
OpcJacker Malware

OpcJacker is a new malware that was first discovered in the second half of 2022 as part of a malvertising campaign. This threat is designed to steal sensitive information from users by employing various malicious tactics.

One of the primary functions of OpcJacker is keylogging, which involves recording every keystroke that a user makes on their computer. This can include sensitive information such as passwords, credit card numbers, and other personal data. Additionally, OpcJacker is capable of taking screenshots of the user's computer screen, allowing it to capture any sensitive information that is displayed on the screen.

OpcJacker Targets Victims' Cryptowallets

OpcJacker is also designed to steal sensitive data from web browsers. This can include saved login credentials, browsing history, and other personal data that is stored in the browser's cache. The malware is also capable of loading additional modules, which can be used to further exploit the user's computer.

One particularly insidious feature of OpcJacker is its ability to replace cryptocurrency addresses in the user's clipboard. This allows the malware to hijack any cryptocurrency transactions that the user attempts to make, which can result in significant financial losses for the victim.
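The clipboard-swap behaviour described above has a simple defensive signature: an address-shaped value is replaced by a different address of the same family without the user copying anything. The following Python is an added illustration written for this page, not code from the OpcJacker analysis or from any product. It assumes a hypothetical monitor that records clipboard snapshots as `ClipboardEvent` objects with a `source` field ("user" when the change coincided with a copy action, "unknown" otherwise); the address patterns are approximate shape checks, and the sample events are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Approximate address shapes (constructed for this example, not exhaustive):
# - Bitcoin legacy/P2SH (base58, starts with 1 or 3, no 0/O/I/l)
# - Bitcoin bech32 (starts with bc1, lowercase charset without 1/b/i/o)
# - Ethereum (0x followed by 40 hex digits)
ADDRESS_PATTERNS = {
    "btc_base58": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{38,58}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify_address(text: str) -> Optional[str]:
    """Return the address family a clipboard value looks like, or None."""
    value = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(value):
            return name
    return None


@dataclass
class ClipboardEvent:
    ts: float       # seconds since monitoring started
    source: str     # "user" if the change coincided with a copy action, else "unknown" (assumed field)
    content: str


@dataclass
class SwapAlert:
    ts: float
    family: str
    original: str
    replacement: str


def detect_clipboard_swaps(events: List[ClipboardEvent], window_s: float = 2.0) -> List[SwapAlert]:
    """Flag a clipboard change where an address-shaped value is replaced by a
    different address of the same family, shortly afterwards and not by the user.
    The time window is a noise filter; the primary signal is the missing user action."""
    alerts: List[SwapAlert] = []
    for prev, cur in zip(events, events[1:]):
        fam_prev = classify_address(prev.content)
        fam_cur = classify_address(cur.content)
        if fam_prev is None or fam_cur != fam_prev:
            continue                      # not an address-to-same-family transition
        if prev.content.strip() == cur.content.strip():
            continue                      # same value re-copied, nothing swapped
        if cur.source == "user":
            continue                      # the user deliberately copied a new address
        if cur.ts - prev.ts > window_s:
            continue                      # too far apart to look like an automatic swap
        alerts.append(SwapAlert(cur.ts, fam_prev, prev.content.strip(), cur.content.strip()))
    return alerts


# Constructed sample clipboard history (all addresses are made up).
SAMPLE_EVENTS = [
    ClipboardEvent(0.0, "user", "meeting notes"),
    ClipboardEvent(5.0, "user", "0x1111111111111111111111111111111111111111"),     # user copies an ETH address
    ClipboardEvent(5.3, "unknown", "0x2222222222222222222222222222222222222222"),  # replaced without a copy action
    ClipboardEvent(20.0, "user", "1AbcDefGhJkLmNpQrStUvWxYz23456789a"),             # user copies a BTC address
    ClipboardEvent(40.0, "user", "1AbcDefGhJkLmNpQrStUvWxYz23456789a"),             # same value again, not a swap
    ClipboardEvent(60.0, "user", "bc1q" + "z" * 38),                                  # different family, not a swap
]

if __name__ == "__main__":
    for alert in detect_clipboard_swaps(SAMPLE_EVENTS):
        print(f"[{alert.ts:6.1f}s] {alert.family} address changed from "
              f"{alert.original} to {alert.replacement} without a user copy")
```

Run stand-alone, the script reports exactly one suspicious transition, the Ethereum address replaced 0.3 seconds after the user copied it. Feeding the detector from a real clipboard requires OS-specific hooks and a way to correlate changes with copy keystrokes, which the page does not describe; the point of the example is the decision logic, which can also be applied after the fact to a recorded clipboard history.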

Attack Chain of the OpcJacker Malware

In February 2023, a new malware campaign surfaced that targeted users in Iran using a network of fake websites advertising seemingly harmless software and cryptocurrency-related applications. The campaign was designed to lure unsuspecting users into downloading an installer file posing as a VPN app that acts as a conduit for deploying the OpcJacker malware.

The OpcJacker malware is concealed using a crypter called Babadeda, which allows it to evade detection from anti-malware software. Once installed, the malware deploys additional payloads, such as the NetSupport RAT and a hidden virtual network computing (hVNC) variant, which enables remote access to the victim's computer.

To activate its data harvesting functions, OpcJacker uses a configuration file and can also run arbitrary shellcode commands as well as executable files. Its ability to hide its presence and deliver additional payloads makes OpcJacker a dangerous malware that can cause severe damage to both individuals and organizations. It is crucial to be vigilant when downloading software from unverified sources and to have a reliable antivirus solution to protect against such threats.
