Security researchers from Ahn Lab report they have observed a new version of CryptBot, which is a malware for Windows systems with Chrome browsers that steals information from its host device. This information typically includes browser credentials and history, cookies, cryptocurrency wallets and credit cards.
The latest version of CryptBot is primarily found on websites offering free downloads of cracked games and other types of software. It has new capabilities, and the authors have also optimized it by removing older functions to make CryptBot leaner and more efficient. Ahn Lab also reports that CryptBot campaigns are evolving rapidly, as threat actors are constantly changing its command and control (C2) servers and dropper sites as well as CryptBot itself.
Threat actors typically distribute CryptBot through websites claiming to offer utilities like software cracks and key generators. While these utilities may do what they claim, they’re also infected with CryptBot.
Actors host these websites on both custom domains and Amazon Web Services (AWS), Amazon’s on-demand cloud-computing platform. They also use search engine optimization (SEO) techniques to improve the Google rankings of their distribution sites. This strategy provides CryptBot with greater visibility, ensuring it receives a steady supply of prospective victims.
Actors are constantly refreshing their CryptBot distribution sites, so there are always new sites to attract visitors. Once visitors reach the site’s landing page, the site redirects them multiple times before sending them to CryptBot’s delivery page. In some cases, the landing page is on a legitimate site with a high search ranking that’s been compromised, usually for the purpose of conducting SEO poisoning attacks. SEO abuse isn’t a new tactic for CryptBot’s operators, as they’ve been delivering CryptBot with fake virtual private network (VPN) sites for years.
The ability to function on all versions of Chrome is one of the biggest improvements in the latest version of CryptBot and probably the fix with the highest priority for its authors. Previous versions could only exfiltrate data for versions of Chrome between 81 and 95 because they only looked for user data in certain file paths. These versions of CryptBot would return an error if the actual file paths were different from the ones specified by the author. Google deployed version 96 of Chrome in November 2021, so CryptBot has been ineffective against most of its intended targets for the past three months. CryptBot now searches for user data in all file paths on the host system, allowing it to exfiltrate data regardless of its location.
The latest version of CryptBot shows that its authors also want to make it lighter, most likely for the purposes of making it harder to detect and easier to maintain. For example, they have removed CryptBot’s anti-sandbox routine, leaving only the CPU core count check as protection against sandboxing on a virtual machine (VM). CryptBot’s authors also removed a redundant C2 connection and exfiltration folder, leaving a single C2 server to steal information from the host device.
Furthermore, CryptBot previously added data to a header before sending it to the C2 server. Authors have changed that method to an application programming interface (API), which is less prone to error. They also modified the user-agent value CryptBot uses when sending data. In addition, authors have hard-coded the C2 URL instead of sending data to two C2 servers. Other changes include the removal of the screenshot function and collection of data from TXT files, both of which incur a high risk of detection.
CryptBot is almost always found on sites offering tools to defeat copyright protection. The best way to protect yourself from it is to simply refrain from downloading these tools. Anti-malware solutions can also provide protection against CryptBot and other types of malware.