New MassJacker malware is hijacking digital wallets to steal large sums from users


A new malware campaign is quietly redirecting cryptocurrency payments into wallets controlled by the attackers, and it has already moved hundreds of thousands of dollars.

As reported by The Hacker News, the malware, called MassJacker, is a type of cryware known as a clipper, and it is being pushed to users searching for pirated software online.

Instead of the pirated software, victims end up with a clipper: malware that steals cryptocurrency by watching the infected machine's clipboard and swapping any copied wallet address for one controlled by the attackers behind the campaign. Because long wallet addresses are almost always pasted rather than typed, the swap goes unnoticed unless the pasted address is checked before the transaction is sent.

According to a new report from CyberArk, the infection chain starts at pesktop[.]com, a site commonly used to acquire pirated software that also tries to infect visitors with multiple types of malware. The initial MassJacker executable acts as a conduit: it runs a PowerShell script for the Amadey botnet malware and two .NET binaries, one of which is codenamed PackerE.

PackerE downloads an encrypted DLL, which in turn loads a second malicious file that launches the MassJacker payload by injecting it into InstallUtil.exe, a legitimate Windows .NET utility. The encrypted DLL carries several anti-analysis features, including Just-In-Time (JIT) hooking, metadata token mapping, and a custom virtual machine.
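Two behaviours in that chain are visible to endpoint telemetry: a remote thread has to be created in InstallUtil.exe to get the payload running there, and the payload later talks to a server for its wallet lists, which a plain InstallUtil.exe run has no reason to do. The following detection pass is an added example written for this article, not a rule from CyberArk's report. It runs three heuristics over a handful of constructed Sysmon-style events (the field names EventID, Image, ParentImage, TargetImage, CommandLine and DestinationIp are Sysmon's; the events, paths and IP addresses are made up for the example). Treating a launch of InstallUtil.exe with no assembly argument as suspicious is an assumption of the example, not something the report states.

```python
import ntpath
from typing import Dict, List, Tuple

Event = Dict[str, str]

# Constructed Sysmon-style events (a trimmed subset of fields), not real
# telemetry from an infected host. Event IDs follow Sysmon's numbering:
# 1 = process creation, 3 = network connection, 8 = CreateRemoteThread.
INSTALLUTIL = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
SAMPLE_EVENTS: List[Event] = [
    {"EventID": "1", "Image": INSTALLUTIL,
     "ParentImage": r"C:\Users\alice\Downloads\Setup.exe",
     "CommandLine": "InstallUtil.exe"},
    {"EventID": "8", "SourceImage": r"C:\Users\alice\Downloads\Setup.exe",
     "TargetImage": INSTALLUTIL},
    {"EventID": "3", "Image": INSTALLUTIL,
     "DestinationIp": "203.0.113.10", "DestinationPort": "443"},
    {"EventID": "3", "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "203.0.113.20", "DestinationPort": "443"},
    {"EventID": "1", "Image": INSTALLUTIL,
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"InstallUtil.exe /i C:\Contoso\Service.exe"},
]


def is_installutil(image: str) -> bool:
    # ntpath handles Windows paths on any host, so this also runs on Linux.
    return ntpath.basename(image).lower() == "installutil.exe"


def names_an_assembly(command_line: str) -> bool:
    """InstallUtil installs or uninstalls a .NET assembly, so a legitimate
    command line names one (a .exe or .dll path after the options).
    Assumption for this example: a launch with no assembly is suspect."""
    tokens = command_line.split()[1:]  # drop the executable itself
    return any(t.strip('"').lower().endswith((".exe", ".dll")) for t in tokens)


def detect(events: List[Event]) -> List[Tuple[str, Event]]:
    """Return (rule_name, event) pairs for events matching one of three
    heuristics: InstallUtil.exe started with nothing to install, a remote
    thread created inside InstallUtil.exe, or InstallUtil.exe opening a
    network connection."""
    hits: List[Tuple[str, Event]] = []
    for ev in events:
        eid = ev.get("EventID")
        if (eid == "1" and is_installutil(ev.get("Image", ""))
                and not names_an_assembly(ev.get("CommandLine", ""))):
            hits.append(("installutil_without_assembly", ev))
        elif eid == "8" and is_installutil(ev.get("TargetImage", "")):
            hits.append(("remote_thread_into_installutil", ev))
        elif eid == "3" and is_installutil(ev.get("Image", "")):
            hits.append(("installutil_network_connection", ev))
    return hits


if __name__ == "__main__":
    for rule, ev in detect(SAMPLE_EVENTS):
        print(rule, ev.get("Image") or ev.get("TargetImage"), ev.get("DestinationIp", ""))
```

On the sample data the first three events fire one rule each and the browser connection and the msiexec-driven install pass clean. In production the network rule is the one that needs tuning: some installers do run InstallUtil.exe custom actions that reach out, so scope it to user sessions or allow-list known installer parents rather than alerting on every connection.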

MassJacker also performs anti-debugging checks and retrieves a configuration containing regular-expression patterns for spotting cryptocurrency wallet addresses in the clipboard; it contacts a remote server to download files holding the threat actors' lists of wallets. According to CyberArk's researchers, it then registers an event handler that runs whenever anything is copied on the infected system. The handler tests the clipboard contents against the regexes and, on a match, simply replaces the copied address with one belonging to the attackers.
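The mechanism is small enough to show end to end. The simulation below is an added example written for this article, not MassJacker's code or CyberArk's: it models the clipboard as a plain object with change listeners, registers a handler that runs on every copy, and swaps matching addresses exactly as the paragraph above describes. The regex patterns, the attacker wallets and the user addresses are all constructed for the example (the patterns match the general shape of legacy and bech32 Bitcoin addresses and Ethereum addresses; MassJacker's real patterns and wallet lists are downloaded from its server and are not reproduced here). The `destination_matches` check at the end is the defender's side: the only thing that reliably catches a clipper is comparing the address about to be paid with the one you meant to use.

```python
import re
from typing import Callable, Dict, List

# Regex "configuration" for the address formats the clipper watches for.
# Constructed for this example; MassJacker's patterns are not reproduced.
ADDRESS_PATTERNS: Dict[str, re.Pattern] = {
    "btc_legacy": re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b"),
    "btc_bech32": re.compile(r"\bbc1[ac-hj-np-z02-9]{38,58}\b"),
    "eth":        re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
}

# Wallets the attacker wants victims to pay into. Constructed placeholders
# shaped like real addresses; they are not MassJacker wallets.
ATTACKER_WALLETS: Dict[str, str] = {
    "btc_legacy": "3Z9Y8X7W6V5U4T3S2R1Q9P8N7M6K5J4H3G2",
    "btc_bech32": "bc1qz5y4x3w2v0u9t8s7r6q5p4n3m2k0j9h8g7f6e5d4c3a2",
    "eth":        "0x" + "c0ffee" * 6 + "0000",
}

# Constructed victim addresses used as sample input.
USER_ETH = "0x" + "1234567890abcdef" * 2 + "12345678"
USER_BTC = "1A1B2C3D4E5F6G7H8J9K1M2N3P4Q5R6S7T8"


class Clipboard:
    """Minimal stand-in for the OS clipboard: one text value plus listeners
    that are notified whenever a program copies something."""

    def __init__(self) -> None:
        self._text = ""
        self._listeners: List[Callable[["Clipboard"], None]] = []

    def add_listener(self, fn: Callable[["Clipboard"], None]) -> None:
        self._listeners.append(fn)

    def copy(self, text: str) -> None:
        """What Ctrl+C does: store the text, then fire every listener."""
        self._text = text
        for fn in list(self._listeners):
            fn(self)

    def overwrite(self, text: str) -> None:
        """Replace the contents without firing listeners, so the clipper
        does not re-trigger on its own write."""
        self._text = text

    def paste(self) -> str:
        return self._text


def clipper_handler(clip: Clipboard) -> None:
    """The malicious clipboard-update handler: test the copied text against
    each configured pattern and, on the first match, swap the address."""
    content = clip.paste()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.search(content):
            clip.overwrite(pattern.sub(ATTACKER_WALLETS[name], content))
            return


def destination_matches(intended: str, pasted: str) -> bool:
    """The defender's check, done before signing: the address about to be
    paid must equal the intended one, character for character."""
    return intended.strip() == pasted.strip()


def simulate(address: str, infected: bool) -> Dict[str, object]:
    """Copy `address` on a clean or infected machine and report what lands
    in the paste buffer and whether the intended destination survived."""
    clip = Clipboard()
    if infected:
        clip.add_listener(clipper_handler)
    clip.copy(address)
    pasted = clip.paste()
    return {"pasted": pasted, "tampered": not destination_matches(address, pasted)}


if __name__ == "__main__":
    for infected in (False, True):
        result = simulate(USER_ETH, infected)
        print(f"infected={infected}: pasted={result['pasted']} tampered={result['tampered']}")
```

Note that the handler replaces the address wherever it appears, so an address embedded in a pasted message ("please pay ... by Friday") is swapped just as a bare address is, and only the address changes, which is why the rest of the text gives no hint that anything happened.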

CyberArk says it has identified 778,531 addresses belonging to the threat actors behind MassJacker, of which only 423 currently hold funds, totaling roughly $95,300. Funds that passed through those wallets before being moved elsewhere amount to approximately $336,700. One wallet alone held cryptocurrency worth about $87,000, fed by more than 350 transactions from different addresses.

It is not yet known who is behind MassJacker, though its source code overlaps with the MassLogger malware, which also used JIT hooking to resist analysis.

How to stay safe from clipper malware


Like some other malware strains, a MassJacker infection is avoidable. Its only known delivery route so far is pirated software, so not downloading it removes your exposure to this campaign, at least for now. Clippers in general can arrive by other routes, though, so the habits below are worth keeping regardless.

To keep your devices protected from malware that can slip through the cracks though, you should be using the best antivirus software on your Windows PC or the best Mac antivirus software on your Apple computer. These security programs continually scan all of your existing files and any new ones you try to download for malware.

As for keeping your cryptocurrency transactions safe, it might be worth investing in one of the best laptops or even one of the best computers and using that machine solely for crypto. This might sound drastic, but keeping the rest of your online activity separate from your crypto transactions protects your funds from malware like MassJacker and from phishing attacks designed to steal your recovery phrase. That phrase should be saved the old-fashioned way, on a piece of paper in a secure location, rather than on your computer or in one of the best password managers.

Whatever machine you use, the one habit that defeats a clipper is cheap: after pasting a wallet address, compare it with the address you intended to send to, checking the whole string rather than just the first few characters, and if you use a hardware wallet confirm the same address on its screen before approving. A swapped address only pays off for the attacker if nobody looks at it.

Since recovering lost cryptocurrency is almost impossible, hackers will likely continue to target crypto users online. This is why you need to be extra careful and practice excellent cyber hygiene when dealing with digital currencies.


Amber Bouman
Senior Editor, Security

Amber Bouman is the senior security editor at Tom's Guide where she writes about antivirus software, home security, identity theft and more. She has long had an interest in personal security, both online and off, and also has an appreciation for martial arts and edged weapons. With over two decades of experience working in tech journalism, Amber has written for a number of publications including PC World, Maximum PC, Tech Hive, and Engadget covering everything from smartphones to smart breast pumps. 

