CryptBotβs latest version is distributed via deceptive crack/tool pages with redirect-heavy delivery, increasing infection risk. The update consolidates C2 communications, removes several infostealing features, and expands Chrome data theft to support newer browser versions. #CryptBot #AhnLab #DriveByCompromise #SandboxEvasion #DataFromLocalSystem #ScreenCapture #CredentialsInWebBrowsers
Keypoints
- CryptBot is distributed through pages that appear at the top of search results and disguise themselves as cracks/tools sharing sites, raising infection risk.
- Distribution pages are redesigned frequently, with new pages created to host the malware.
- The latest CryptBot version removes the anti-sandbox routine, while the anti-VM check remains largely unchanged.
- In the modified version, infostealing data is sent to a single C2 instead of two C2s, and the two-C2 pattern for downloading additional malware is eliminated.
- The method of sending stolen data was changed to using a simple API with one hard-coded C2 URL.
- Infostealing features like collecting TXT files and screenshots were reduced/eliminated, and self-deletion on detection or after completion was removed from the new version.
- Chrome data theft was updated to support newer Chrome versions by incorporating updated Chrome path names; the malware can steal data even if not limited to older Chrome versions.
MITRE Techniques
- [T1189] Drive-by Compromise β Attackers rely on compromised/disguised pages that lure users to download malware via redirected links. Quote: βWhen the user clicks the download button in a post disguised as a cracks and tools sharing website β¦ the user is redirected multiple times, ultimately redirected to the distribution page.β
- [T1497] Virtualization/Sandbox Evasion β The malware includes anti-sandbox checks (removed in the new variant) and anti-VM routines. Quote: βThe anti-sandbox routine, which terminates without malicious behavior in the case of βXeonβ environment after checking the CPU name set as the infection target, was removed.β
- [T1113] Screen Capture β Infostealing previously included screenshots of the screen. Quote: βThe infostealing features of collecting TXT files on the desktop and screenshots of the screen were also deleted.β
- [T1005] Data from Local System β The malware collected local data (TXT files) as part of its infostealing. Quote: βThe infostealing features of collecting TXT files on the desktop and screenshots of the screen were also deleted.β
- [T1555.003] Credentials in Web Browsers β Chrome browser data theft updated to support newer Chrome versions. Quote: βThe previous version used the pathname of the old version of Chrome when stealing Chrome browser information, so it could not steal information from Chrome v96 released in November 2021 and its later versions. The recently modified sample includes all the newest Chrome path names.β
- [T1041] Exfiltration Over C2 Channel β Data is exfiltrated to C2 servers (single C2 in the modified version). Quote: βthe behavior saves the stolen information to two different folders and sends each folder to different C2β and βin the changed version, one C2 URL is hard-coded in the function.β
- [T1070.004] File Deletion β Self-deletion was used to cover tracks; the updated version removes self-deletion functionality after completion or detection. Quote: βThe self-deletion that was performed when it was detected by an anti-VM routine or when it completed all malicious behavior and was terminated was also deleted.β
Indicators of Compromise
- [File Hash] MD5-like hashes β 28e1397f9233badf815e22ef2e13634f, 33e6e82f629715ce89424c41a847e889, and many more hashes
- [Domain] C2 domains β rygqwf41.top/index.php, rygedj410.top/index.php, and other related domains
- [URL] Download URLs β gewfih05.top/download.php?file=fusate.exe, gewfec07.top/download.php?file=insane.exe
Read more: https://asec.ahnlab.com/en/31802/