A new evasive crypto wallet stealer named BHUNT has been spotted in the wild with the goal of financial gain, adding to a list of digital currency stealing malware such as CryptBot, Redline Stealer, and WeSteal.
“BHUNT is a modular stealer written in .NET, capable of exfiltrating wallet (Exodus, Electrum, Atomic, Jaxx, Ethereum, Bitcoin, Litecoin wallets) contents, passwords stored in the browser, and passphrases captured from the clipboard,” Bitdefender researchers said in a technical report on Wednesday.
The campaign was distributed worldwide, in Australia, Egypt and Germany. It is believed that compromised software installers delivered it to systems across South Africa, Spain, Indonesia, Japan, Malaysia, Norway and Singapore.
The modus operandi of using cracks as an infection source for initial access mirrors similar cybercrime campaigns that have leveraged tools such as KMSPico as a conduit for deploying malware. Researchers found that most infected users also had a crack for Windows (KMS), which they reported to the authorities.

The attack sequence starts with the execution of an initial dropper, which writes heavily encrypted interim binaries that are then used to launch the main component of the stealer. This main component is a .NET malware that incorporates the following modules to facilitate its malicious activities, the results of which are exfiltrated to a remote server:
- blackjack – steal wallet file contents
- chaos-crew – download additional payloads
- golden7 – siphon cookies from Firefox and Chrome as well as passwords from clipboard
- Sweet_Bonanza – steal stored passwords from browsers such as Internet Explorer, Firefox, Chrome, Opera, and Safari, and
- mrpropper – clean up traces
The information theft could also have a privacy impact in that the passwords and account tokens stolen from the browser cache could be abused to commit fraud and to gain other financial benefits.
“The most effective way to defend against this threat is to avoid installing software from untrusted sources and to keep security solutions up to date,” the researchers concluded.