Poking Holes in Crypto-Wallets: A Short Analysis of BHUNT Stealer

Bitdefender

January 19, 2022

Ever since the Bitcoin boom, cryptocurrencies have risen sharply in value year after year. Besides attracting more investment, this gain has increasingly motivated malicious actors to develop stealer malware specialized in gaining access to cryptocurrency wallets. Once they reach a wallet, they can freely and irreversibly transfer its funds to wallets under their own control. In the past year, security researchers have noticed a surge in such cryptocurrency stealers, including the well-known Redline Stealer and WeSteal.

Bitdefender researchers constantly monitor crypto-wallet stealers. This is how we spotted a dropper with a hidden file that ran from the \Windows\System32\ folder. The dropper always wrote the same file, mscrlib.exe, to disk. Our analysis determined that it is a new cryptocurrency stealer, but its execution flow differs from what we are used to seeing in the wild. We named the stealer BHUNT after the name of its main assembly. BHUNT is a modular stealer written in .NET, capable of exfiltrating wallet contents (Exodus, Electrum, Atomic, Jaxx, Ethereum, Bitcoin and Litecoin wallets), passwords stored in the browser, and passphrases captured from the clipboard.

In this article, we describe how we unpacked the executable files used in this campaign, present the malware's execution flow, and analyze each module to determine its capabilities.

Key findings

Bitdefender researchers discovered a new family of crypto-wallet stealer malware, dubbed BHUNT

  • Binaries are heavily protected (packed and encrypted) with the commercial protectors Themida and VMProtect
  • The identified samples carry digital signatures from a certificate issued to a software company, but the certificate does not match the binaries, so the signatures do not validate
  • Malware components specialize in stealing wallet files (wallet.dat and seed.seco), clipboard contents and the passphrases used to recover accounts
  • The malware uses encrypted configuration scripts that are downloaded from public Pastebin pages
  • Other components specialize in stealing passwords, cookies and other sensitive data stored by the Chrome and Firefox browsers
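As an added hunting example (not code from Bitdefender or from the whitepaper), the following PowerShell script checks a host for the artefact described above: a hidden executable under \Windows\System32\ named mscrlib.exe, or any hidden binary there whose Authenticode signature does not validate, which is how a mismatched certificate surfaces on an endpoint (a Status of HashMismatch, NotSigned or NotTrusted rather than Valid). It then reports whether the wallet files named in the findings exist on the host; the wallet locations it checks are assumed defaults, not something the article states.

```powershell
# Added hunting example (not Bitdefender's code). Looks for the BHUNT dropper artefact described
# in the article (a hidden mscrlib.exe under System32) and for any other hidden executable there
# whose Authenticode signature does not validate. The wallet file names (wallet.dat, seed.seco)
# come from the article; the wallet directories below are assumed default locations.

param(
    [string]$System32 = (Join-Path $env:SystemRoot 'System32')
)

# Hidden files are skipped by default; -Force includes them, -File limits the listing to files.
$hidden = Get-ChildItem -LiteralPath $System32 -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Attributes.HasFlag([IO.FileAttributes]::Hidden) } |
    Where-Object { $_.Extension -in '.exe', '.dll' }

$findings = foreach ($file in $hidden) {
    $sig = Get-AuthenticodeSignature -LiteralPath $file.FullName
    # A binary whose certificate "does not match" shows up as HashMismatch (signature block
    # taken from another file or file altered after signing), NotSigned or NotTrusted.
    [pscustomobject]@{
        Path      = $file.FullName
        SizeKB    = [math]::Round($file.Length / 1KB, 1)
        Created   = $file.CreationTimeUtc
        SigStatus = $sig.Status
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        KnownName = ($file.Name -ieq 'mscrlib.exe')   # file name reported in the article
    }
}

# Anything hidden in System32 that is not validly signed deserves a look; the known
# file name is a strong indicator on its own.
$suspicious = $findings | Where-Object { $_.KnownName -or $_.SigStatus -ne 'Valid' }
if ($suspicious) {
    $suspicious | Format-Table -AutoSize
} else {
    Write-Output "No hidden, unvalidated executables found under $System32"
}

# Scope what the stealer would be after on this host: the wallet files named in the findings.
$walletPaths = @(
    (Join-Path $env:APPDATA 'Bitcoin\wallet.dat'),               # assumed Bitcoin Core default
    (Join-Path $env:APPDATA 'Litecoin\wallet.dat'),              # assumed Litecoin Core default
    (Join-Path $env:APPDATA 'Exodus\exodus.wallet\seed.seco')    # assumed Exodus default
)
$walletPaths | Where-Object { Test-Path -LiteralPath $_ } |
    ForEach-Object { Write-Output "Wallet file present (at risk if this host is compromised): $_" }
```

Run it from an elevated prompt so that System32 is fully readable. Valid signatures on legitimate Microsoft binaries are filtered out; a hit with SigStatus HashMismatch and a non-Microsoft Signer is exactly the pattern the second finding describes and should be triaged before the host is trusted again.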

Recommendations

BHUNT exfiltrates cryptocurrency-wallet data and passwords for financial gain. Its code is straightforward, and its delivery method resembles that of existing, successful malware such as Redline Stealer.

  • Never install applications from untrusted sources
  • Keep your security solution up to date and never turn it off, especially when it blocks the installation of such software

Indicators of Compromise

An up-to-date and complete list of indicators of compromise is available to Bitdefender Advanced Threat Intelligence users. The currently known indicators of compromise can be found in the whitepaper below.

Download the full whitepaper
