Cryptocurrency experts detect large-scale phishing with 778,000 fake cryptocurrency wallets
CyberArk specialists have detected a large-scale MassJacker cyberattack, in which attackers use more than 778,000 fake cryptocurrency wallets to redirect digital assets to their accounts.
At the time of the study, 423 wallets with $95,300 were identified, but transaction analysis indicates much larger losses. The central hub of the scheme is a wallet on the Solana network, which has already received more than $300,000.
MassJacker is "clipper"-type malware: it monitors the clipboard and automatically replaces copied crypto wallet addresses with malicious ones. Victims of the attack mistakenly transfer funds to the hackers' accounts instead of where they intended.
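The address swap described above leaves a recognizable trace in clipboard history: one address-shaped value is replaced by a different address of the same type faster than a person could copy a new one. The following is an added example, not code from CyberArk's report; the event format, the 2-second window and the simplified address patterns are assumptions, and the sample addresses are constructed.

```python
import re

# Simplified address shapes (assumptions for this example, not full validators).
ADDRESS_PATTERNS = [
    ("btc", re.compile(r"^(bc1[a-z0-9]{25,59}|[13][1-9A-HJ-NP-Za-km-z]{25,34})$")),
    ("eth", re.compile(r"^0x[0-9a-fA-F]{40}$")),
    ("sol", re.compile(r"^[1-9A-HJ-NP-Za-km-z]{32,44}$")),
]

def address_type(text):
    """Return 'btc', 'eth', 'sol', or None if text is not address-shaped."""
    value = text.strip()
    for name, pattern in ADDRESS_PATTERNS:
        if pattern.match(value):
            return name
    return None

def find_swaps(events, window_s=2.0):
    """Flag clipboard changes where an address is replaced by a different
    address of the same type within window_s seconds.

    events: iterable of (unix_timestamp, clipboard_text) in time order.
    """
    alerts = []
    prev_ts = prev_text = prev_type = None
    for ts, text in events:
        cur_type = address_type(text)
        if (cur_type and cur_type == prev_type
                and text.strip() != prev_text.strip()
                and ts - prev_ts <= window_s):
            alerts.append({"time": ts, "type": cur_type,
                           "copied": prev_text.strip(),
                           "replaced_by": text.strip()})
        prev_ts, prev_text, prev_type = ts, text, cur_type
    return alerts

# Constructed clipboard history; the addresses are made-up strings of the right shape.
SAMPLE_EVENTS = [
    (100.0, "meeting notes"),
    (130.0, "0x" + "ab12" * 10),   # user copies an ETH-shaped address
    (130.2, "0x" + "cd34" * 10),   # replaced 200 ms later: flagged
    (400.0, "0x" + "ef56" * 10),   # new copy minutes later: not flagged
    (600.0, "4" + "Ab" * 20),      # user copies a Solana-shaped address
    (600.1, "7" + "Cd" * 20),      # replaced 100 ms later: flagged
]

if __name__ == "__main__":
    for alert in find_swaps(SAMPLE_EVENTS):
        print(alert)
```

The rule is a heuristic: it keys on timing and address type only, so it should feed an alert for review rather than block the paste outright.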
The virus is spread via the website pesktop[.]com, which hosts pirated software and malicious files. After downloading the infected installer, a script is launched that activates the Amadey botnet and two downloaders, PackerE and PackerD1. The latter contains mechanisms to protect against detection, including hiding function calls and a virtual machine to execute commands. As a result, MassJacker is injected into the legitimate Windows InstallUtil.exe process, which makes it difficult for antiviruses to detect.
The analysis showed that MassJacker has similarities with another malware, MassLogger. They use the same protection methods and similar attack mechanisms, which may indicate the activities of the same group of hackers.
CyberArk urges cybersecurity professionals to pay attention to this threat, because although the stolen amounts may seem small, the attack can provide valuable information about the methods of cybercriminals and their large-scale campaigns.