A new piece of information-stealing malware called OpcJacker has been observed in the wild since the second half of 2022 as part of a malvertising campaign.
“OpcJacker’s main functions include keylogging, taking screenshots, stealing sensitive data from browsers, loading additional modules, and replacing cryptocurrency addresses in the clipboard for hijacking purposes,” Trend Micro researchers Jaromir Horejsi and Joseph C. Chen said.
The initial vector of the campaign involves a network of fake websites advertising seemingly innocuous software and cryptocurrency-related applications. The February 2023 campaign specifically singled out users in Iran under the pretext of offering a VPN service.
The installer files act as a conduit to deploy OpcJacker, which is also capable of delivering next-stage payloads such as NetSupport RAT and a hidden virtual network computing (hVNC) variant for remote access.
OpcJacker is concealed using a crypter called Babadeda and uses a configuration file to activate its data harvesting functions. It can also run arbitrary shellcode and executables.
“The configuration file format resembles a bytecode written in a custom machine language, where each instruction is parsed, individual opcodes are obtained, and then the specific handler is executed,” Trend Micro said.
Given the malware’s ability to steal crypto funds from wallets, the campaigns are suspected to be financially motivated. That said, OpcJacker’s versatility also makes it a good malware loader.
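The clipboard address swapping described above has a simple behavioural signature: the clipboard goes from one cryptocurrency address to a different address of the same format within a fraction of a second, faster than a person can copy. The following detector is an added example, not code from the original article or from Trend Micro; the address patterns are loose placeholders and the clipboard snapshots are constructed sample data.

```python
import re

# Loose patterns for two commonly hijacked address formats (assumption: not exhaustive,
# and not a validity check, only good enough to classify clipboard text).
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,59})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def address_kind(text):
    """Return 'btc', 'eth' or None depending on which address pattern the text matches."""
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text.strip()):
            return kind
    return None


def detect_clipboard_swaps(snapshots, max_gap_seconds=2.0):
    """snapshots: list of (timestamp_seconds, clipboard_text) taken by a clipboard monitor.

    Flags a swap when an address is replaced by a *different* address of the same
    kind within max_gap_seconds. Returns a list of (timestamp, old, new, kind).
    """
    alerts = []
    for (t_prev, prev), (t_cur, cur) in zip(snapshots, snapshots[1:]):
        kind = address_kind(prev)
        if kind is None or cur.strip() == prev.strip():
            continue  # previous value was not an address, or nothing changed
        if address_kind(cur) == kind and (t_cur - t_prev) <= max_gap_seconds:
            alerts.append((t_cur, prev.strip(), cur.strip(), kind))
    return alerts


# Constructed sample clipboard history (none of these are real wallet addresses).
SAMPLE_SNAPSHOTS = [
    (0.0, "meeting notes for Friday"),
    (5.0, "1ConstructedSourceAddrForDemoABC123"),      # user copies a BTC-style address
    (5.4, "1FakeSwapTargetAddrConstructedXYZ12"),      # replaced 400 ms later: hijack signature
    (60.0, "0x1111111111111111111111111111111111111111"),  # ETH-style address copied
    (125.0, "0x2222222222222222222222222222222222222222"),  # different address, minutes later: normal
]

if __name__ == "__main__":
    for t, old, new, kind in detect_clipboard_swaps(SAMPLE_SNAPSHOTS):
        print(f"t={t}s possible {kind} clipboard swap: {old} -> {new}")
```

A real monitor would feed live clipboard reads into `detect_clipboard_swaps`; the threshold trades false positives from fast manual copying against missing slower swaps.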
The findings come as Securonix disclosed details of an ongoing attack campaign dubbed TACTICAL#OCTOPUS that targets U.S. entities with tax-themed lures to infect them with backdoors, gaining access to victim systems as well as capturing clipboard data and keystrokes.
In a related development, Italian and French users searching for cracked versions of PC maintenance software such as EaseUS Partition Master and Driver Easy Pro on YouTube are being redirected to Blogger pages distributing the NullMixer dropper.
NullMixer also stands out for simultaneously dropping a wide variety of off-the-shelf malware, including PseudoManuscrypt, Raccoon Stealer, GCleaner, Fabookie, and a new malware loader called Crashtech Loader, leading to large-scale infections.