Bitdefender’s security researchers have identified a new family of crypto-wallet stealer malware, which they dubbed BHUNT, after the name of the main assembly.
Crypto-wallet stealers are part of a trend that shows no sign of slowing down. As cryptocurrencies become more mainstream and as the number of potential victims increases each day, new malware designed to target this new “market” is bound to appear.
Just in the past year, RedLine Stealer and WeSteal have shown how dangerous this type of malware really is and how much of a problem it will be in the future. It is no surprise that a new malware family has appeared, and that its authors designed it to go after some of the most widely used cryptocurrency wallets and coins today, including Exodus, Electrum, Atomic, Jaxx, Ethereum, Bitcoin and Litecoin.
Bitdefender security researchers spotted the initial dropper in telemetry under the file names ‘msh.exe’ and ‘msn.exe.’ The dropper itself was launched from ‘explorer.exe.’
“Most infected users also had some form of a Windows crack (KMS) on their systems. We could not capture any installer for those cracks, but we suspect they delivered the dropper for the cryptocurrency stealer,” said the researchers in a whitepaper on BHUNT. This technique is very similar to how the Redline stealer delivers its payloads through fake cracked software installers.
While BHUNT is primarily a crypto-wallet stealer, its components can perform other actions as well: capturing clipboard contents and the passphrases used to recover accounts, and stealing passwords, cookies and other sensitive data stored in the Chrome and Firefox browsers.
The malware is sufficiently advanced to download encrypted configuration scripts from public Pastebin pages, letting the attackers augment the stealer as they see fit.
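The two observable traits described above (a dropper named ‘msh.exe’ or ‘msn.exe’ launched by ‘explorer.exe’, followed by a fetch of configuration from Pastebin) can be turned into a simple correlation check over endpoint telemetry. The following is an added example written for this article, not code from Bitdefender's whitepaper; the field names follow Sysmon conventions, but the event list, process IDs and paths are constructed sample data.

```python
from typing import Dict, List

# Process names and parent come from the article; the Pastebin host is the
# configuration source it describes. Everything else here is an assumption.
SUSPECT_IMAGES = {"msh.exe", "msn.exe"}
SUSPECT_PARENT = "explorer.exe"
CONFIG_HOSTS = {"pastebin.com"}


def _basename(path: str) -> str:
    """Return the lowercase file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_bhunt_indicators(events: List[Dict]) -> List[str]:
    """Scan Sysmon-style events (constructed layout, not a real export) and
    return alert strings. EventID 1 = process create, EventID 3 = network."""
    alerts: List[str] = []
    suspect_pids: Dict[int, str] = {}  # pid -> image of flagged dropper
    for ev in events:
        if ev["EventID"] == 1:
            image = _basename(ev["Image"])
            parent = _basename(ev["ParentImage"])
            if image in SUSPECT_IMAGES and parent == SUSPECT_PARENT:
                suspect_pids[ev["ProcessId"]] = image
                alerts.append(f"dropper-like process {image} (pid {ev['ProcessId']}) "
                              f"started by {parent}")
        elif ev["EventID"] == 3:
            host = ev.get("DestinationHostname", "").lower()
            # Only flag the config fetch when it comes from an already-flagged pid
            if ev["ProcessId"] in suspect_pids and host in CONFIG_HOSTS:
                alerts.append(f"{suspect_pids[ev['ProcessId']]} (pid {ev['ProcessId']}) "
                              f"contacted {host}: possible config download")
    return alerts


# Constructed sample telemetry; not taken from Bitdefender's data.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4100, "Image": r"C:\Users\u\AppData\Local\Temp\msh.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 4120, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 3, "ProcessId": 4100, "DestinationHostname": "pastebin.com"},
    {"EventID": 3, "ProcessId": 4120, "DestinationHostname": "update.example.com"},
]

if __name__ == "__main__":
    for line in detect_bhunt_indicators(SAMPLE_EVENTS):
        print(line)
```

File names are weak indicators on their own, since they are trivial to change; the value of the check is in pairing the name with the parent process and the follow-up network activity.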
“BHUNT has no specific target country or organization; however, almost all of our telemetry originated from home users who are more likely to have cryptocurrency wallet software installed on their systems,” Bitdefender explained. “This target group is also more likely to install cracks for operating system software, which we suspect is the main infection source.”
The only two ways to fully protect against this threat are to never install software from unknown sources and to keep security solutions active and up to date.
Check out the complete whitepaper for more details on the malware, including indicators of compromise.