CryptBot was first discovered in 2019 and has recently resurged. The latest version has been significantly simplified and contains only information-stealing functions; the sample size is much smaller than before.
CryptBot targets sensitive user data such as browser login information, cryptocurrency wallets, stored credit card information, and passwords. The collected information is sent back to the C&C server and sold for financial gain.
Cracked software website
CryptBot has recently been distributed through cracked-software websites, which offer cracked versions of popular games and other software. Attackers bundle malware with these downloads, so victims unknowingly download and execute malicious samples.
Technical analysis
CryptBot's attack chain begins when the victim visits a compromised page to download an SFX file, such as one disguised as the latest version of Adobe Photoshop.
Web page example
Subsequently, the SFX file named 7ZSfxMod_x86.exe is downloaded to the victim's machine.
Malicious files
After unpacking, a folder named 7ZipSfx.000 is created in %Temp%. The trailing number changes with the number of files and the number of times extraction has run; for example, a second extraction creates a folder named 7ZipSfx.001.
folder
The folder contains four files used for the next stage of the attack:
aeFdOLFszTz.dll, a copy of ntdll.dll
They had.gif, BAT script
Carne.gif, obfuscated AutoIT script
Raccontero.exe, AutoIT v3 executable interpreter
As shown above, both files disguised as GIF images are malicious scripts. Different versions of CryptBot also use .MP3 and .WMV as extensions.
The malicious BAT script is shown below. The script checks for security products (BullGuardCore and Panda Cloud Antivirus) and, if either is present, delays execution to avoid detection.
Malicious script
As shown below, the BAT script decrypts the highly obfuscated AutoIT script Carne.gif. The BAT script also copies the AutoIT script into a virtual memory area and runs it.
obfuscated script
The AutoIT executable interpreter Raccontero.exe runs Carne.gif, with the script's filename provided as an argument.
process start
The AutoIT process Raccontero.exe.pif loads the malicious CryptBot into memory.
Function
CryptBot first collects user and system information from the machine and stores the collected data in the user's %Temp% directory. Once the data has been sent to the C&C server, the file is deleted.
Data retrieved includes:
Cryptocurrency wallets
Login information
Form data
Cookies
Browser history
Credit card information
Sensitive data files
Operating system and hardware information
List of installed programs
Scan cryptocurrency wallets
The victim's data is stored in a compressed TXT file, which is subsequently sent to rygvpi61.top/index.php.
CryptBot also contains backup C&C servers that can download additional malware.
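The infection chain described above (extraction into %Temp%\7ZipSfx.NNN, an interpreter launched with a script disguised as a .gif/.mp3/.wmv file, and the upload to the C&C domain) can be turned into simple endpoint detection logic. The following is an added example, not code from the article or from any CryptBot sample; the telemetry format and field names (type, pid, image, cmdline, host) are assumed, and the sample events are constructed, with only the two domains taken from the article.

```python
# Added example (not from the article or any CryptBot sample): scan constructed
# endpoint telemetry for the chain described above. Event field names are assumed.
import json
import re

C2_DOMAINS = {"rygvpi61.top", "gewuib08.top"}          # domains quoted in the article
SFX_TEMP_DIR = re.compile(r"\\Temp\\7ZipSfx\.\d{3}\\", re.IGNORECASE)
MEDIA_AS_SCRIPT = re.compile(r"\S+\.(gif|mp3|wmv)", re.IGNORECASE)


def classify(event):
    """Return the indicator names one telemetry event matches (may be empty)."""
    hits = []
    if event["type"] == "process":
        in_sfx_dir = SFX_TEMP_DIR.search(event["image"]) is not None
        if in_sfx_dir:
            hits.append("exe_in_7zipsfx_tempdir")
        # An executable in the SFX folder handed a .gif/.mp3/.wmv "file" as its
        # argument is the interpreter-plus-disguised-script pattern.
        args = event["cmdline"].split()[1:]
        if in_sfx_dir and any(MEDIA_AS_SCRIPT.fullmatch(a) for a in args):
            hits.append("media_extension_script_argument")
    elif event["type"] == "http" and event["host"].lower() in C2_DOMAINS:
        hits.append("known_c2_domain")
    return hits


def scan(lines):
    """Parse JSON-lines telemetry; return (pid, indicators) for each flagged event."""
    alerts = []
    for line in lines:
        event = json.loads(line)
        hits = classify(event)
        if hits:
            alerts.append((event["pid"], hits))
    return alerts


# Constructed telemetry: the SFX launched from Downloads (not flagged by these
# rules), the staged interpreter, the upload to the C&C, and a benign 7-Zip run.
SAMPLE_TELEMETRY = [json.dumps(e) for e in [
    {"type": "process", "pid": 4012, "cmdline": "7ZSfxMod_x86.exe",
     "image": r"C:\Users\victim\Downloads\7ZSfxMod_x86.exe"},
    {"type": "process", "pid": 4100, "cmdline": "Raccontero.exe Carne.gif",
     "image": r"C:\Users\victim\AppData\Local\Temp\7ZipSfx.000\Raccontero.exe"},
    {"type": "http", "pid": 4100, "host": "rygvpi61.top", "path": "/index.php"},
    {"type": "process", "pid": 5200, "cmdline": "7zFM.exe backup.7z",
     "image": r"C:\Program Files\7-Zip\7zFM.exe"},
]]
```

Running scan(SAMPLE_TELEMETRY) flags only the interpreter launch and the C&C request; the dropper itself runs from Downloads and is left to the YARA rule at the end of the article.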
Malicious sample
Latest variant
The latest version of CryptBot was discovered in the wild in early 2022. The attackers only retained the core functions related to data leakage, and functions such as anti-sandbox were deleted.
The latest version of CryptBot does not steal victim screenshots or clean up malicious files on its own.
The obfuscation method used by the new version is also different from the old version of CryptBot. The current malicious BAT script uses more complex obfuscation to prevent researchers from analyzing it.
The new version also updates its handling of Chrome's stored secrets for Chrome v96, covering all versions of Chrome.
Conclusion
So far, CryptBot has only been observed attacking Windows devices. This is likely related to its delivery method, cracked software, which is far less common on macOS and Linux.
The attackers halved the size of the malicious samples, which simplifies the attack and allows more frequent and faster infections.
YARA rule

import "pe"

rule CryptBot {
    meta:
        description = "Detects 2022 CryptBot Through Imphash"
        author = "BlackBerry Threat Research Team"
        date = "2022-02-26"
        license = "This Yara rule is provided under the Apache License 2.0 (https://www.apache.org/licenses/LICENSE-2.0) and open to any user or organization, as long as you use it under this license and ensure originator credit in any derivative to The BlackBerry Research & Intelligence Team"
    strings:
        $s1 = "7zSFX"
    condition:
        (
            // PE File
            uint16(0) == 0x5a4d and
            // Imphash (grouped so the string check applies to every imphash match)
            (
                pe.imphash() == "e55dbecdaf2c7cc43f3d577e70c6c583" or
                pe.imphash() == "27fc501de77f5768cac058a2a9512c3a" or
                pe.imphash() == "fda990324138bdc940f9020ce3e8d5fc" or
                pe.imphash() == "997edafa1e226ba6317ec804803f9a57" or
                pe.imphash() == "4b3cfc81e94566bb0e35b6156e51fbd5"
            ) and
            // All Strings
            all of ($s*)
        )
}
IOC
SHA-256: 53d8d466679a01953aab35947655a8c1a2ff3c19ac188e9f40e3135553cf7556
rygvpi61.top/index.php
gewuib08.top/download.php?file=scrods.exe