A new information-stealing malware called OpcJacker has been identified. It has been circulating since the second half of 2022 as part of a malvertising campaign, similar to other cryptojacking campaigns seen in the past.
OpcJacker: what it does and how it works
“OpcJacker’s main functions include keylogging, taking screenshots, stealing sensitive data from browsers, loading add-ons, and replacing cryptocurrency addresses in the clipboard for hijacking purposes,” Trend Micro researchers Jaromir Horejsi and Joseph C. Chen stated.
The initial vector of the campaign involves a network of fake websites advertising seemingly harmless software and applications related to cryptocurrencies. The February 2023 campaign specifically targeted users in Iran under the guise of offering a VPN service (basically a fake VPN service).
The installation files act as a conduit to deploy OpcJacker, which is also capable of delivering next-stage payloads such as NetSupport RAT and a hidden virtual network computing (hVNC) variant for remote access.
OpcJacker is cloaked using an encryptor known as Babadeda and makes use of a configuration file to activate its data collection functions. It is capable of executing shellcode and arbitrary executable files.
“The format of the configuration file resembles bytecode written in a custom machine language, where each instruction is parsed, individual opcodes are obtained, and then the specific handler is executed,” Trend Micro said.
Given the malware’s capabilities to steal crypto funds from wallets, the campaigns are suspected to be financially motivated. That said, OpcJacker’s versatility also makes it an ideal malware loader.
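The clipboard address replacement described above (a "clipper") can be spotted from the defender's side with a simple heuristic: a person rarely copies two different wallet addresses of the same coin within a few seconds, whereas a clipper swaps the address right after it lands in the clipboard. The following is an added example, not code from Trend Micro's report or from the malware itself; it assumes clipboard snapshots arrive as constructed (timestamp, text) samples and checks only a small illustrative subset of address formats.

```python
import re
from dataclasses import dataclass

# Illustrative address formats (assumption: a small subset, enough for the demo).
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{39,59})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

@dataclass
class ClipboardSample:
    t: float   # seconds since monitoring started (constructed timestamps)
    text: str  # clipboard contents observed at that instant

def address_type(text: str):
    # Return "btc", "eth" or None for a clipboard string.
    s = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(s):
            return name
    return None

def detect_clipboard_swaps(samples, window: float = 5.0):
    """Flag (time, old, new) where an address was replaced by a different
    address of the same coin within `window` seconds of being copied."""
    alerts = []
    last = None  # (time, address, type) of the most recent address seen
    for sample in samples:
        kind = address_type(sample.text)
        if kind is None:
            last = None  # non-address content breaks the chain
            continue
        addr = sample.text.strip()
        if last and last[2] == kind and last[1] != addr and sample.t - last[0] <= window:
            alerts.append((sample.t, last[1], addr))
        last = (sample.t, addr, kind)
    return alerts

# Constructed clipboard timeline: two fast swaps, one slow legitimate change.
BTC_A = "1AaBbCcDdEeFfGgHhJjKkLmMnNoPpQqRrS"
BTC_B = "1ZzYyXxWwVvUuTtSsRrQqPpNnMmLkKjJhH"
ETH_A, ETH_B = "0x" + "ab" * 20, "0x" + "cd" * 20
SAMPLES = [
    ClipboardSample(0.0, "meeting notes"),
    ClipboardSample(1.0, BTC_A), ClipboardSample(1.5, BTC_B),      # swapped -> alert
    ClipboardSample(30.0, ETH_A), ClipboardSample(31.0, ETH_B),    # swapped -> alert
    ClipboardSample(100.0, BTC_A), ClipboardSample(120.0, BTC_B),  # 20 s apart -> no alert
]
```

On a real endpoint the samples would come from polling the clipboard; the window is the tunable that trades false positives for detection speed.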
These findings come as Securonix revealed details about an ongoing attack campaign called TACTICAL#OCTOPUS, which targets US organizations with tax-themed lures to infect them with a backdoor, gain access to victims’ systems, and capture clipboard data and keystrokes.
In another related development, Italian and French users who search on YouTube for cracked versions of PC maintenance software like EaseUS Partition Master and Driver Easy Pro are redirected to Blogger pages that distribute the NullMixer dropper.
NullMixer also stands out in that it simultaneously drops a wide range of prepackaged malware, including PseudoManuscrypt, Raccoon Stealer, GCleaner, Fabookie, and a new malware loader called Crashtech Loader, leading to large-scale infections.
In conclusion: how do we defend ourselves against similar problems?
To protect your devices and sensitive data, it is important to adopt some good cybersecurity practices, such as using up-to-date antivirus and firewall software, only installing applications from trusted sources, and creating strong and unique passwords for each account.
Furthermore, it is important to avoid clicking on suspicious links or opening email attachments from unknown senders, and to continuously monitor your devices for suspicious activity. In case of a suspected malware infection, it is advisable to immediately disconnect the device from the network, run a full antivirus scan, and remove any suspicious or unauthorized software. In the event of data damage or loss, it is important to have a data backup and recovery plan in place.
Finally, it is advisable to always keep up to date with the latest cyber threats and cyber security best practices.
So I recommend: browse calmly, but still pay attention.