OpcJacker Malware Uses Fake VPN to Spread

Cybersecurity researchers have identified a new information-stealing malware, dubbed OpcJacker, that has been active since the second half of 2022. According to Trend Micro, it can log keystrokes, take screenshots, steal sensitive data from web browsers, load additional modules, and replace cryptocurrency addresses in the clipboard in order to hijack transactions.

The malware is distributed through a network of fake websites advertising seemingly harmless software and cryptocurrency-related applications. The most recent campaign, in February 2023, targeted users in Iran by posing as a VPN service.

Once downloaded and run, the installer deploys OpcJacker, which can in turn fetch further payloads such as NetSupport RAT and a hidden virtual network computing (hVNC) variant to give the attackers remote access. The malware is packed with a crypter called Babadeda to evade detection, and it can execute arbitrary shellcode and executables.

In the February 2023 campaign, OpcJacker was spread through malvertisements aimed specifically at users in Iran. The ads led to a malicious website made to look like a legitimate VPN vendor's site: its content was copied from a reputable commercial VPN service, but the download links were altered to point to an attacker-controlled site hosting the malware.

The lookalike site checked the visitor's IP address to determine whether it belonged to a VPN service. Only visitors whose IP address was not a VPN address were redirected to a second attacker-controlled site, which tried to persuade them to download an archive file containing OpcJacker. A visitor who was already connected through a VPN was not served the payload, so the attack did not proceed for them.

How Can Infostealing Malware like OpcJacker Compromise Your Digital Security?

Infostealing malware like OpcJacker compromises your digital security in several ways. First, it arrives inside an installer that the victim runs deliberately, believing it to be legitimate software, and its crypter-packed payload is built to slip past anti-virus and anti-malware scanning. Once running, it can log keystrokes, capture screenshots, and steal data saved in your web browsers, exposing login credentials, credit card details, and other personal data.

Moreover, OpcJacker watches the clipboard and silently replaces any cryptocurrency wallet address it finds with one the attacker controls. A victim who copies a recipient's address and pastes it into a transaction sends the funds to the attacker's wallet instead of the intended recipient's, and because the transfer cannot be reversed, the loss is permanent.
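As an added example (not OpcJacker's code, nor any vendor's detection tool), the following Python sketches the check a clipboard monitor can make to catch this kind of swap: it records what the user deliberately copied, polls what the clipboard actually contains, and raises an alert when a wallet address has been replaced by a different address of the same kind with no user copy in between. The event stream, the wallet addresses and the `detect_clipper_swaps` helper are all constructed for illustration; a real monitor would feed the same function from an OS clipboard-change listener and a copy-hotkey hook.

```python
"""Heuristic clipper detection over a stream of clipboard observations.

Constructed example. Events are (source, text) pairs:
  "user" = the user pressed copy; text is what they intended to put on
           the clipboard
  "poll" = what the clipboard actually holds a moment later
A real monitor would obtain these from the OS; here they are hand-built
so the logic runs offline.
"""
import re

# Loose syntax checks for common wallet address formats (constructed,
# not exhaustive). Base58 excludes 0, O, I and l; bech32 excludes b, i, o, 1.
ADDRESS_PATTERNS = {
    "btc-legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc-bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{6,87}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def address_kind(text):
    """Return the address family text looks like, or None if it is not one."""
    text = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return kind
    return None


def detect_clipper_swaps(events):
    """Flag polls where a copied wallet address became a different address
    of the same family without the user copying anything new.

    Returns a list of alert dicts; an empty list means nothing suspicious.
    """
    expected = None  # last text the user deliberately copied
    alerts = []
    for source, text in events:
        if source == "user":
            expected = text
            continue
        if expected is None or text == expected:
            continue  # nothing copied yet, or clipboard untouched
        kind_expected = address_kind(expected)
        kind_seen = address_kind(text)
        # The clipper signature: same address family, different value.
        # A change to non-address text (user copied elsewhere, another
        # app wrote the clipboard) is not treated as a swap.
        if kind_expected and kind_seen == kind_expected:
            alerts.append({"kind": kind_seen, "copied": expected, "found": text})
            expected = text  # do not re-alert on every later poll
    return alerts


# Constructed addresses and event stream (not real wallets).
VICTIM_BTC = "1VictimAddrXYZabc123456789ABCDEFGH"
SWAPPED_BTC = "1AttackerAddrXYZabc123456789ABCDEF"
VICTIM_ETH = "0x" + "0123456789abcdef" * 2 + "01234567"
SWAPPED_ETH = "0x" + "fedcba9876543210" * 2 + "fedcba98"

SAMPLE_EVENTS = [
    ("user", "meeting notes for Tuesday"),
    ("poll", "meeting notes for Tuesday"),     # benign: unchanged
    ("user", VICTIM_BTC),
    ("poll", SWAPPED_BTC),                     # clipper replaced it
    ("poll", SWAPPED_BTC),                     # same swap, no second alert
    ("user", VICTIM_ETH),
    ("poll", VICTIM_ETH),                      # untouched on this poll
    ("poll", SWAPPED_ETH),                     # replaced on a later poll
    ("user", VICTIM_ETH),
    ("poll", "https://example.invalid/page"),  # non-address: not flagged
]

if __name__ == "__main__":
    for alert in detect_clipper_swaps(SAMPLE_EVENTS):
        print(f"[{alert['kind']}] copied {alert['copied']} but clipboard holds {alert['found']}")
```

The heuristic deliberately ignores changes to non-address text, which keeps false positives down when other applications legitimately write to the clipboard; the cost is that a clipper which swaps an address for one of a different family would not be caught, which is acceptable because such a swap would also fail at the wallet software.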

Furthermore, OpcJacker can drop additional payloads such as NetSupport RAT and hVNC, which give the attacker remote access to your device. From there they can take control of the machine, steal more information, and even enlist it in a botnet to carry out further attacks.

To reduce the risk from infostealers like OpcJacker, keep your anti-virus and anti-malware software up to date, download software only from the vendor's official site rather than from advertisements or search results, avoid clicking on suspicious links and attachments, use a reputable VPN service, verify a pasted wallet address character by character before confirming a cryptocurrency transaction, and back up your data regularly to limit the impact of an infection.

April 4, 2023