Bitdefender discovered a new evasive cryptocurrency stealer stealer dubbed BHUNT that is able to exfiltrate wallet (Exodus, Electrum, Atomic, Jaxx, Ethereum, Bitcoin, Litecoin wallets) contents, passwords stored in the browser, and data from the clipboard.
BHUNT is a modular stealer written in .NET, its binary files are heavily encrypted with commercial packers such as Themida and VMProtect. The samples identified by the experts are digitally signed with a digital certificate issued to a software company, but Bitdefender pointed out that the digital certificate does not match the binaries.
The samples analyzed by Bitdefender uses encrypted configuration scripts that are downloaded from public Pastebin pages. According to the experts, the malware spreads via cracked software installers and infected users in multiple countries, including Australia, Egypt, Germany, India, Indonesia, Japan, Malaysia, Norway, Singapore, South Africa, Spain, and the US.
“We noticed in our telemetry that the initial dropper process (msh.exebDQGbmsn.exeZDVODXQFKHGIURPbexplorer.
exebWKDWFRQWDLQVLQMHFWHGFRGH0RVWLQIHFWHGXVHUVDOVRKDGVRPHIRUPRIFUDFNIRU:LQGRZV.06RQWKHLU systems.” reads the report published by Bitdefender. “We could not capture any installer for those cracks, but we suspect they delivered the dropper for the cryptocurrency stealer. This technique is very similar to how Redline stealer delivers its payloads through fake
cracked software installers.”
The attack chain starts with the execution of an initial dropper, which writes to disk heavily-encrypted binaries that are then used to launch the main component of BHUNT. The samples identified appear to have been digitally signed with a digital certificate issued to a software company, but the digital certificate does not match the binaries. The cryptocurrency stealer has a modular structure, some of the modules analyzed by the researchers are:
“BHUNT stealer exfiltrates information about cryptocurrency wallets and passwords, hoping for financial gain.” concludes the report that also includes Indicators od Compromise (IoCs). “Its code is straightforward and the delivery method is similar to that of existing successful malware, like Redline stealer.
Follow me on Twitter: @securityaffairs and Facebook
|[adrotate banner=”9″]||[adrotate banner=”12″]|
(SecurityAffairs – hacking, BHUNT)