OpcJacker is a new type of malware that has been spotted in the wild since the second half of 2022. This malware is part of a malvertising campaign, and its main functions include keylogging, taking screenshots, stealing sensitive data from browsers, loading additional modules, and replacing cryptocurrency addresses in the clipboard for hijacking purposes. The initial vector of the campaign involves a network of fake websites advertising seemingly innocuous software and cryptocurrency-related applications. The February 2023 campaign specifically targeted users in Iran under the pretext of offering a VPN service. The installer files for the VPN service act as a conduit to deploy OpcJacker, which is also capable of delivering next-stage payloads such as NetSupport RAT and a hidden virtual network computing (hVNC) variant for remote access. OpcJacker is concealed using a crypter known as Babadeda and makes use of a configuration file to activate its data harvesting functions. It can also run arbitrary shellcode and executables. Given the malware's ability to steal crypto funds from wallets, the campaigns are suspected to be financially motivated. That said, OpcJacker's versatility also makes it an ideal malware loader.
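The clipboard hijacking described above works by silently swapping a copied cryptocurrency address for a different one before the user pastes it. The following detection logic is an added example written for this summary, not code from the original report or from the malware itself: it compares what the user copied with what the clipboard later holds and raises an alert when a wallet address of the same type has been substituted. The address patterns, the event format, and all sample addresses are constructed for the demonstration and are not indicators from the campaign.

```python
import re
from dataclasses import dataclass

# Loose format checks for two common address families (constructed for the
# example; production validators should also verify the address checksum).
ADDRESS_PATTERNS = {
    "bitcoin": re.compile(
        r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{25,62})$"
    ),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify_address(text):
    """Return the address family name for text, or None if it is not an address."""
    candidate = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(candidate):
            return name
    return None


@dataclass
class ClipboardEvent:
    # "user": the user explicitly copied this value (e.g. hooked copy command).
    # "poll": a periodic read of the clipboard's current contents.
    source: str
    content: str


def detect_clipboard_swaps(events):
    """Return (expected, observed, family) for each detected address substitution.

    A swap is flagged when the last user-copied value is a wallet address and a
    later clipboard read holds a different address of the same family, which is
    exactly the behaviour of a clipper that rewrites addresses in place.
    """
    alerts = []
    last_user_copy = None
    last_observed = None
    for event in events:
        if event.source == "user":
            last_user_copy = event.content
            last_observed = event.content
            continue
        if last_user_copy is None or event.content == last_observed:
            continue
        last_observed = event.content
        family = classify_address(last_user_copy)
        if family is None:
            continue  # user copied ordinary text; a change is not a clipper signal
        if event.content != last_user_copy and classify_address(event.content) == family:
            alerts.append((last_user_copy, event.content, family))
    return alerts


# Constructed sample addresses (not real wallets, not campaign indicators).
USER_BTC = "1UserCoinsForDemoXXXXXXXXXXXX"
SWAPPED_BTC = "1FakeSwapAddrForDemoXXXXXXXXX"
USER_ETH = "0x" + "ab" * 20
SWAPPED_ETH = "0x" + "cd" * 20


def sample_events():
    """A constructed clipboard timeline containing two substitutions."""
    return [
        ClipboardEvent("user", USER_BTC),
        ClipboardEvent("poll", USER_BTC),      # unchanged: benign
        ClipboardEvent("poll", SWAPPED_BTC),   # rewritten to another BTC address
        ClipboardEvent("user", "meeting notes"),
        ClipboardEvent("poll", "meeting notes"),
        ClipboardEvent("user", USER_ETH),
        ClipboardEvent("poll", SWAPPED_ETH),   # rewritten to another ETH address
    ]


if __name__ == "__main__":
    for expected, observed, family in detect_clipboard_swaps(sample_events()):
        print(f"ALERT [{family}] clipboard changed from {expected} to {observed}")
```

Only a same-family replacement is flagged, because a user replacing a Bitcoin address with unrelated text is normal activity, while an address silently turning into a different address of the same kind is the clipper signature. On a real endpoint the "poll" events would come from reading the clipboard on a timer and the "user" events from the copy action itself.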