Security researchers recently spotted a new modular stealer written in .NET that steals the contents of cryptocurrency wallets, including Atomic, Exodus, Ethereum, Jazz, Bitcoin, and Litecoin wallets. Victims have been observed in Australia, Egypt, Germany, India, Indonesia, Japan, Malaysia, Norway, Singapore, South Africa, Spain, and the U.S., and the malware is most likely distributed to users worldwide bundled with cracked software installers.
The stealer can also harvest passwords stored in the browser and passphrases captured directly from the clipboard. The Bitdefender researchers who discovered the malware named it BHUNT, after the name of its main assembly; BHUNT is a new family of cryptocurrency wallet stealer. Their analysis also found that BHUNT's execution flow differs from that of most stealers of this kind.
What Are BHUNT's Key Characteristics?
The malware's binaries are packed with commercial packers such as Themida and VMProtect, which hinders static analysis. The samples the researchers identified were digitally signed with a certificate issued to a software company, but the certificate did not match the binaries, so the signature does not validate. This is why the signer name alone should never be trusted: on a Windows host, a check such as Get-AuthenticodeSignature reports such a file with a status other than Valid (typically HashMismatch when the signed hash does not match the file), and that mismatch is itself a strong indicator.
The malware's components are specialised: one steals crypto wallet files such as wallet.dat and seed.seco, one captures clipboard contents, and one collects the passphrases needed to recover accounts.
It is also noteworthy that the malware uses encrypted configuration scripts downloaded from public Pastebin pages, so the command-and-control configuration is hosted on a legitimate service rather than attacker-owned infrastructure. Its remaining components steal passwords, cookies and other sensitive details stored by Google Chrome and Mozilla Firefox, Bitdefender said.
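The two behaviours described above (an unexpected process reading wallet files or browser credential stores, and a non-browser process pulling its configuration from a raw Pastebin page) are the kind of thing a defender can hunt for in endpoint telemetry. The following is an added example written for this article, not code from Bitdefender or from BHUNT itself: it runs two simple rules over constructed Sysmon-style events and then correlates them per process, so a process that trips both rules is surfaced as the high-confidence case. The event shape, the process names, the allow-lists of legitimate wallet and browser executables, and the sample events are all assumptions for the example.

```python
"""Hunting heuristics for BHUNT-style wallet stealers (illustrative, added example).

Rule 1: a process outside the expected-readers allow-list opens wallet storage
        (wallet.dat, seed.seco) or a browser credential store.
Rule 2: a process that is not a browser fetches a raw paste from pastebin.com,
        the way the article says BHUNT retrieves its encrypted configuration.
A process that trips both rules in the same event stream is reported by
correlate() as the high-confidence hit.
"""
import re
from pathlib import PureWindowsPath
from typing import Optional

# Artefacts the article says the stealer components go after.
WALLET_FILES = {"wallet.dat", "seed.seco"}
# Chrome and Firefox credential/cookie stores (file names as found on disk).
BROWSER_STORES = {"login data", "cookies", "logins.json", "key4.db", "cookies.sqlite"}

# Allow-lists are assumptions for this example; tune them to the host's software inventory.
EXPECTED_READERS = {
    "bitcoin-qt.exe", "litecoin-qt.exe", "exodus.exe", "atomic wallet.exe",
    "chrome.exe", "firefox.exe",
}
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe"}

# Raw-paste URLs on pastebin.com; the article names the service, the path form is assumed.
PASTE_RE = re.compile(r"^https?://(?:www\.)?pastebin\.com/raw/\S+", re.IGNORECASE)

# Constructed telemetry, not real captures. Fields: type, pid, image, target/url.
SAMPLE_EVENTS = [
    {"type": "FileRead", "pid": 4100, "image": r"C:\Program Files\Bitcoin\bitcoin-qt.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Bitcoin\wallet.dat"},
    {"type": "FileRead", "pid": 6620, "image": r"C:\Users\alice\AppData\Local\Temp\setup_patch.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Bitcoin\wallet.dat"},
    {"type": "FileRead", "pid": 6620, "image": r"C:\Users\alice\AppData\Local\Temp\setup_patch.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Exodus\exodus.wallet\seed.seco"},
    {"type": "FileRead", "pid": 6620, "image": r"C:\Users\alice\AppData\Local\Temp\setup_patch.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "HttpRequest", "pid": 6620, "image": r"C:\Users\alice\AppData\Local\Temp\setup_patch.exe",
     "url": "https://pastebin.com/raw/constructedid"},
    {"type": "HttpRequest", "pid": 2208, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "url": "https://pastebin.com/raw/constructedid"},
    {"type": "FileRead", "pid": 2208, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
]


def image_name(path: str) -> str:
    """Lower-cased executable file name from a Windows image path."""
    return PureWindowsPath(path).name.lower()


def flag_file_access(event: dict) -> Optional[str]:
    """Rule 1: wallet file or browser credential store read by an unexpected process."""
    if event.get("type") != "FileRead":
        return None
    target = PureWindowsPath(event["target"]).name.lower()
    if target not in WALLET_FILES and target not in BROWSER_STORES:
        return None
    proc = image_name(event["image"])
    if proc in EXPECTED_READERS:
        return None
    kind = "wallet file" if target in WALLET_FILES else "browser credential store"
    return f"{proc} read {kind} {target}"


def flag_paste_fetch(event: dict) -> Optional[str]:
    """Rule 2: non-browser process fetching a raw paste (config-retrieval pattern)."""
    if event.get("type") != "HttpRequest" or not PASTE_RE.match(event["url"]):
        return None
    proc = image_name(event["image"])
    if proc in BROWSERS:
        return None
    return f"{proc} fetched raw paste {event['url']}"


def hunt(events) -> list:
    """Run both rules over the stream; one alert dict per rule hit."""
    alerts = []
    for ev in events:
        for rule in (flag_file_access, flag_paste_fetch):
            detail = rule(ev)
            if detail:
                alerts.append({"pid": ev["pid"], "rule": rule.__name__, "detail": detail})
    return alerts


def correlate(events) -> set:
    """PIDs that tripped both rules: reads wallet/credential data AND pulls a paste."""
    rules_by_pid = {}
    for alert in hunt(events):
        rules_by_pid.setdefault(alert["pid"], set()).add(alert["rule"])
    return {pid for pid, rules in rules_by_pid.items() if len(rules) == 2}


if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(f"pid {alert['pid']}: [{alert['rule']}] {alert['detail']}")
    print("high-confidence pids:", sorted(correlate(SAMPLE_EVENTS)))
```

The per-rule alerts are noisy on their own (a backup agent or a forensic tool will legitimately read wallet.dat, and a user may open a paste in a script), which is why the correlation step matters: the stealer shape is a single unexpected process that both fetches its configuration and touches wallet or browser stores. In a real deployment the allow-lists come from the host's software inventory and the events from Sysmon event IDs or an EDR feed rather than from the constructed list here.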
Previously Detected Crypto Wallet Stealers
Panda Stealer and ElectroRAT are other examples of malware designed specifically to target crypto wallets. Panda Stealer was distributed via spam emails, mostly in the U.S., Australia, Japan, and Germany. Trend Micro's research showed that Panda Stealer used fileless techniques to evade detection.
As for ElectroRAT, the operation behind it was elaborate: it combined a marketing campaign, custom cryptocurrency-themed applications, and an entirely new Remote Access Tool (RAT). For distribution, the attackers lured cryptocurrency users into downloading the trojanized apps.