Researchers at Trend Micro warn that a new information-stealing malware, tracked as OpcJacker, has been active since the second half of 2022 and is being spread through a malvertising campaign, The Hacker News reports.
According to the researchers, OpcJacker's initial distribution vector was online advertisements for software and cryptocurrency-related applications, as well as a VPN service offer targeting users in Iran. Running the advertised installer deploys OpcJacker, which can in turn drop NetSupport RAT and other payloads, as well as a hidden VNC (hVNC) variant that gives the operators remote access. The malware is packed with the Babadeda crypter and reads a configuration file that drives its data-harvesting functions.
"The configuration file format resembles a bytecode written in a custom machine language, where each instruction is parsed, individual opcodes are obtained, and then the specific handler is executed," Trend Micro said.
The malware's information-stealing functions include keylogging, stealing sensitive browser data, taking screenshots, and clipboard hijacking that swaps cryptocurrency addresses copied by the victim.
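To make the "bytecode-style" configuration described above concrete, here is an added illustrative interpreter in Python. It is not OpcJacker's code and not Trend Micro's analysis tooling: the instruction layout (1-byte opcode, 1-byte operand length, operand bytes), the opcode numbers, the handler names, the sample configuration and the wallet addresses are all assumed for illustration only. What it does show is the pattern the quote describes (walk the blob, extract each opcode, dispatch to a per-opcode handler) together with the checks a real parser needs (truncated instruction, unknown opcode), plus a small defensive check for the clipboard-swapping behaviour mentioned in the last paragraph.

```python
"""Illustrative interpreter for a bytecode-style malware configuration.

HYPOTHETICAL format, assumed for illustration and NOT OpcJacker's real one:
    instruction := opcode(1 byte) | operand_len(1 byte) | operand(operand_len bytes)
A parser walks the blob, reads each opcode, and hands the operand to a
handler looked up in a dispatch table, which is the structure Trend Micro's
description of the config ("opcodes ... specific handler is executed") implies.
"""
import re
import struct
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Opcode numbers below are invented for this example.
OP_SET_C2 = 0x01            # operand: UTF-8 C2 URL
OP_ENABLE_MODULE = 0x02     # operand: UTF-8 module name (keylog, browser, ...)
OP_CLIPBOARD_TARGET = 0x03  # operand: UTF-8 "<coin>:<replacement address>"
OP_SLEEP = 0x04             # operand: uint32 little-endian seconds
OP_END = 0xFF               # operand: empty; stops interpretation


@dataclass
class Config:
    c2: Optional[str] = None
    modules: List[str] = field(default_factory=list)
    clipboard_targets: Dict[str, str] = field(default_factory=dict)
    sleep_seconds: int = 0


def parse_instructions(blob: bytes):
    """Yield (opcode, operand) pairs; raise ValueError on truncated input."""
    i = 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError(f"truncated instruction header at offset {i}")
        opcode, length = blob[i], blob[i + 1]
        operand = blob[i + 2:i + 2 + length]
        if len(operand) != length:
            raise ValueError(f"truncated operand for opcode 0x{opcode:02x} at offset {i}")
        yield opcode, operand
        if opcode == OP_END:
            return
        i += 2 + length


# One handler per opcode: each receives the config being built and its operand.
def h_set_c2(cfg: Config, operand: bytes) -> None:
    cfg.c2 = operand.decode("utf-8")


def h_enable_module(cfg: Config, operand: bytes) -> None:
    cfg.modules.append(operand.decode("utf-8"))


def h_clipboard_target(cfg: Config, operand: bytes) -> None:
    coin, _, addr = operand.decode("utf-8").partition(":")
    if not coin or not addr:
        raise ValueError("malformed clipboard target operand")
    cfg.clipboard_targets[coin] = addr


def h_sleep(cfg: Config, operand: bytes) -> None:
    if len(operand) != 4:
        raise ValueError("sleep operand must be 4 bytes")
    cfg.sleep_seconds = struct.unpack("<I", operand)[0]


def h_end(cfg: Config, operand: bytes) -> None:
    pass


HANDLERS: Dict[int, Callable[[Config, bytes], None]] = {
    OP_SET_C2: h_set_c2,
    OP_ENABLE_MODULE: h_enable_module,
    OP_CLIPBOARD_TARGET: h_clipboard_target,
    OP_SLEEP: h_sleep,
    OP_END: h_end,
}


def interpret(blob: bytes) -> Config:
    """Parse the blob and run the handler for every opcode, building a Config."""
    cfg = Config()
    for opcode, operand in parse_instructions(blob):
        handler = HANDLERS.get(opcode)
        if handler is None:
            raise ValueError(f"unknown opcode 0x{opcode:02x}")
        handler(cfg, operand)
    return cfg


def encode(instructions) -> bytes:
    """Build a blob in the hypothetical format (used to construct sample input)."""
    out = bytearray()
    for opcode, operand in instructions:
        if len(operand) > 255:
            raise ValueError("operand too long for 1-byte length field")
        out += bytes([opcode, len(operand)]) + operand
    return bytes(out)


# Constructed sample addresses (syntactically bech32-like, not real wallets).
VICTIM_BTC = "bc1qvictim0wallet0address0copied0by0the0user0"
REPLACEMENT_BTC = "bc1qconstructed0replacement0address0for0demo"

# Constructed sample configuration blob.
SAMPLE_CONFIG = encode([
    (OP_SET_C2, b"https://c2.example.invalid/gate"),
    (OP_SLEEP, struct.pack("<I", 30)),
    (OP_ENABLE_MODULE, b"keylog"),
    (OP_ENABLE_MODULE, b"clipboard"),
    (OP_CLIPBOARD_TARGET, b"btc:" + REPLACEMENT_BTC.encode("utf-8")),
    (OP_END, b""),
])

# Loose BTC address shape (legacy/P2SH or bech32); good enough to spot a swap.
BTC_ADDRESS = re.compile(r"^(bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$")


def detect_clipboard_swap(copied: str, pasted: str) -> bool:
    """Defensive check: the user copied one plausible BTC address and a different
    plausible BTC address came back out of the clipboard, the hijacker's signature."""
    return copied != pasted and bool(BTC_ADDRESS.match(copied)) and bool(BTC_ADDRESS.match(pasted))


if __name__ == "__main__":
    print(interpret(SAMPLE_CONFIG))
    print("swap detected:", detect_clipboard_swap(VICTIM_BTC, REPLACEMENT_BTC))
```

The point of the dispatch-table layout is that an analyst reversing such a format works from the same two pieces: the instruction framing (so every instruction can be sliced out of the blob) and the opcode-to-handler table (so each opcode's effect is known). Recovering those two from a sample lets a config extractor be written once and run across every variant that reuses the format.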