New BHUNT Stealer targets cryptocurrency wallets

Researchers spotted a new evasive cryptocurrency stealer named BHUNT that targets a list of wallets and implements multiple data-stealing capabilities.

Bitdefender discovered a new evasive cryptocurrency stealer stealer dubbed BHUNT that is able to exfiltrate wallet (Exodus, Electrum, Atomic, Jaxx, Ethereum, Bitcoin, Litecoin wallets) contents, passwords stored in the browser, and data from the clipboard.

BHUNT is a modular stealer written in .NET, its binary files are heavily encrypted with commercial packers such as Themida and VMProtect. The samples identified by the experts are digitally signed with a digital certificate issued to a software company, but Bitdefender pointed out that the digital certificate does not match the binaries.

The samples analyzed by Bitdefender uses encrypted configuration scripts that are downloaded from public Pastebin pages. According to the experts, the malware spreads via cracked software installers and infected users in multiple countries, including Australia, Egypt, Germany, India, Indonesia, Japan, Malaysia, Norway, Singapore, South Africa, Spain, and the US.

“We noticed in our telemetry that the initial dropper process (msh.exebDQGbmsn.exeZDVODXQFKHGIURPbexplorer.
exebWKDWFRQWDLQVLQMHFWHGFRGH0RVWLQIHFWHGXVHUVDOVRKDGVRPHIRUPRIFUDFNIRU:LQGRZV.06RQWKHLU systems.” reads the report published by Bitdefender. “We could not capture any installer for those cracks, but we suspect they delivered the dropper for the cryptocurrency stealer. This technique is very similar to how Redline stealer delivers its payloads through fake
cracked software installers.”

The attack chain starts with the execution of an initial dropper, which writes to disk heavily-encrypted binaries that are then used to launch the main component of BHUNT. The samples identified appear to have been digitally signed with a digital certificate issued to a software company, but the digital certificate does not match the binaries. The cryptocurrency stealer has a modular structure, some of the modules analyzed by the researchers are:

• blackjack – steal wallet files
• chaos-crew – establish persistence and download additional payloads
• golden7 – steal account tokens from Firefox and Chrome as well as passwords from clipboard
• Sweet_Bonanza – steal stored passwords from supported browsers (i.e. Internet Explorer, Firefox, Chrome, Opera, and Safari)
• mrpropper – delete artifacts from infected system

“BHUNT stealer exfiltrates information about cryptocurrency wallets and passwords, hoping for financial gain.” concludes the report that also includes Indicators od Compromise (IoCs). “Its code is straightforward and the delivery method is similar to that of existing successful malware, like Redline stealer.

• Never install applications from untrusted sources
• Keep your security solution up to date and never turn it off, especially if it blocks the installation of such software.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, BHUNT)

[adrotate banner=”5″]

[adrotate banner=”13″]