Another information stealer is being distributed with the help of pirated software websites. CryptBot, a well-known infostealer, has been spotted on numerous sites that offer free downloads for cracked games and pro-grade software.
CryptBot: A Constantly Evolving Infostealer
CryptBot has been described as “a typical infostealer, capable of obtaining credentials for browsers, cryptocurrency wallets, browser cookies, credit cards, and creates screenshots of the infected system.” Stolen details are bundled into zip files and uploaded to the command-and-control server.
As pointed out by ASEC researchers, CryptBot is constantly evolving, and new distribution pages are created continuously. In terms of how the attack is carried out, once the user clicks a download button on one of the attackers’ sites, the user is taken through multiple redirects, the last of which lands on the malware distribution page. New variants of these redirection chains are constantly being created as well.
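The multi-hop redirect chain described above is something an analyst usually wants to see hop by hop rather than let an HTTP client follow silently. The following helper is an added example, not code from the article or from ASEC's research: it records each 3xx hop, resolves relative `Location` headers, detects loops, and caps the number of hops. Network access is behind a pluggable `fetch` callable so the block runs offline against a constructed chain; the hostnames (`*.example`) are placeholders, not real indicators.

```python
"""Trace an HTTP redirect chain one hop at a time for download-link triage.

Added example (not part of the original article or ASEC's report). The
`fetch` callable abstracts the network so the code runs against a constructed
sample; for live use, plug in a client that does NOT follow redirects itself.
"""
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urljoin, urlparse

# A fetcher returns (status_code, Location header or None) for one URL and
# must not follow redirects, so that every hop is observed individually.
Fetcher = Callable[[str], Tuple[int, Optional[str]]]

MAX_HOPS = 10  # assumed cap; long chains are reported as truncated


def _hosts(chain: List[str]) -> List[str]:
    """Distinct hostnames in the order they first appear in the chain."""
    seen: List[str] = []
    for url in chain:
        host = urlparse(url).hostname or ""
        if host not in seen:
            seen.append(host)
    return seen


def trace_redirects(start_url: str, fetch: Fetcher, max_hops: int = MAX_HOPS) -> Dict:
    """Follow 3xx responses individually and return a report of the chain.

    The report holds every URL visited, the final non-redirect URL (or None
    if the chain looped or exceeded max_hops) and the distinct hosts touched.
    """
    chain: List[str] = [start_url]
    current = start_url
    for _ in range(max_hops):
        status, location = fetch(current)
        if not (300 <= status < 400 and location):
            break  # final page (or an error) reached
        nxt = urljoin(current, location)  # Location may be relative
        if nxt in chain:
            return {"chain": chain, "final": None, "loop": True,
                    "truncated": False, "hosts": _hosts(chain)}
        chain.append(nxt)
        current = nxt
    else:
        # Loop ran out of hops without reaching a non-redirect response.
        return {"chain": chain, "final": None, "loop": False,
                "truncated": True, "hosts": _hosts(chain)}
    return {"chain": chain, "final": current, "loop": False,
            "truncated": False, "hosts": _hosts(chain)}


# Constructed sample: a "download" button that bounces through two
# intermediary hops before landing on the distribution page.
SAMPLE_RESPONSES: Dict[str, Tuple[int, Optional[str]]] = {
    "https://cracked-downloads.example/get?id=42": (302, "https://redirector-one.example/r/abc"),
    "https://redirector-one.example/r/abc": (302, "/hop2"),  # relative Location
    "https://redirector-one.example/hop2": (301, "https://final-drop.example/setup.zip"),
    "https://final-drop.example/setup.zip": (200, None),
}


def sample_fetch(url: str) -> Tuple[int, Optional[str]]:
    """Offline fetcher backed by the constructed response table."""
    return SAMPLE_RESPONSES.get(url, (404, None))


def trace_sample() -> Dict:
    """Run the tracer over the constructed chain."""
    return trace_redirects("https://cracked-downloads.example/get?id=42", sample_fetch)


if __name__ == "__main__":
    report = trace_sample()
    for i, hop in enumerate(report["chain"]):
        print(f"hop {i}: {hop}")
    print("final:", report["final"], "| distinct hosts:", len(report["hosts"]))
```

For live triage, replace `sample_fetch` with a function that issues a single request with redirects disabled and returns the status and `Location` header; the rest of the logic is unchanged. The number of distinct hosts and the presence of a loop or truncation are the fields worth logging when recording a suspicious download link.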
According to ASEC’s report, “not only are the distribution pages changing, but the CryptBot itself is also actively changing, and a new version with a large-scale modification is recently being distributed.” The malware authors removed some of CryptBot’s additional features for simplification, and the infostealing code was altered to adapt to the new browser environment.
The anti-sandbox feature was removed, as was the routine that collected TXT files from the desktop. “The behavior of self-deletion that was performed when it was detected by an anti-VM routine or when it completed all malicious behavior and was terminated was also deleted,” the report noted.
Alongside these removals, new capabilities were added, such as the path names of the newest Chrome browser versions.
“The previous version of CryptBot code was structured in a way that if at least one piece of data did not exist out of the list of target data for stealing, the infostealing behavior would fail. So, infostealing was successful only when the infected system used Chrome browser v81 – v95. The recently improved code can steal if the target data exists regardless of the version,” the researchers said.
This is not the first malicious campaign that uses fake cracked installers to deliver malware. Last year, Sophos researchers performed a thorough investigation of a network of websites related to a Raccoon infostealer campaign, acting as a “dropper as a service.” This network distributed a variety of malware packages, “often bundling unrelated malware together in a single dropper,” including click-fraud bots, other infostealers, and ransomware.