A new piece of information-stealing malware called OpcJacker has been seen in the wild since the second half of 2022 as part of a malvertising campaign.
“OpcJacker’s main functions include keylogging, taking screenshots, stealing sensitive data from browsers, loading additional modules, and changing cryptocurrency addresses in the clipboard for piracy purposes,” Trend Micro researchers Jaromir Horejsi and Joseph C. Chen said.
The campaign’s initial vector involved a network of fake websites advertising seemingly harmless software and cryptocurrency-related applications. The February 2023 campaign specifically singled out users in Iran under the pretext of offering a VPN service.
The installer file acts as a conduit for deploying OpcJacker, which is also capable of delivering next-stage payloads such as the NetSupport RAT and a hidden virtual network computing (HVNC) variant for remote access.
OpcJacker is hidden using a crypter known as Babadeda and uses a configuration file to enable its data-harvesting functionality. It can also run arbitrary shellcode and executables.
“The configuration file format resembles bytecode written in a special machine language, where each instruction is parsed, each opcode is obtained, and then a special handler is executed,” says Trend Micro.
Given the malware’s ability to steal cryptocurrency funds from wallets, the campaign is believed to be financially motivated. Nonetheless, OpcJacker’s versatility also makes it well suited for use as a malware loader.
The finding comes as Securonix reveals details of an ongoing attack campaign tracked as TACTICAL#OCTOPUS, which targets US entities with tax-themed lures to infect them with backdoors that give access to victims’ systems and capture clipboard data and keystrokes.
In a related development, Italian and French users searching on YouTube for cracked versions of PC maintenance software such as EaseUS Partition Master and Driver Easy Pro were redirected to Blogger pages that distribute the NullMixer dropper.
NullMixer also stands out for simultaneously dropping a wide variety of ready-to-use malware, including PseudoManuscrypt, Raccoon Stealer, GCleaner, Fabookie, and a new malware loader known as Crashtech Loader, resulting in large-scale infections.