Context
On March 29, 2023, Trend Micro security researchers reported a new malware they named “OpcJacker.” According to the report, OpcJacker includes multiple capabilities such as:
- Keylogging
- Taking screenshots
- Stealing sensitive data from browsers
- Loading additional modules
- Replacing cryptocurrency addresses in the clipboard for hijacking purposes
Trend Micro researchers assessed that:
- The primary objective of the malware is to steal cryptocurrency from wallets, and
- OpcJacker could still be in development and testing stages based on test-related test IDs in analyzed samples
Technical Details
Trend Micro researchers reported multiple campaigns delivering OpcJacker via fake virtual private network (VPN) advertisements. According to researchers, “The malware is loaded by patching a legitimate DLL library within an installed application, which loads another malicious DLL library.”
Additionally, researchers reported that “OpcJacker mostly drops (or downloads) and runs additional modules, which are remote access tools — either the NetSupport RAT or a hidden virtual network computing (hVNC) variant.”
IOCs
Trend Micro researchers provided the following indicators of compromise (IOCs):
| Indicator | Type | Notes |
| FEB3AB1217F993D9214B B0E1A9561709BD9A1172 CEEE719FA9051D9FA6AA 9622 |
SHA256 | Archive file (malvertising campaign) |
| 565EA7469F9769DD05C 925A3F3EF9A2F9756FF 1F35FD154107786BFC6 3703B52 |
SHA256 | Installer (malvertising campaign) |
| 13ED3739782EB2FEAE32 AA2176CD8B0C0B5F9E4 5259B1C22FFE960B5FEF 31FFC |
SHA256 | Patched DLL (malvertising campaign) |
| 7F29C4EE1CE8C8D3CD04 AC2BCEB9A48763900E4A A298368310F3CCD9C782D 86E |
SHA256 | Malicious DLL (malvertising campaign) |
| 09D3A3EAB810CD5DC37641 F4F74B6DE7F634589D68F6A 990B8F5296E4E48501D |
SHA256 | ISO file (older campaigns) |
| 388BBD8B592CEBE4A0A323 51969FE2E19E454AF24FF66 83524C71F74E0320AC0 |
SHA256 | ISO file (older campaigns) |
| 3DD172BF8A7E2985F8387 FFC4B6F2FC3EE05435B69A 43D714D3137D9A5147127 |
SHA256 | ISO file (older campaigns) |
| 5CFF2193811FF0103DD8F0 5ECDF3416164648468CBE7 E870594EEC57EDD87B1C |
SHA256 | ISO file (older campaigns) |
| 76B3D17196DD9E99EADD46 E8BC760EC8809A0C723F66 FB687AB8576DD1299E34 |
SHA256 | ISO file (older campaigns) |
| 8A32BF7E28FBA8461A44EFEB 77BBF61D13111EEC960EFCF2 7E088FB95D77D91E |
SHA256 | ISO file (older campaigns) |
| BE5ABB0C31679BE378F4BE5 D8D099F37E7DB1BBF3122BE 1F38F7DF2B086A0A02 |
SHA256 | ISO file (older campaigns) |
| C1DADB7ED2A9BA97B D440DCFC18519DA588 7F473D9F635A0975D7 42FA3F80EE6 |
SHA256 | ISO file (older campaigns) |
| EFB0BB2FA8929E4889E B982D7351E844AF05B7E FD0D0B721A2911D89F0A 66EEA |
SHA256 | ISO file (older campaigns) |
| 0097A6BDAC122BD4EEE A03142B319B96ED39 77D AC703D78EE98241C43BC 2C2C0 |
SHA256 | Installer (older campaigns) |
| 0A64984C1E2454458CF52D72 8710966F523887C64CD575B7 E20287A55ECE37E2 |
SHA256 | Installer (older campaigns) |
| 0B2498C984C35D8C485D 64CBD146ACAA25B2E05A CFAE76EFC2776E72DE05 EB0F |
SHA256 | Installer (older campaigns) |
| 350180B0AF74453BE42B8 965DCBC09849B2D73A7A3 E40050CD894F24DD280C38 |
SHA256 | Installer (older campaigns) |
| 35CB687175871C875E741370 29AEE73373E125F76666A9846 92DCB47B4FCDB18 |
SHA256 | Installer (older campaigns) |
| 371EB99803DF2CA6481EADD 40E176BC3E968238B11D0D7 B1001B97455FF4BBE1 |
SHA256 | Installer (older campaigns) |
| 3743A76F5A4A709236CCAC3 9DA482154ABBCEE35A8DDA8 0230304E44620307B0 |
SHA256 | Installer (older campaigns) |
| 609E04639A80A270FCB125 48B6F3C03F9AE34B4589051 20B3765B9FAF48E6FAF |
SHA256 | Installer (older campaigns) |
| 68F54DA86189841C040DBFD 3BF1985492C621AD99B62DF8 95A16D5DB900B4968 |
SHA256 | Installer (older campaigns) |
| 6BF95E99682B1BA114A6A63 9F20715BC10A316E3C6B79A 12C83E105E94FBF373 |
SHA256 | Installer (older campaigns) |
| 7749809E7BEC6CDE04B8042D7 C6A4212ADBDD71C73AA32E900 4784D7D44C5457 |
SHA256 | Installer (older campaigns) |
| 7829B07BEA9AB1972FE61112 DDD95AF2320349B97EFC05756 177DAF92D34A0EE |
SHA256 | Installer (older campaigns) |
| 813C56703736EB752B2A63 ED823E7C17C40E12A1A7000 4298DE9CC2C3DFD8CCC |
SHA256 | Installer (older campaigns) |
| 8E61894BDBD5E1C817754A EBE6AFC705D81E1D70EB330 E59DE419810985566DE |
SHA256 | Installer (older campaigns) |
| 900007491002DEBE93C5FB130 D7514AFE7EE3B84EC33494D75 C0E575F1A0982D |
SHA256 | Installer (older campaigns) |
| 955F6130CECB2012644699E6 AD37AC60DBAD7214DFAAC79 FD2A771451DA5F158 |
SHA256 | Installer (older campaigns) |
| A7729778CFC1C739A7C9DF267 AC7A6378A595140A6238C82B7 CE2F08BB49589B |
SHA256 | Installer (older campaigns) |
| A8E36C87B13E47B622E49D47 5449C892C9DD52BD496AE865 3B4804A8CE7E1C7F |
SHA256 | Installer (older campaigns) |
| AAE49AA30FF57D97291D3 783A1717B3D80E1F67291A 04BCF13B158F733C4274C |
SHA256 | Installer (older campaigns) |
| AECE788681D2A7A3BC76F 78C65EC5418138DBD 1F08BC042C4EF18C8294 6795C2 |
SHA256 | Installer (older campaigns) |
| AF7DDAA90B42EDD1D35FAD9 C1C81D5E0548B0C40B38F23B C2E2ED3E8EE8DB03F |
SHA256 | Installer (older campaigns) |
| B6B7C1D52D9D6A3EF0734851 45E49D36EAFAC70CB0C8E0C94 EEDC115CD4A25EE |
SHA256 | Installer (older campaigns) |
| B715F22A9E37049D09B06 C26CA899C4BE3C6C21386 F70D6D357B3BD481EE1794 |
SHA256 | Installer (older campaigns) |
| C5B499E886D8E86D0D85D 0F73BC760516E7476442D 3DEF2FEEADE417926F04A5 |
SHA256 | Installer (older campaigns) |
| F0778EF6A8D569A4C3E0C23 97CFC3B46C8A34AFA2CB56B 1211AD9EA7DD962299 |
SHA256 | Installer (older campaigns) |
| FFE9068A2C192FF8BBE3D70 49D56FB3BA459C3822B5603 6E3EED7F5C07E118E1 |
SHA256 | Installer (older campaigns) |
| 0489E667F339A52B6804D2F553 53C7DE8CC50FCE6A6CA1F98C81 A2D78657EB85 |
SHA256 | Patched DLL (older campaigns) |
| F210954C65B90A47BE99CD8B9 77900E7A6CB6F04D5BA48FD8B3 15E586FF1F195 |
SHA256 | Patched DLL (older campaigns) |
| A9FB96412E739F17075ED1DBA6 B0E4442E0EFCE06B33F657ECDF C33F115FF676 |
SHA256 | Patched DLL (older campaigns) |
| 98390078ED7D1077C07C09F2C50 80465CB1B9AAC191CD554CC416F 63D9A24B87 |
SHA256 | Patched DLL (older campaigns) |
| 4B5FDA9D2CE0C3DAE68CF1 F0CF8805B25D547F4FF9F68 8C7DCF77C997A602C73 |
SHA256 | Patched DLL (older campaigns) |
| CFCE71839B1F7ACA5E32FB7 2905F6E3AC4569982B47164 EF25CD912699476811 |
SHA256 | Patched DLL (older campaigns) |
| 13ED3739782EB2FEAE32AA 2176CD8B0C0B5F9E45259B1 C22FFE960B5FEF31FFC |
SHA256 | Patched DLL (older campaigns) |
| 3E55BC263F473177EF12DB880 21597A370E1A305EA33576E220 D36E19671A430 |
SHA256 | Patched DLL (older campaigns) |
| 79CB81C74B994B2B2DD351BB 567C82E64C666192E25B8D571 D00CAFFD3FDEF76 |
SHA256 | Patched DLL (older campaigns) |
| 032D251F6FCD1B095792 AFFA73FCAB72E3DD13E CE54B4B6F72E16EBE3B8 5E583 |
SHA256 | Patched DLL (older campaigns) |
| D2729637265D3247B8872371A 8579E3E042519EDEA0CED83 C512163F66DF554A |
SHA256 | Patched DLL (older campaigns) |
| 26E2637290A5691DAD106 FF1A0B1F23A3D6E5527655 B0791FFB2AA4449ADE855 |
SHA256 | Patched DLL (older campaigns) |
| 49D9182FFBBAFBEB634C 15548A00931A9465E17B1D C5CAEE995C56B70FA33EC2 |
SHA256 | Patched DLL (older campaigns) |
| F13E014CE258DC5FF00E43 BD274751F773DF0EEFD69E 44EF7EE4CE45461CC5E0 |
SHA256 | Patched DLL (older campaigns) |
| 1D3581DAA5E60802B7A3382 A03B1447A3F69593C6CD09C 1FD4F3FEDA862042D4 |
SHA256 | Patched DLL (older campaigns) |
| 47B616DC8CAFC75E8A975 F2DF508539AA0CC41C328 539F243D0FE93AFE25136D |
SHA256 | Patched DLL (older campaigns) |
| 1E75C0AACF39257B626018 EBB4A6C790E29BB47FA17 76E9099C5B0028BBD564B |
SHA256 | Patched DLL (older campaigns) |
| E00B8B5AE5A8437186BCFB 4115E2466590753F8C268609 E5D62FD7F438C7FAAE |
SHA256 | Patched DLL (older campaigns) |
| 4705E0AB85C59D783E2094 45AD57B402ACB6CD999CCD A82B9BFAA185C10948EE |
SHA256 | Patched DLL (older campaigns) |
| B42BCB8ACBA2822D71A84 608EE5DA3C8CF80530EB0 D09F74D7F12CBEBBEBB599 |
SHA256 | Patched DLL (older campaigns) |
| 87EB8BC7404A7F7019DDA0589 6831F77649479DBE761AC1EFC 8AF37E4EA2BCB0 |
SHA256 | Patched DLL (older campaigns) |
| 221F766BBF6705BB502A9ABB 1E6AD363A3A10DAF08404360 5F069AC38E86528C |
SHA256 | Patched DLL (older campaigns) |
| A533CA19AD0F98FFC58C461A FC3E7612F297135762252ED78 F8BE82E71BE31E9 |
SHA256 | Patched DLL (older campaigns) |
| F46076AA03B64DA37D0C3E9A 6B336FE276E60B0288C9351F7 089B0605057323D |
SHA256 | Patched DLL (older campaigns) |
| 07A0873764FE9150252B56A84 BACEE9D62FDF1F4529B1C92E9 263A6314DBED7B |
SHA256 | Malicious DLL (older campaigns) |
| F210B8D8E984DF19B27FB6184 ED0212467C219B418B94B0100 3D5E6C11EFDEF3 |
SHA256 | Malicious DLL (older campaigns) |
| 653D4CA3DF3C44D7CCF87 6FBFECBC32C09462A0F72 830CB3DEE57118F3097661 |
SHA256 | Malicious DLL (older campaigns) |
| BB65B98C75ADE7CBBF05 D35E7A15B3C220F6E2C32 62A5103F4D0844D1409289E |
SHA256 | Malicious DLL (older campaigns) |
| E74FA53CC4580D18DEF6E2 F27CCCE51C8B9634D3532F5 406F6DD7DC7D0E15157 |
SHA256 | Malicious DLL (older campaigns) |
| 2B45D9E7E9DA3D024C989 1C43DC06C155A8A71A4BD F9B6A0EB522EAB2744275B |
SHA256 | Malicious DLL (older campaigns) |
| F31FDEAEB4D38D2E3D3C5 994BD65C87A669B7530933 DE881319FA07830B5ADC4 |
SHA256 | Malicious DLL (older campaigns) |
| F5FE3540415B9CDA7AE2F 580ADAE1B8B40990C0974 1ED3CFE36A9BAFFFDC192A |
SHA256 | Malicious DLL (older campaigns) |
| 968FB7C732D99D45C39685C F5F30C104BE13EC50E3789D 68405A333B9000A812 |
SHA256 | Malicious DLL (older campaigns) |
| CF95BDFD3A75F32AB964210 4AEE2AB879E90A4B7914329 51C360029815FF577F |
SHA256 | Malicious DLL (older campaigns) |
| 7BA2FD9C4DD159B1CFC9C 693826EE10C2FBB6922E08 DAB5AA7EF2CAA60C1EADC |
SHA256 | Malicious DLL (older campaigns) |
| BA94BFE5BCF3197F1E571AD A6B710C4267283C596C0963 5182597DD46018043E |
SHA256 | Malicious DLL (older campaigns) |
| 85E9F28BC839619CF1DF3EC 9115CDA40741D2D169BAA93 FC8144A8957D23AA88 |
SHA256 | Malicious DLL (older campaigns) |
| A37B3818A1706D3003C41EE 30B6DFA9A2B3E6898B71B2D 00497889A1EB91A7E9 |
SHA256 | Malicious DLL (older campaigns) |
| 09BD3D062D2F57BB82C47857 298278578464CECAB1F29B1B 8CBBA83F5AB9A3DE |
SHA256 | Malicious DLL (older campaigns) |
| ECAF6DA2A4DBE72FCA16B9A 758ED0BC2751884D93154112 85555D8781617EF58 |
SHA256 | Malicious DLL (older campaigns) |
| 37EA5C9C4779619E5F8E5 46C920BDAAF192B29E974 36B82F77ED25D55BE23E8C |
SHA256 | Malicious DLL (older campaigns) |
| 0E0502F9945A3A874387E6 5A49C9BBB9F19F51CD9A5E 96448ECAF24F62C67DD0 |
SHA256 | Malicious DLL (older campaigns) |
| 74081C1779AFC036E4DD3BA 17111829F1E98FF2DD090362 E290359C8E4322188 |
SHA256 | Malicious DLL (older campaigns) |
| 79F868FD318B66B0B9374 A32C8FB5CE5488D5418EF2 66E269CDECB56857387FF |
SHA256 | OpcJacker |
| 2C0D6A36293A0EA88E7 B6D23845755D8A3AC39E BF04944ACBE82EEF25576 53B7 |
SHA256 | NetSupport RAT |
| C1C8FDEC79FE2C133C1B C0790EAC7D01E86A0216 A3FBEC2FFA05597727225657 |
SHA256 | NetSupport RAT |
| 682E839E84C8510B3F47 28743C34277CB22A5B8A16 BC09E7757615B453D6C10E |
SHA256 | NetSupport RAT |
| F991735AA2FD2511053 D615B56A59CAA3DCDED FCEA82D6D42512A07AED DB6DBF |
SHA256 | NetSupport RAT |
| ADCBABBC51D07202087 B6D5911EFF2ADA0D128 E85F252B8B954535C3DB 1460C0 |
SHA256 | NetSupport RAT |
| 938F2A778F092950D73C4 F84BF7916A8AE48DC38A9 2ED3A2D2403D9EC8327E6C |
SHA256 | NetSupport RAT |
| 708C2A26A836ABF057F0 C03FE174DCB9E3044C36 3845C93A1F233552160AD480 |
SHA256 | NetSupport RAT downloader |
| C68096EB0A655924CA840 EA1C71F9372AC055F299B5 2335AD10DDFA835F3633D |
SHA256 | NetSupport RAT downloader |
| BBB8373549079C5FCF5B78 A2A68CDF314D5814AAD5FD D2F3493D0BC3929993E1 |
SHA256 | NetSupport RAT downloader |
| 1ADE68B2AC855730719 E36BC46A981082E99A FB67670F0A00AB7F9E B76D5500A |
SHA256 | NetSupport RAT downloader |
| D4D02D34C9030CB481ED0 6F17BE601FFF474840CDCC 260C7D740668536837EB4 |
SHA256 | NetSupport RAT downloader |
| 914DA01D63BDE3964DB AAA45F2DA93DA451A0D9 6919BC5ED054E7102520D 833B |
SHA256 | NetSupport RAT downloader |
| BD2779B87974A6E55BF 1A3BE54DE3FD122C0D0D8 249FD51855C055911BFD35CB |
SHA256 | NetSupport RAT downloader |
| E8B9FFB303BF651E1BD 471E13E32FA556E25C32 6CE2757573B4FE43027BB7D07 |
SHA256 | NetSupport RAT downloader |
| E8B64C06D1078D9D4276 79A43EF9E932F70AE83B5 0FC5A713D1FDF058019170A |
SHA256 | NetSupport RAT downloader |
| 56E70BAB56F521D1FB5C3A FD99A8C66422105B9D778D5 4F07C24250CB3538529 |
SHA256 | NetSupport RAT downloader |
| F772B652176A6E40012969 E05D1C75E3C51A8DB44712 45754975678F04DEDAAA |
SHA256 | hVNC |
| EF6500E8A1743E01840063 544CD4E880ABCFE489283C 0B32920F9347A77AC4E6 |
SHA256 | hVNC |
| 849DBD23546AAE1DB8648 DD24992AAAA84FE61739D FB5C06704CCD83078C5640 |
SHA256 | hVNC |
| 94D8827D8FBE8998A8D30 73334FF799455F84557211 E2B407F3C86B69312A6B6 |
SHA256 | hVNC |
| irbxvpn[.]site | URL | Malvertising domain |
| irexvpn[.]site | URL | Malvertising domain |
| irfxvpn[.]site | URL | Malvertising domain |
| irhxvpn[.]site | URL | Malvertising domain |
| irixvpn[.]site | URL | Malvertising domain |
| irkxvpn[.]site | URL | Malvertising domain |
| irqxvpn[.]site | URL | Malvertising domain |
| irtxvpn[.]site | URL | Malvertising domain |
| iruxvpn[.]site | URL | Malvertising domain |
| irwxvpn[.]site | URL | Malvertising domain |
| uhcoxvpn[.]site | URL | Malvertising domain |
| installer-xvpn-n[.]site | URL | Malvertising domain |
| installer-xvpn-k[.]site | URL | Malvertising domain |
| installer-xvpn-h[.]site | URL | Malvertising domain |
| installer-xvpn-g[.]site | URL | Malvertising domain |
| nesupcli[.]com | URL | Delivery server domain |
