CryptBot spreads disguised as cracked software

CryptBot was first discovered in 2019 and has resurfaced in force recently. The latest version has been stripped down significantly and retains only its information-stealing functionality, so the sample is much smaller than before.

CryptBot targets sensitive user data such as browser login credentials, cryptocurrency wallets, stored credit card details, passwords, and more. The collected information is sent back to the C&C server and sold for financial gain.

Cracked software websites

CryptBot has recently been distributed through cracked software websites, which offer pirated versions of popular games and other software. Attackers bundle the malware with these downloads, so victims unknowingly fetch and execute the malicious samples themselves.

Technical analysis

CryptBot's attack chain begins when the victim visits a compromised page and downloads a self-extracting (SFX) archive, for example one posing as the latest version of Adobe Photoshop.

[Figure: web page example]

The SFX file, named 7ZSfxMod_x86.exe, is then downloaded to the victim's machine.

[Figure: malicious files]

When run, the archive extracts itself into a folder named 7ZipSfx.000 under %Temp%. The numeric suffix depends on how many times extraction has already taken place: a second extraction, for example, creates a folder named 7ZipSfx.001.

[Figure: extracted folder]

The folder contains four files used for the next stage of the attack:

aeFdOLFszTz.dll, a copy of ntdll.dll

Avevano.gif, BAT script

Carne.gif, obfuscated AutoIT script

Raccontero.exe, AutoIT v3 executable interpreter

As the list shows, both files carrying a GIF extension are in fact malicious scripts. Other CryptBot versions have used .MP3 and .WMV extensions for the same disguise.

The BAT script is shown below. It checks for two security products (BullGuardCore and Panda Cloud Antivirus) and, if either is present, delays execution to evade detection.

[Figure: malicious BAT script]

As shown below, the BAT script also decodes the heavily obfuscated AutoIT script Carne.gif, stages the decoded script in memory and runs it.

[Figure: obfuscated AutoIT script]

The AutoIT interpreter Raccontero.exe is launched with the script's filename, Carne.gif, passed as its argument.

[Figure: process start]

The AutoIT process, now running as Raccontero.exe.pif, loads the CryptBot payload into memory.
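The staging layout described above is easy to hunt for on a suspect host: a 7ZipSfx.NNN folder under %Temp% holding PE files next to "media" files whose bytes are not media. The script below is an added example (it is not from the original post or from the BlackBerry report) that builds a constructed copy of that layout in a scratch directory and flags files whose extension claims GIF, MP3 or WMV while their header bytes say otherwise; the magic values come from the public format specifications, and the file contents are stand-ins, not real malware. It covers the .MP3 and .WMV disguises mentioned above as well as .GIF.

```python
import re
import tempfile
from pathlib import Path

# Header bytes a file with one of these extensions should carry if it were genuine.
# Source: public format specs (GIF signature, ID3v2 tag or MPEG frame sync for MP3,
# ASF header object GUID prefix for WMV).
EXPECTED_MAGIC = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".mp3": (b"ID3", b"\xff\xfb", b"\xff\xf3", b"\xff\xf2"),
    ".wmv": (b"\x30\x26\xb2\x75\x8e\x66\xcf\x11",),
}

# 7-Zip SFX staging folders: 7ZipSfx.000, 7ZipSfx.001, ... (suffix grows per extraction)
SFX_DIR = re.compile(r"^7ZipSfx\.\d{3}$", re.IGNORECASE)


def classify(path):
    """Return a short verdict for a suspicious file, or None if nothing stands out."""
    with open(path, "rb") as fh:
        header = fh.read(16)
    ext = path.suffix.lower()
    if header.startswith(b"MZ"):
        # PE image: both the dropped DLL copy and the AutoIT interpreter look like this
        return "PE executable"
    if ext in EXPECTED_MAGIC and not header.startswith(EXPECTED_MAGIC[ext]):
        # media extension on a file that does not begin like that media type
        return "%s extension but non-%s content" % (ext, ext[1:].upper())
    return None


def scan_temp(temp_root):
    """Map each 7ZipSfx.NNN folder under temp_root to its list of suspicious files."""
    findings = {}
    for entry in sorted(Path(temp_root).iterdir()):
        if not (entry.is_dir() and SFX_DIR.match(entry.name)):
            continue
        hits = []
        for item in sorted(entry.iterdir()):
            if item.is_file():
                verdict = classify(item)
                if verdict:
                    hits.append("%s: %s" % (item.name, verdict))
        findings[entry.name] = hits
    return findings


def build_sample_tree(root):
    """Constructed stand-in for the staging folder described above (no real malware)."""
    staging = Path(root) / "7ZipSfx.000"
    staging.mkdir()
    (staging / "aeFdOLFszTz.dll").write_bytes(b"MZ" + b"\x00" * 62)       # PE stub
    (staging / "Avevano.gif").write_bytes(b"@echo off\r\nset a=b\r\n")   # BAT text, .gif name
    (staging / "Carne.gif").write_bytes(b"#NoTrayIcon\r\n$x = 1\r\n")      # AutoIT text, .gif name
    (staging / "Raccontero.exe").write_bytes(b"MZ" + b"\x00" * 62)        # PE stub
    (staging / "banner.gif").write_bytes(b"GIF89a" + b"\x00" * 10)        # genuine GIF, not flagged
    (Path(root) / "not_an_sfx_dir").mkdir()                               # ignored by the scan
    return Path(root)


def demo():
    """Build the constructed tree in a scratch directory and return the scan result."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_temp(build_sample_tree(tmp))


if __name__ == "__main__":
    for folder, hits in demo().items():
        print(folder)
        for hit in hits:
            print("  ", hit)
```

On a real host, point scan_temp at the user's %Temp% (os.environ["TEMP"]) instead of the constructed tree. A PE hit alone is not proof of compromise, since the AutoIT interpreter is a legitimate signed binary; the telling combination is a PE file sitting beside a .gif that is really text.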

Functionality

CryptBot first collects user and system information from the machine and stores it in the user's %Temp% directory. Once the data has been sent to the C&C server, the file is deleted.

Data retrieved includes:

Cryptocurrency wallets

Login credentials

Form data

Cookies

Browser history

Credit card information

Sensitive data files

Operating system and hardware information

List of installed programs

[Figure: scanning for cryptocurrency wallets]

The victim's data is written to a compressed TXT file, which is then sent to rygvpi61.top/index.php.

CryptBot also carries backup C&C server addresses from which it can download additional malware.

[Figure: malicious sample]

Latest variant

The latest version of CryptBot was discovered in the wild in early 2022. The attackers kept only the core functions needed for data exfiltration and removed features such as the anti-sandbox checks.

The latest version no longer captures screenshots of the victim's desktop and does not clean up its own files after running.

The obfuscation also differs from earlier CryptBot builds: the current BAT script is more heavily obfuscated to hinder analysis.

The new version also updates its handling of Chrome's stored secrets for Chrome v96, so that all current Chrome versions are covered.

Conclusion

So far, CryptBot has only been observed attacking Windows machines. This is most likely a consequence of its delivery method: cracked software is far less common on macOS and Linux.

The attackers cut the sample size roughly in half, streamlining the attack for faster and more frequent infections.

YARA rule

import "pe"

rule CryptBot {
    meta:
        description = "Detects 2022 CryptBot Through Imphash"
        author = "BlackBerry Threat Research Team"
        date = "2022-02-26"
        license = "This Yara rule is provided under the Apache License 2.0 (https://www.apache.org/licenses/LICENSE-2.0) and open to any user or organization, as long as you use it under this license and ensure originator credit in any derivative to The BlackBerry Research & Intelligence Team"
    strings:
        $s1 = "7zSFX"
    condition:
        // PE file
        uint16(0) == 0x5a4d and
        // Imphash (grouped in parentheses: 'and' binds tighter than 'or' in YARA,
        // so without them the MZ and string checks would only apply to some branches)
        (
            pe.imphash() == "e55dbecdaf2c7cc43f3d577e70c6c583" or
            pe.imphash() == "27fc501de77f5768cac058a2a9512c3a" or
            pe.imphash() == "fda990324138bdc940f9020ce3e8d5fc" or
            pe.imphash() == "997edafa1e226ba6317ec804803f9a57" or
            pe.imphash() == "4b3cfc81e94566bb0e35b6156e51fbd5"
        ) and
        // All strings
        all of ($s*)
}
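The rule above keys on pe.imphash(), an MD5 over the normalized import table, combined with the "7zSFX" marker string. Because an SFX archive is the 7-Zip SFX stub with the payload appended, its import table (and therefore its imphash) is the stub's, so any archive built with the same stub version shares the value: treat hits as triage leads rather than convictions. The example below is added here (it is not from the original post, the BlackBerry report or the pefile project) and reimplements the normalization that pefile's get_imphash() applies, so the hashing itself can be seen in the open. The import tables are constructed; the one simplification, stated in the code, is that ordinal-only imports are rendered as "ordN" without the ordinal-to-name tables pefile keeps for ws2_32, wsock32 and oleaut32.

```python
import hashlib

# Extensions pefile strips from the DLL name before hashing.
_STRIPPED = ("dll", "ocx", "sys")


def normalize_imports(imports):
    """Build the comma-joined 'dll.func' string that imphash is the MD5 of.

    imports: iterable of (dll_name, [function_name_or_ordinal, ...]) in import-table order.
    Integer entries are ordinals and become 'ordN'. Assumption: the sample imports by
    name, so the ws2_32/wsock32/oleaut32 ordinal-to-name tables are not reproduced here.
    """
    parts = []
    for dll, funcs in imports:
        lib = dll.lower()
        stem, dot, ext = lib.rpartition(".")
        if dot and ext in _STRIPPED:
            lib = stem                      # "kernel32.dll" -> "kernel32"
        for func in funcs:
            name = "ord%d" % func if isinstance(func, int) else func.lower()
            parts.append("%s.%s" % (lib, name))
    return ",".join(parts)


def imphash(imports):
    """MD5 hex digest of the normalized import string, i.e. the pe.imphash() value."""
    return hashlib.md5(normalize_imports(imports).encode("ascii")).hexdigest()


# Constructed import tables (not taken from a CryptBot or 7-Zip sample).
# A and B differ only in letter case and DLL extension, which imphash ignores.
SFX_STUB_A = [
    ("KERNEL32.dll", ["GetModuleHandleA", "LoadLibraryA", "GetProcAddress"]),
    ("USER32.dll", ["MessageBoxA"]),
]
SFX_STUB_B = [
    ("kernel32", ["getmodulehandlea", "loadlibrarya", "getprocaddress"]),
    ("user32.DLL", ["messageboxa"]),
]
# Same functions plus one extra import: the digest changes completely.
SFX_STUB_C = SFX_STUB_A + [("ADVAPI32.dll", ["RegOpenKeyExA"])]

# The five values from the rule above.
KNOWN_CRYPTBOT_IMPHASHES = {
    "e55dbecdaf2c7cc43f3d577e70c6c583",
    "27fc501de77f5768cac058a2a9512c3a",
    "fda990324138bdc940f9020ce3e8d5fc",
    "997edafa1e226ba6317ec804803f9a57",
    "4b3cfc81e94566bb0e35b6156e51fbd5",
}


def matches_rule(imports):
    """Mirror the imphash half of the rule for an already-parsed import table."""
    return imphash(imports) in KNOWN_CRYPTBOT_IMPHASHES


if __name__ == "__main__":
    print(normalize_imports(SFX_STUB_A))
    print("A:", imphash(SFX_STUB_A), "B:", imphash(SFX_STUB_B), "C:", imphash(SFX_STUB_C))
    print("A matches rule:", matches_rule(SFX_STUB_A))
```

To apply this to a real file, feed it the DLL and function names from pefile's DIRECTORY_ENTRY_IMPORT (or any PE parser); the ordering must follow the import table, since reordering changes the digest. The same property that makes imphash useful for clustering builds of one stub is what makes it weak as a sole indicator: rebuilding the payload does not change it, and a different stub version, or a single added import, changes it entirely.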

IOC

SHA-256: 53d8d466679a01953aab35947655a8c1a2ff3c19ac188e9f40e3135553cf7556
rygvpi61.top/index.php
gewuib08.top/download.php?file=scrods.exe


Source: blog.csdn.net/Android062005/article/details/132101127