Cybersecurity specialists have uncovered OpcJacker, a new malware strain that has been targeting cryptocurrency users since mid-2022.
This malicious software spreads via counterfeit VPN services and uses a unique configuration approach to make analyzing its code flow challenging for experts.
The malware's primary functions include recording user input, capturing screenshots, stealing sensitive browser data, loading extra modules, and swapping cryptocurrency addresses in the clipboard to hijack transactions. Researchers have observed that the malicious software is disseminated through various schemes, including those that disguise it as cryptocurrency-related applications or legitimate software.
Earlier this year, fraudulent ads aimed at Iranian users impersonated legitimate VPN services. Victims were deceived into downloading a malware-infected archive file by being redirected to a compromised website.
The malware operates by modifying a legitimate library within an installed application, which subsequently loads another harmful library.
This library assembles and executes shellcode responsible for loading and running the malware from data chunks stored in different file formats.
The loader, which has been active for over a year, underwent minor modifications before incorporating an entirely new payload consisting of data-stealing and hijacking capabilities.
Users are advised to be cautious when downloading VPN services or cryptocurrency-related applications from unfamiliar websites.
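The clipboard address swapping described above leaves a recognizable trace: an address-shaped clipboard value is replaced by a different address of the same type almost immediately. The following detection heuristic is an added example, not code from the researchers or the article; the simplified address patterns, the two-second window, and the (timestamp, text) event format are assumptions.

```python
import re

# Simplified address shapes (assumption: the article does not list targeted coins).
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"[13][a-km-zA-HJ-NP-Z1-9]{25,34}"),
    "btc_bech32": re.compile(r"bc1[ac-hj-np-z02-9]{11,71}"),
    "eth": re.compile(r"0x[0-9a-fA-F]{40}"),
}

def address_kind(text):
    """Return the pattern name if the whole clipboard text is one address."""
    value = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.fullmatch(value):
            return kind
    return None

def find_swaps(events, window=2.0):
    """Flag address -> different address of the same kind within `window` seconds.

    events: list of (timestamp_seconds, clipboard_text), oldest first.
    """
    alerts = []
    prev_ts, prev_text, prev_kind = None, None, None
    for ts, text in events:
        kind = address_kind(text)
        if (kind and kind == prev_kind and text.strip() != prev_text.strip()
                and ts - prev_ts <= window):
            alerts.append({"at": ts, "kind": kind,
                           "copied": prev_text.strip(), "now": text.strip()})
        prev_ts, prev_text, prev_kind = ts, text, kind
    return alerts

# Constructed sample: clipboard snapshots as a monitoring agent might record them.
SAMPLE_EVENTS = [
    (10.0, "meeting notes"),
    (42.0, "0x" + "ab" * 20),   # user copies a payee address
    (42.3, "0x" + "cd" * 20),   # replaced 0.3 s later: suspicious
    (90.0, "1" + "A" * 30),     # user copies another address
    (300.0, "1" + "B" * 30),    # different address minutes later: normal use
]

if __name__ == "__main__":
    for alert in find_swaps(SAMPLE_EVENTS):
        print(alert)
```

The time window is what separates a swap from a user copying two addresses in a row; tune it to the polling interval of whatever records the clipboard events.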