Ever since the Bitcoin boom, cryptocurrencies have risen sharply in value year after year. Besides attracting more investment, this gain has increasingly motivated malicious actors to develop stealer malware specialized in gaining access to cryptocurrency wallets. Once they get into these wallets, they can freely and irreversibly transfer funds to wallets controlled by the attacker. In the past year, security researchers have noticed a surge in such cryptocurrency stealers, including the well-known Redline Stealer and WeSteal.
Bitdefender researchers constantly monitor crypto wallet stealers. This is how we spotted a dropper with a hidden file that ran from the \Windows\System32\ folder. The dropper always wrote the same file, mscrlib.exe, to disk. Our analysis determined that it is a new cryptocurrency stealer, but its execution flow differs from what we are used to seeing in the wild. We named the stealer BHUNT after the main assembly's name. BHUNT is a modular stealer written in .NET, capable of exfiltrating wallet contents (Exodus, Electrum, Atomic, Jaxx, Ethereum, Bitcoin, Litecoin wallets), passwords stored in the browser, and passphrases captured from the clipboard.
In this article, we describe how we unpacked the executable files used in this campaign, present the malware's execution flow, and analyze each module to determine its capabilities.
Bitdefender researchers discovered a new family of crypto-wallet stealer malware, dubbed BHUNT
- Binary files are heavily encrypted with commercial packers such as Themida and VMProtect
- The samples identified appear to have been digitally signed with a digital certificate issued to a software company, but the digital certificate does not match the binaries.
- Malware components are specialized in stealing wallet files (wallet.dat and seed.seco), clipboard information and passphrases used to recover accounts
- The malware uses encrypted configuration scripts that are downloaded from public Pastebin pages.
- Other components specialize in the theft of passwords, cookies and other sensitive information stored in Chrome and Firefox browsers
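The two artefacts described above, a hidden mscrlib.exe written to \Windows\System32\ and a digital signature that does not match the binary, can both be checked from the defender's side. The following hunt script is an added example, not code from the Bitdefender report; the file name and folder come from the text, while the function name and the choice of extensions are assumptions of this example.

```powershell
# Hunt for hidden or unsigned executables in System32, the location where the
# BHUNT dropper was observed writing mscrlib.exe. Only the file name and the
# folder come from the article; the rest is this example's own assumption.
function Find-SuspiciousSystem32Binaries {
    param(
        [string]$Root = "$env:SystemRoot\System32",
        # Artefact name reported in the article; extend with your own intel
        [string[]]$KnownNames = @('mscrlib.exe'),
        [string[]]$Extensions = @('.exe', '.dll')
    )

    # -Force surfaces hidden files, which is how the dropper wrote its payload
    Get-ChildItem -Path $Root -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in $Extensions } |
        ForEach-Object {
            $isHidden = ($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0
            $isKnown  = $KnownNames -contains $_.Name
            # Only pay for signature verification on candidate files
            if (-not ($isHidden -or $isKnown)) { return }

            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            # A certificate that does not match the binary verifies as HashMismatch;
            # NotSigned or NotTrusted in this folder is also worth triage
            if ($isKnown -or $sig.Status -ne 'Valid') {
                [pscustomobject]@{
                    Path      = $_.FullName
                    Hidden    = $isHidden
                    KnownName = $isKnown
                    SigStatus = $sig.Status
                    Signer    = $sig.SignerCertificate.Subject
                    Sha256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                }
            }
        }
}

# Run as an administrator so hidden files in System32 are readable
Find-SuspiciousSystem32Binaries | Format-Table -AutoSize
```

Compare the SHA256 values of any hit against the indicators in the whitepaper rather than treating a single unsigned file as proof of infection.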
BHUNT stealer exfiltrates information about cryptocurrency wallets and passwords, hoping for financial gain. Its code is straightforward and the delivery method is similar to that of existing successful malware, like Redline stealer.
- Never install applications from untrusted sources
- Keep your security solution up to date and never turn it off, especially if it blocks the installation of such software.
Indicators of Compromise
An up-to-date and complete list of indicators of compromise is available to Bitdefender Advanced Threat Intelligence users. The currently known indicators of compromise can be found in the whitepaper below.