A new modular cryptocurrency wallet-stealing malware called “BHUNT” has been spotted targeting cryptocurrency wallet contents, passwords and passphrases.
It is yet another crypto stealer added to the long list of malware targeting digital currency, but it deserves special attention because of its stealthiness.
Infection vector
The discovery and analysis of the new BHUNT malware comes from Bitdefender, which shared its findings with Bleeping Computer ahead of publication.
To evade detection and avoid triggering security warnings, BHUNT is packed and heavily encrypted with Themida and VMProtect, two virtual-machine-based packers that hinder reverse engineering and analysis by researchers.
The threat actors signed the malware executable with a digital signature stolen from Piriform, the creators of CCleaner. However, because the malware developers copied the signature from an unrelated executable, it does not match the file it is attached to and is therefore flagged as invalid.

Source: Bitdefender
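A signature that was lifted from another binary still names a legitimate publisher, but the hash it covers is not the hash of the file it now sits on, so Windows reports it as a hash mismatch rather than as valid. The following PowerShell script is an added example (not code from the Bitdefender report or from the BHUNT sample) showing how a defender can triage a folder of executables and separate files with verified signatures from files that carry a signature block that does not match their content. The folder path is an assumption; the cmdlets used (Get-AuthenticodeSignature, Get-FileHash) are standard in Windows PowerShell 5.1 and PowerShell 7.

```powershell
# Added example: Authenticode triage for a folder of PE files.
# Assumption: $Folder points at the files you want to check.
$Folder = "$env:TEMP\triage"

function Get-SignatureTriage {
    param([Parameter(Mandatory)][string]$Folder)

    Get-ChildItem -Path $Folder -File -Include *.exe, *.dll -Recurse |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                File       = $_.FullName
                # Status is a SignatureStatus value: Valid, NotSigned,
                # HashMismatch, NotTrusted, UnknownError, ...
                Status     = $sig.Status
                Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                Thumbprint = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
                # Company name claimed in the PE version resource, for comparison with the signer
                Company    = $_.VersionInfo.CompanyName
                SHA256     = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

$results = Get-SignatureTriage -Folder $Folder
$results | Format-Table -AutoSize

# A signature block that names a real publisher but fails to verify
# (HashMismatch) is exactly what a signature copied from a different
# binary looks like, and is worth a closer look even if the signer is a
# household name.
$suspicious = $results | Where-Object { $_.Status -eq 'HashMismatch' }
if ($suspicious) {
    Write-Warning "Files whose embedded signature does not match their content:"
    $suspicious | Select-Object File, Signer, Company, SHA256 | Format-List
}
```

The Status column is what matters: only Valid means the hash embedded in the signature matches the file and the certificate chains to a trusted root. NotTrusted (good hash, untrusted chain) and HashMismatch (wrong hash) are different findings, and the Company field lets you spot the further case where the version resource claims one vendor while the certificate names another.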
Bitdefender discovered that BHUNT is injected into explorer.exe and is likely delivered to the compromised system via KMSpico downloads, a popular utility for illegally activating Microsoft products.
KMS (Key Management Services) is a Microsoft license activation system that software pirates frequently abuse to activate Windows and Office products.
BleepingComputer recently reported a similar case of malicious KMSPico activators dropping cryptocurrency wallet thieves onto software pirates’ systems.
This malware has been detected worldwide, with the highest concentration of infected users in India, as shown in the heatmap below.

Source: Bitdefender
BHUNT Modules
The main component of BHUNT is “mscrlib.exe”, which extracts other modules that are then launched on the infected system to carry out the various malicious behaviors.

Source: Bitdefender
Each module is designed for a specific purpose, ranging from stealing cryptocurrency wallets to stealing passwords. The modular approach lets the threat actors customize BHUNT for different campaigns or easily add new features.
The modules currently included in the BHUNT executable ‘mscrlib.exe’ are described below:
- blackjack – steals the contents of the wallet file, encodes it with base64 and uploads it to the C2 server
- chaos_crew – downloads payloads
- golden7 – steals clipboard passwords and uploads files to the C2 server
- Sweet_Bonanza – steals information from browsers (Chrome, IE, Firefox, Opera, Safari)
- mrpropper – cleans up traces (argument files)
The targeted wallets are Exodus, Electrum, Atomic, Jaxx, Ethereum, Bitcoin, and Litecoin.
As the code snippet below shows, the blackjack module is used to find and steal cryptocurrency wallets from a user’s device and send them to a remote server under the attacker’s control.

Source: Bitdefender
Once the threat actor has the wallet seed or configuration file, they can import the wallet on their own devices and steal the cryptocurrency it holds.
While BHUNT’s goal is clearly financial, its information-stealing capabilities could let its operators collect far more than just crypto-wallet data.
“While the malware mainly focuses on stealing information related to cryptocurrency wallets, it can also harvest passwords and cookies stored in browser caches,” says Bitdefender’s report.
“This can include account passwords for social media, banking, etc., which could even lead to an online identity takeover.”
To avoid getting infected with BHUNT, you simply need to avoid downloading pirated software, cracks and illegitimate product activators.
As has been proven time and time again, the money saved by using pirated software is insignificant compared to the damage it can cause to infected systems.