New “OpcJacker” Malware Includes Infostealing and Crypto Wallet Replacing Capabilities

Trend Micro researchers recently reported a new malware titled “OpcJacker.”

Context

On March 29, 2023, Trend Micro security researchers reported a new malware they named “OpcJacker.” According to the report, OpcJacker includes multiple capabilities such as:

  • Keylogging
  • Taking screenshots
  • Stealing sensitive data from browsers
  • Loading additional modules
  • Replacing cryptocurrency addresses in the clipboard for hijacking purposes
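The last capability above, swapping a wallet address sitting in the clipboard, is the one a defender can catch behaviourally: a valid-looking address is replaced by a different address of the same coin type within a fraction of a second, by a process the user did not interact with. The heuristic below is an added example and not code from Trend Micro's report; the `ClipboardEvent` fields, process names and addresses are constructed for the demo, and the address regexes are simplified shape checks rather than checksum validation.

```python
import re
from dataclasses import dataclass

# Simplified shape checks for the two most commonly clipped address formats.
# These do NOT validate checksums; they only decide "looks like a BTC/ETH address".
ADDRESS_PATTERNS = {
    "BTC": re.compile(r"^(bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "ETH": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

@dataclass
class ClipboardEvent:
    ts: float    # seconds since monitor start
    text: str    # clipboard content after the change
    owner: str   # process that set the clipboard (hypothetical field from a clipboard monitor)

def classify(text):
    """Return 'BTC', 'ETH' or None depending on which address shape the text matches."""
    for coin, pat in ADDRESS_PATTERNS.items():
        if pat.match(text.strip()):
            return coin
    return None

def detect_clipper_swaps(events, window=2.0):
    """Flag consecutive clipboard changes where an address is replaced by a different
    address of the same coin type, within `window` seconds, by a different process."""
    alerts = []
    for prev, cur in zip(events, events[1:]):
        coin_prev, coin_cur = classify(prev.text), classify(cur.text)
        if (coin_prev and coin_prev == coin_cur and prev.text != cur.text
                and cur.ts - prev.ts <= window and cur.owner != prev.owner):
            alerts.append((coin_cur, prev.text, cur.text, cur.owner))
    return alerts

# Constructed sample addresses: shape-valid placeholders, not real wallets.
USER_BTC = "bc1q" + "a" * 38
SWAP_BTC = "bc1q" + "b" * 38
USER_ETH = "0x" + "1" * 40
LATER_ETH = "0x" + "2" * 40

# Constructed clipboard timeline: one swap by a hypothetical clipper, one benign re-copy.
SAMPLE_EVENTS = [
    ClipboardEvent(10.0, USER_BTC, "browser.exe"),   # user copies their own address
    ClipboardEvent(10.3, SWAP_BTC, "updater.exe"),   # different process rewrites it 300 ms later
    ClipboardEvent(60.0, USER_ETH, "browser.exe"),   # later, unrelated copy
    ClipboardEvent(95.0, LATER_ETH, "browser.exe"),  # same process, 35 s gap: not a swap
]

def run_demo():
    return detect_clipper_swaps(SAMPLE_EVENTS)
```

Feeding real events into this requires a platform clipboard listener (not included here); the detection logic itself is independent of how the events are collected.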

Trend Micro researchers assessed that:

  • The primary objective of the malware is to steal cryptocurrency from wallets, and
  • OpcJacker could still be in development and testing stages, based on test-related IDs found in the analyzed samples

Technical Details

Trend Micro researchers reported multiple campaigns delivering OpcJacker via fake virtual private network (VPN) advertisements. According to researchers, “The malware is loaded by patching a legitimate DLL library within an installed application, which loads another malicious DLL library.”

Additionally, researchers reported that “OpcJacker mostly drops (or downloads) and runs additional modules, which are remote access tools — either the NetSupport RAT or a hidden virtual network computing (hVNC) variant.”

IOCs

Trend Micro researchers provided the following indicators of compromise (IOCs):

