CryptBot resurfaces as a streamlined infostealer distributed through compromised pirate sites offering cracked software and games. The latest variant trims its capabilities to focus on data exfiltration, using obfuscated scripts and a multi-stage delivery chain to evade detection. #CryptBot #7ZipSfx #AutoIT #BullGuardCore #PandaCloudAV #Chrome96
Keypoints
- CryptBot is distributed via compromised webpages offering cracked software, leveraging SEO and compromised sites to reach victims.
- The infection chain begins with an SFX archive masquerading as legitimate software (e.g., Adobe Photoshop) downloaded from a rogue page.
- The dropper places a folder in the victim’s Temp directory (e.g., 7ZipSfx.000) containing multiple components used to execute the payload.
- The dropped files mix legitimate-looking and obfuscated components (e.g., Avevano.gif, a BAT script; Carne.gif, an obfuscated AutoIT script; Raccontero.exe, the AutoIT compiler).
- The latest CryptBot variants remove anti-sandbox, desktop screenshot, and self-deletion features, concentrating on data exfiltration.
- CryptBot harvests browser data, passwords, wallet details, cookies, history, credit card data, and OS/hardware info, then exfiltrates to a hardcoded C2 and wipes the sent data locally.
- Key IOCs include the C2 domains and the specific dropper/loader filenames, with a YARA rule published to detect this threat family.
MITRE Techniques
- [T1189] Drive-by Compromise – The attack chain begins when a victim visits a compromised webpage and is lured into downloading an SFX file masquerading as legitimate software. “The attack chain for CryptBot begins when the victim visits a compromised webpage and is lured into downloading an SFX file, such as the one pictured in Figure 1, which is masquerading as the latest version of Adobe Photoshop.”
- [T1027] Obfuscated Files or Information – The BAT script decrypts the heavily obfuscated AutoIT script “Carne.gif” and copies it to memory for execution. “The BAT script is used to decrypt the heavily obfuscated AutoIT script, ‘Carne.gif,’ as seen in Figure 5. The BAT also copies the AutoIT script to the virtual memory area to run it.”
- [T1059.003] Windows Command Shell – The campaign uses BAT scripts to orchestrate the load and execution of components (e.g., “Raccontero.exe” and “Carne.gif”). “The BAT script is used to decrypt the heavily obfuscated AutoIT script… and copies the AutoIT script to the virtual memory area to run it.”
- [T1562.001] Impair Defenses – The malware includes a sleep function to delay execution when antivirus products are present to aid in bypassing detection. “If the AV products are present, the malware will perform a ‘sleep’ function to delay execution and aid in bypassing detection.”
- [T1082] System Information Discovery – CryptBot searches for OS and hardware information and other sensitive data to steal. “The data that CryptBot searches for includes… OS and hardware information”
- [T1555.003] Credentials from Web Browsers – It collects browser form data, cookies, login credentials, and related browser data. “Form data saved to the browser… Cookies… Browser history”
- [T1041] Exfiltration Over C2 Channel – Exfiltrates collected data to a C2 server and then deletes local copies. “The stolen data is exfiltrated back to the attacker and the folder containing the sent information is wiped from the victim’s machine.”
- [T1071.001] Web Protocols – C2 communications occur over HTTP(S) to domains such as the sample C2 address. “The victim’s data is stored in a zipped TXT file within the %Temp% directory. The malware then reaches out to the C2 server, which in the case of this sample, is located at ‘rygvpi61[.]top/index.php’.”
- [T1105] Ingress Tool Transfer – The malware contains a second hardcoded C2 used for downloading additional malware. “CryptBot contains a second hardcoded C2 that can be used for downloading additional malware.”
- [T1071.001] Web Protocols – The second hardcoded C2 (the download address) is likewise reached over HTTP(S). “This address can be seen in Figure 8… and targeted directories”
- [T1562.001] Impair Defenses – The latest variant drops several anti-analysis features present in earlier versions, while its obfuscation methods have changed. “The obfuscation methods used in this version also differ from older variants…”
Indicators of Compromise
- [Hash] – 53d8d466679a01953aab35947655a8c1a2ff3c19ac188e9f40e3135553cf7556
- [Filename] – 7ZipSfx.000 – Initial folder dropped into the Temp directory
- [Filename] – aeFdOLFszTz.dll – A legitimate copy of Microsoft Windows “ntdll.dll”
- [Filename] – Avevano.gif – BAT script
- [Filename] – Carne.gif – Obfuscated AutoIT script
- [Filename] – Raccontero.exe – AutoIT executable compiler
- [C2] – rygvpi61[.]top/index.php – Exfiltration address
- [C2] – gewuib08[.]top/download.php?file=scrods.exe – Download address
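The following Python script is an added example (not from the BlackBerry post or this summary) showing how a defender can turn the indicators above into two checks: matching the defanged C2 domains against proxy log lines, and flagging a 7ZipSfx.* folder in a user's Temp directory only when it holds the page's dropper component set rather than the folder name alone, since legitimate 7-Zip SFX installers also extract to 7ZipSfx.NNN. The proxy log lines and the Temp-directory listing are constructed sample data; the hash, domains and filenames are the ones listed on this page.

```python
import hashlib
import re
from pathlib import PureWindowsPath

# Indicators taken from the page. C2 domains stay defanged in the source and
# are refanged only in memory at match time.
CRYPTBOT_SHA256 = "53d8d466679a01953aab35947655a8c1a2ff3c19ac188e9f40e3135553cf7556"
DEFANGED_C2 = {
    "rygvpi61[.]top": "exfiltration",
    "gewuib08[.]top": "download",
}
# Components the dropper places in %Temp%\7ZipSfx.000 (filenames from the page).
DROPPER_COMPONENTS = {"aeFdOLFszTz.dll", "Avevano.gif", "Carne.gif", "Raccontero.exe"}


def refang(indicator: str) -> str:
    """Turn 'host[.]tld' / 'hxxp://' back into a form that can be matched."""
    return re.sub(r"\[\.\]", ".", indicator).replace("hxxp", "http")


C2_HOSTS = {refang(d): role for d, role in DEFANGED_C2.items()}


def scan_proxy_log(lines):
    """Return (line_no, host, role) for each line whose request host is a CryptBot C2.
    Only the host portion of the URL is compared, so a lookalike such as
    'notrygvpi61.top' or the domain appearing inside a path is not a hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = re.search(r"https?://([^/\s:]+)", line)
        if not m:
            continue
        host = m.group(1).lower()
        if host in C2_HOSTS:
            hits.append((n, host, C2_HOSTS[host]))
    return hits


def classify_temp_folder(paths):
    """Given file paths observed under a Temp directory, return the 7ZipSfx.* folders
    that contain at least three of the known dropper components. A bare 7ZipSfx.NNN
    folder is not enough: that name is the normal 7-Zip SFX extraction location."""
    by_folder = {}
    for p in paths:
        wp = PureWindowsPath(p)
        if wp.parent.name.lower().startswith("7zipsfx."):
            by_folder.setdefault(str(wp.parent), set()).add(wp.name)
    return {f for f, names in by_folder.items() if len(names & DROPPER_COMPONENTS) >= 3}


def sha256_matches(data: bytes) -> bool:
    """True when the SHA-256 of the given file contents equals the page's sample hash."""
    return hashlib.sha256(data).hexdigest() == CRYPTBOT_SHA256


# Constructed sample data (not real telemetry): two C2 requests, one benign
# request with the domain in the path, one lookalike host.
SAMPLE_PROXY_LOG = [
    "2022-03-10T14:02:11Z 10.0.0.23 POST http://rygvpi61.top/index.php 200 48213",
    "2022-03-10T14:02:15Z 10.0.0.23 GET http://gewuib08.top/download.php?file=scrods.exe 200 912333",
    "2022-03-10T14:03:01Z 10.0.0.41 GET https://www.example.com/rygvpi61.top 200 512",
    "2022-03-10T14:03:07Z 10.0.0.41 GET http://notrygvpi61.top/ 404 0",
]

# Constructed Temp listing: one folder with the full component set, one ordinary
# SFX extraction folder, one unrelated file.
SAMPLE_TEMP_LISTING = [
    r"C:\Users\victim\AppData\Local\Temp\7ZipSfx.000\aeFdOLFszTz.dll",
    r"C:\Users\victim\AppData\Local\Temp\7ZipSfx.000\Avevano.gif",
    r"C:\Users\victim\AppData\Local\Temp\7ZipSfx.000\Carne.gif",
    r"C:\Users\victim\AppData\Local\Temp\7ZipSfx.000\Raccontero.exe",
    r"C:\Users\victim\AppData\Local\Temp\7ZipSfx.001\setup.exe",
    r"C:\Users\victim\AppData\Local\Temp\readme.txt",
]


if __name__ == "__main__":
    for n, host, role in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"proxy line {n}: contact with CryptBot {role} C2 {host}")
    for folder in classify_temp_folder(SAMPLE_TEMP_LISTING):
        print(f"dropper component set found in {folder}")
```

The host-only comparison and the three-of-four component threshold are the two choices worth keeping when adapting this to real telemetry: substring matching on whole URLs produces false positives on lookalike domains, and matching on the 7ZipSfx.NNN folder name alone would flag every 7-Zip self-extracting installer.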
Read more: https://blogs.blackberry.com/en/2022/03/threat-thursday-cryptbot-infostealer