The primary target of the OpcJacker Crypto malware campaign are unsuspecting users in Iran who were tricked into downloading an archive file that contained the novel Opcjacker malware.
Trend Micro cybersecurity researchers discovered a new malvertising campaign in February 2023 targeting Iranian users and distributing Opcjacker malware. They dubbed the malware Opcjacker due to its opcode configuration design and cryptocurrency-stealing capabilities.
The use of VPNs in malvertising attacks against Iranian users should not be surprising. In October 2022, Iranian hackers were spreading “RatMilad” Android spyware disguised as a VPN app.
MORE CONTEXT
- Iranian group hacking VPNs for “Fox Kitten Campaign”
- Phones of Iran’s protest detainees targeted with spyware
- VPN malvertising hits Persian speakers Baháʼí faith followers
VPN Malvertising Attack Drops Opcjacker
The campaign works through a network of fake websites that promote harmless-looking crypto apps and other software. In the newly analyzed sample, malvertisements were hidden inside a genuine VPN app. Users in Iran were tricked into downloading an archive file that contained the novel Opcjacker malware.
How Does the Attack Work?
Malware loads automatically by patching a legit DLL library in an installed program, which loads the next malicious DLL library. This library eventually runs the shellcode that contains the loader and runner of another malicious app. This app is different from Opcjacker as it has been assembled from data chunks stored in files of WAV, CHM, and other formats.
Analyzing Opcjacker
Researchers noted that Opcjacker is a novel and interesting malware. Its configuration file has a custom file format resembling custom virtual machine code that outlines the stealer’s behaviour.
In the configuration file, researchers found numeric hexadecimal identifiers that force the malware to perform certain functions and make it difficult for researchers to identify the malware’s code flow.
“The configuration file format resembles a bytecode written in a custom machine language, where each instruction is parsed, individual opcodes are obtained, and then the specific handler is executed,” researchers wrote in the report.
Opcjacker’s Capabilities and Functionalities
In this campaign, scammers have concealed Opcjacker through a crypter called Babadeda. It uses the configuration file for activating the malware’s data-stealing capabilities, running arbitrary shellcode, and other executables.
The malware’s functions include capturing screenshots, keylogging, loading new modules, stealing private/sensitive user data from browsers, and hijacking cryptocurrency wallets by replacing addresses in the clipboard.
In addition, Opcjacker can deliver next-stage payloads like NetSupport RAT along with an hVNC (hidden virtual network computing) variant to allow the attacker remote access.
Researchers believe the campaign is financially motivated because Opcjacker can steal cryptocurrency. The malware is being distributed in the wild since at least mid-2022 in different malvertising campaigns but it is still evolving and under active development.