OpcJacker is a modular malware discovered in late 2022 that uses a custom VM-like configuration to conceal its logic and load additional payloads. It combines credential theft, clipboard hijacking for cryptocurrency, keylogging, screen capture, and remote-loader capabilities, delivered via fake VPN/malvertising campaigns and ISO/ZIP installers.
#OpcJacker #BabadedaCrypter #NetSupportRAT #hVNC #PhobosCrypter #PhobosRansomware #Iran
Key points
- OpcJacker has been distributed since the second half of 2022 and uses a custom file format that resembles VM code to define its behavior, making analysis harder.
- Primary capabilities include keylogging, screenshots, browser data theft, and clipboard-based cryptocurrency address replacement (clipper).
- The malware is loaded by patching a legitimate DLL within an installed app, then loading another malicious DLL that runs shellcode and OpcJacker from data-file chunks (loader/cryptor chain).
- Delivery involves fake websites and malvertising, with Iran geotargeting; campaigns push fake crypto apps/VPN and deliver OpcJacker via archives (ISO/RAR/ZIP).
- OpcJacker drops or downloads remote-access modules (NetSupport RAT or hVNC) and can load the Phobos Crypter/Phobos ransomware payloads.
- The malware implements persistence (registry, startup, task scheduler) and includes a clipper, keylogger, and capabilities to load embedded RAT modules; it also enumerates cryptocurrency wallet extensions and browsers.
MITRE Techniques
- [T1547.001] Registry Run Keys/Startup Folder – Uses startup registry keys to achieve persistence. Quote: “Used for persistence (registry; HKCU)”
- [T1053.005] Scheduled Task – Uses the Windows Task Scheduler for persistence. Quote: “Used for persistence (task scheduler)”
- [T1574.001] DLL Search Order Hijacking – Patches a legitimate DLL in an installed application to load a malicious DLL. Quote: “patching a legitimate DLL library within an installed application, which loads another malicious DLL library”
- [T1027] Obfuscated/Compressed Files and Information – Configuration uses a custom VM-like bytecode to hide behavior. Quote: “The format resembles custom virtual machine code, where numeric hexadecimal identifiers … make the stealer run desired functions.”
- [T1021.001] Remote Services: VNC – Embedded hVNC variant used as a remote access tool. Quote: “remote access tools — either the NetSupport RAT or a hidden virtual network computing (hVNC) variant.”
- [T1105] Ingress Tool Transfer – Loader drops/downloads and runs additional modules (remote-access tools). Quote: “the malware … drops (or downloads) and runs additional modules, which are remote access tools”
- [T1056.001] Keylogging – The stealer includes a keylogger, exposed as one of its configuration handler functions. Quote: “Starts keylogger”
- [T1113] Screen Capture – The malware can take screenshots. Quote: “Writes to screenshots”
- [T1115] Clipboard Data – Clipboard hijacking to replace cryptocurrency addresses. Quote: “monitors the clipboard for cryptocurrency addresses and replaces them with the attackers’ addresses”
- [T1555.003] Credentials from Web Browsers – Steals data from browsers. Quote: “stealing sensitive data from browsers”
Indicators of Compromise
- [File Name] context – RawDigger.exe, mdb.dll, librawf.dll, libpushpp.dll, TradingViewDesktop.zip (and 2 more files)
- [Hash] context – 18DF68D1581C11130C139FA52ABB74DFD098A9AF698A250645D6A4A65EFCBF2D, 49A568F8AC11173E3A0D76CFF6BC1D4B9BDF2C35C6D8570177422F142DCFDBE3
- [Archive] context – CLF_security.iso, TradingViewDesktop.zip, XDag.x64.rar (and 2 more archives)