The infostealer is distributed through malicious ads and poses as harmless software.
Trend Micro is reporting a new malware sample, OpcJacker, that has been found in the wild since the second half of 2022 during a malicious ad campaign.
According to Trend Micro, the main features of OpcJacker include:
recording keystrokes (keylogging);
stealing sensitive data from browsers;
loading additional modules;
replacing cryptocurrency wallet addresses in the clipboard to hijack transactions.
The initial attack vector includes a network of fake websites advertising software and applications related to cryptocurrency. A campaign in February 2023 targeted users in Iran under the guise of providing VPN services.
The installer files serve as the delivery channel for OpcJacker, which can also drop next-stage payloads such as NetSupport RAT and an hVNC component for remote access.
OpcJacker conceals itself using the Babadeda ransomware and relies on a configuration file to enable its data-collection features. The malware can also execute arbitrary shellcode and executable files.
"The configuration file format resembles bytecode written in a special machine language, where each instruction is parsed, individual opcodes are obtained, and then a specific handler is executed," Trend Micro said in a statement.
Given the malware's ability to steal cryptocurrency from wallets, the campaign is presumed to be financially motivated. OpcJacker's versatility, however, also makes it an effective malware downloader.
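The clipboard-hijacking feature listed above (silently replacing a copied wallet address with the attacker's) is something a defender can detect from clipboard telemetry. The following is an added example, not code from the Trend Micro report or from OpcJacker itself: it runs over a constructed clipboard event log and flags a non-user write that replaces an address the user just copied with a different address of the same family. The event format, the `window_s` threshold and the sample addresses are assumptions for illustration.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed clipboard event: (timestamp_seconds, source, content).
# "user" marks a copy the user performed; "unknown" marks a write by any other
# process, which is what a clipboard-swapping stealer produces.
ClipEvent = Tuple[float, str, str]

# Rough shape checks for common wallet address families (assumed patterns).
WALLET_PATTERNS = {
    "btc": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}"
                      r"|bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{25,87})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

def wallet_type(text: str) -> Optional[str]:
    """Return the wallet family the text looks like, or None."""
    text = text.strip()
    for name, pattern in WALLET_PATTERNS.items():
        if pattern.match(text):
            return name
    return None

def detect_swaps(events: List[ClipEvent], window_s: float = 5.0) -> List[Dict]:
    """Flag non-user clipboard writes that replace a wallet address the user
    copied within the last window_s seconds with a different address."""
    alerts: List[Dict] = []
    last_user: Optional[ClipEvent] = None
    for ts, source, content in events:
        kind = wallet_type(content)
        if source == "user":
            # Only remember user copies that actually look like an address.
            last_user = (ts, source, content) if kind else None
            continue
        if last_user is None or kind is None:
            continue
        user_ts, _, user_addr = last_user
        if (kind == wallet_type(user_addr) and content.strip() != user_addr.strip()
                and ts - user_ts <= window_s):
            alerts.append({"at": ts, "family": kind,
                           "expected": user_addr.strip(), "observed": content.strip()})
            last_user = None  # one alert per user copy
    return alerts

# Constructed sample log: one hijack inside the window, one write outside it.
SAMPLE_EVENTS: List[ClipEvent] = [
    (0.0, "user", "hello world"),
    (1.0, "user", "0x" + "a" * 40),      # user copies an ETH address
    (1.2, "unknown", "0x" + "b" * 40),   # another process overwrites it
    (10.0, "user", "0x" + "c" * 40),
    (30.0, "unknown", "0x" + "d" * 40),  # too late to be tied to the copy
]
```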