Some cyber attacks begin with a dangerous email landing in your inbox; others take a more direct, brute-force approach, or exploit multiple zero-day vulnerabilities in Windows. Sometimes, however, they begin with you and your actions, such as the password reuse attack, or, as in the case of MassJacker, with greed that can cost you dearly. MassJacker attacks begin with a search for the wrong thing.
MassJacker Attacks Start With A Dangerous Search
Be careful what you search for: that should be the primary takeaway from this disturbing tale of malware and crypto theft, which all begins with what can only be described as a less than harmless search. I’m old enough to remember when pirated software, in particular Amiga games, was distributed on floppy disk through the postal service in Jiffy bags, to people who had signed up with a cracking crew on one bulletin board or another. The practice was dangerous even then, with computer viruses and even the first ransomware coming along for the ride. Now, of course, things are much simpler for those who would save money on their software: all it takes is a search engine and a click to reach a website where you can download the booty. Simpler, but still dangerous. Such a search for pirated software is where the MassJacker attacks begin.
MassJacker is a previously unknown strain of clipboard-hijacking malware, which CyberArk, the threat analysts who recently discovered it, classifies as cryptojacking. According to Ari Novick, a malware researcher at CyberArk Labs who authored a report into the threat, people searching for pirated software who find themselves at a site operated by the MassJacker threat actors will soon be in a whole heap of trouble. The MassJacker malware download, should a victim take the bait, “executes a cmd script followed by a PowerShell script that downloads three more executables,” Novick said. All of this in order to pull off cryptocurrency theft. “Cryptojacking works,” Novick explained, “by replacing the addresses of crypto wallets copied by the user with ones belonging to the attacker in the clipboard.” The victim copies the address they mean to pay, the malware silently rewrites the clipboard, and unless the victim notices the substitution before confirming the transfer, the money goes to the attacker’s wallet. Novick warned that the CyberArk analysis had found at least 750,000 unique addresses in use by MassJacker, and that one of these wallets alone held around $300,000.
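To make the mechanism concrete, here is an added Python simulation of a clipper’s decision logic and the host-side check that catches it. This is example code written for this article, not CyberArk’s analysis tooling or anything taken from the MassJacker sample itself: the wallet addresses are constructed placeholders with a valid shape but no real funds, the regular expressions check format only (not the Base58Check or bech32 checksum), and the clipboard is represented by a plain string rather than the Windows clipboard API a real clipper hooks. It also shows why such a sample can sit idle in a sandbox: when the clipboard holds no wallet address, nothing happens.

```python
import re

# Format-only patterns for the address families a clipper typically targets.
# They check shape, not the Base58Check or bech32 checksum, which is all a
# clipper needs in order to decide whether the clipboard is worth hijacking.
ADDRESS_PATTERNS = {
    "btc-legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc-bech32": re.compile(r"^bc1[02-9ac-hj-np-z]{39,59}$"),
    "eth":        re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

# Constructed placeholder addresses: valid shape, not real wallets.
USER_BTC_LEGACY = "1Constructed5anp1eAddr2XyZ9mQ8wR4k"
USER_ETH = "0x" + "ab" * 20
ATTACKER_WALLETS = {
    "btc-legacy": "3AttackerWa11etXyz8Qm2Rt5Bn7Vc9Dd1",
    "btc-bech32": "bc1q" + "z" * 38,
    "eth":        "0x" + "cd" * 20,
}


def classify_address(text: str):
    """Return the address family `text` looks like, or None if it is not an address."""
    text = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return family
    return None


def clipper_hijack(clipboard: str, attacker_wallets: dict) -> str:
    """What MassJacker-style malware does on every clipboard update.

    If the clipboard holds a wallet address of a family the attacker has a
    wallet for, the attacker's address is written back in its place. Anything
    else (ordinary text, an unsupported family) is left untouched, which is why
    a sandbox that never copies an address sees no malicious behaviour.
    """
    family = classify_address(clipboard)
    if family in attacker_wallets:
        return attacker_wallets[family]
    return clipboard


def detect_hijack(copied: str, pasted: str) -> bool:
    """Host-side check: the text that was copied was a wallet address and what
    came back out of the clipboard is something else. A wallet front-end or an
    endpoint agent can run this comparison before a transaction is confirmed."""
    if classify_address(copied) is None:
        return False
    return copied.strip() != pasted.strip()


def simulate_transfer(copied: str, attacker_wallets: dict = ATTACKER_WALLETS):
    """Run one copy/paste round trip through the clipper and return
    (address the payment would go to, whether the hijack was detected)."""
    pasted = clipper_hijack(copied, attacker_wallets)
    return pasted, detect_hijack(copied, pasted)


if __name__ == "__main__":
    for sample in (USER_BTC_LEGACY, USER_ETH, "meeting notes for Tuesday"):
        destination, flagged = simulate_transfer(sample)
        print(f"copied={sample!r}\n  clipboard now={destination!r}\n  hijack detected={flagged}")
```

The practical lesson is in `detect_hijack`: the only reliable defence at the moment of payment is to compare the address you are about to send to against the one you intended to copy, character by character, because the substitution happens after the copy and before the paste, where neither the source website nor the wallet software can see it.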
Mitigating The MassJacker Dangerous Search Cryptojacking Threat
“This kind of malware isn’t nearly as famous as ransomware or even infostealer malware,” Novick said, adding that it’s possible there aren’t as many of them, or that they are not as profitable as other kinds of attack. “Another possibility is that they are more challenging to identify,” Novick continued, not least because a cryptojacker will only perform malicious behavior under very specific circumstances and so might go unnoticed in a sandbox.
Of course, mitigation against such attacks is still possible, and the number one mitigation on the list when it comes to MassJacker has to be: do not search for pirated software. Second is not to download software from sites offering pirated software. Third, because the substitution happens inside the clipboard, check that the address you paste into a wallet matches the one you copied, in full, before confirming any transfer. Pirated software is bad, m’kay.