
- Signature-based detection: hashes or YARA for the initial executable, the PackerE downloader and the .NET payload DLLs once samples are available (none are listed in the article).
- Behavioral detection: `InstallUtil.exe` started without an assembly argument or by a process in a user-writable directory; remote-thread creation or write-capable handles into `InstallUtil.exe`; a process that reads the clipboard and rewrites it moments later with a different wallet address.
- YARA rules, if written, should key on the custom VM's interpreter loop, the metadata token mapping routine or the JIT hook installation code rather than on strings alone, which an encrypted DLL stage conceals on disk.
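To make the behavioral detection concrete, here is an added example (my code, not from CyberArk or the original article): a small Python rule set run over constructed Sysmon-style events. The event shapes and field names follow Sysmon's process-creation (EventID 1), ProcessAccess (EventID 10) and CreateRemoteThread (EventID 8) records; the loader path, the parent-process heuristic and the "bare command line" hypothesis are assumptions, since the article only states that the payload is injected into `InstallUtil.exe`.

```python
import ntpath
from typing import Iterable

# Constructed Sysmon-style events for illustration (not real telemetry).
# EventID 1 = process creation, 8 = CreateRemoteThread, 10 = ProcessAccess.
INSTALLUTIL_64 = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
INSTALLUTIL_32 = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
LOADER = r"C:\Users\victim\AppData\Local\Temp\setup_crack.exe"  # hypothetical loader

SAMPLE_EVENTS = [
    # Benign: an admin uninstalling a service assembly from a shell.
    {"EventID": 1, "ProcessId": 4100, "Image": INSTALLUTIL_64,
     "CommandLine": r"InstallUtil.exe /u C:\Apps\Service.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    # Suspicious: InstallUtil.exe started with no arguments by a binary in Temp ...
    {"EventID": 1, "ProcessId": 5120, "Image": INSTALLUTIL_32,
     "CommandLine": INSTALLUTIL_32, "ParentImage": LOADER},
    # ... which then opens it with write/thread rights and creates a remote thread.
    {"EventID": 10, "TargetProcessId": 5120, "SourceImage": LOADER,
     "TargetImage": INSTALLUTIL_32, "GrantedAccess": "0x1FFFFF"},
    {"EventID": 8, "TargetProcessId": 5120, "SourceImage": LOADER,
     "TargetImage": INSTALLUTIL_32},
]

# Locations a user can write to without admin rights; a parent living there is a
# red flag for a Microsoft-signed .NET utility.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")

# Access rights that together allow writing code into a process and running it:
# PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE.
INJECT_ACCESS = 0x0002 | 0x0008 | 0x0020


def is_installutil(path: str) -> bool:
    return ntpath.basename(path).lower() == "installutil.exe"


def has_arguments(command_line: str, image: str) -> bool:
    """True when the command line carries anything beyond the executable itself.
    A legitimate InstallUtil.exe run names an assembly to install or uninstall."""
    rest = command_line.strip()
    base = ntpath.basename(image)
    for candidate in (f'"{image}"', image, f'"{base}"', base):
        if rest.lower().startswith(candidate.lower()):
            return rest[len(candidate):].strip() != ""
    return True  # unrecognised shape: do not raise a false positive


def evaluate(events: Iterable[dict]) -> list:
    """Run the InstallUtil.exe injection hypotheses over process telemetry and
    return one alert dict per suspicious observation."""
    alerts = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 1 and is_installutil(ev["Image"]):
            if not has_arguments(ev["CommandLine"], ev["Image"]):
                alerts.append({"pid": ev["ProcessId"],
                               "reason": "InstallUtil.exe started without an assembly argument"})
            if any(tag in ev["ParentImage"].lower() for tag in USER_WRITABLE):
                alerts.append({"pid": ev["ProcessId"],
                               "reason": f"InstallUtil.exe spawned from user-writable path by {ev['ParentImage']}"})
        elif eid == 10 and is_installutil(ev["TargetImage"]):
            if int(ev["GrantedAccess"], 16) & INJECT_ACCESS:
                alerts.append({"pid": ev["TargetProcessId"],
                               "reason": f"{ev['SourceImage']} opened InstallUtil.exe with injection-capable rights {ev['GrantedAccess']}"})
        elif eid == 8 and is_installutil(ev["TargetImage"]):
            alerts.append({"pid": ev["TargetProcessId"],
                           "reason": f"{ev['SourceImage']} created a remote thread in InstallUtil.exe"})
    return alerts


if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(f"[pid {a['pid']}] {a['reason']}")
```

Three hypotheses are encoded: a bare `InstallUtil.exe` command line (the binary does nothing useful without an assembly), a parent in a user-writable directory, and a handle or remote thread from another process with rights sufficient to write and execute code. Baseline before deploying: build agents and installers that legitimately run `InstallUtil.exe` will trip none of these if they pass an assembly path and run from `Program Files` or a system location, but any environment with unusual tooling should be checked first.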
## Mitigation Strategies
- **Prevention:** Do not download or run software from pirated-software sites (such as `pesktop[.]com`). Enforce application control (allowlisting) so unsigned binaries dropped into user-writable paths cannot execute. Before sending cryptocurrency, compare the pasted destination address character by character with the intended one, or use the wallet's address book instead of the clipboard; this defeats any clipper regardless of how it is packed.
- **Hardening:** Deploy EDR that alerts on process injection (remote threads, write-capable process handles) into `InstallUtil.exe` and other trusted .NET hosts, and on runtime tampering such as JIT hooks. Restrict PowerShell where it is not needed (Constrained Language Mode, script block logging, AppLocker or WDAC script rules).
## Related Tools/Techniques
- **MassLogger:** Malware sharing source code overlap with MassJacker, also utilizing JIT hooking.
- **Amadey Botnet:** Deployed as part of the MassJacker initial infection chain.
- **Clipper Malware/Cryware:** The functional category of MassJacker, designed for cryptocurrency theft via clipboard manipulation.