A new malicious campaign has been observed spreading a versatile information-stealer malware called OpcJacker. In addition to its cryptocurrency-hijacking abilities, it acts as a keylogger and a loader for additional malware payloads. Thus allowing its operators to do further damage to a victim beyond just stealing data.
What's happening?
Researchers from Trend Micro revealed that the recent OpcJacker campaign has been luring and targeting internet users in Iran since February, pretending to offer a VPN service.
- The malware is capable of stealing cryptocurrency from wallets, indicating that it is a financially-driven operation.
- It allows the attacker to take screenshots, steal sensitive data from popular web browsers, load additional modules, and replace any cryptocurrency address in the clipboard with that of the attacker’s address (called Pastejacking).
- Another interesting aspect of this malware is the use of a custom file format for configuration. It is similar to the custom virtual machine code using numeric hexadecimal identifiers, which are difficult for researchers to analyze.
Infection chain
The attack begins with malicious advertisements related to VPN services, shown specifically to people in Iran via geofencing.
- The users are urged to visit fake websites to download an archive file, containing the OpcJacker executable.
- The malware is loaded via DLL sideloading, targeting a legitimate DLL of an already installed application to load another malicious DLL library.
- This malicious DLL library then compiles and executes another shellcode to download the Babadeda crypter, along with OpcJacker.
- OpcJacker loader further drops and executes additional modules, including NetSupport RAT and the Phobos Crypter, used to load the Phobos ransomware.
Concluding notes
Although designed as an info-stealer malware, its developers have smartly equipped OpcJacker with loader and keylogging abilities, making it useful for multiple scenarios. Moreover, the use of a VM-like design pattern makes it more versatile. Possibly its operators are trying to make it popular before offering it as a MaaS in the near future. Experts believe that such malware with multiple capabilities is more likely to get popular among adversaries within a short duration of time.
Publisher
/https://cyware-ent.s3.amazonaws.com/image_bank/a89a_banner_for_blog-01.png)
/https://cyware-ent.s3.amazonaws.com/image_bank/f9e2_Shutterstock_1378498457.jpg)
