QUADRIGA INITIATIVE
CRYPTO WATCHDOG & FRAUD RECOVERY PLATFORM
A COMMUNITY-BASED, NOT-FOR-PROFIT
UNKNOWN
JANUARY 2022
GLOBAL
BHUNT
DESCRIPTION OF EVENTS

"Password stealers are not new to the PC sector, as computers can already be infected by various viruses that also have these capabilities. What is special about this software is that its presence is heavily encrypted and it is packaged as digitally signed software, but the issued certificate does not match with the binary of the program."
"Bitdefender, a cybersecurity and antivirus company, has detected BHUNT, a new kind of malware that targets cryptocurrency wallets via software installs. The malware works on top of installs of unsecured or cracked software, that already comes packaged with the system to be deployed on desktop environments. Once installed, the software extracts passphrases and seeds from popular wallets." "According to Bitdefender, a cyber security firm, a crypto-wallet stealing malware dubbed ‘BHUNT’ enters computers through pirated software installs, and attacks Exodus, Electrum, Atomic, Jaxx, Ethereum, Bitcoin, and Litecoin wallets."
"A new infostealer called BHUNT avoids detection with heavy encryption, being packed, and being signed with a stolen digital signature, and is stealing cryptocurrency wallet contents, passwords, and security phrases."
"The threat actors signed the malware executable with a digital signature stolen from Piriform, the makers of CCleaner. However, as the malware developers copied it from an unrelated executable, it's marked as invalid due to a binary mismatch."
"Bitdefender researchers are constantly monitoring crypto wallet stealers. This is how we spotted a dropper with a hidden file that ran from the \Windows\System32\ folder. The dropper always wrote the same file, mscrlib.exe, to the disk. Our analysis determined that this was a new cryptocurrency stealer, but its execution flow seems different from what we're used to seeing in the wild. We named the stealer BHUNT after the main assembly's name. BHUNT is a modular stealer written in .NET, capable of exfiltrating wallet (Exodus, Electrum, Atomic, Jaxx, Ethereum, Bitcoin, Litecoin wallets) contents, passwords stored in the browser, and passphrases captured from the clipboard."
"Bitdefender discovered that BHUNT is injected into explorer.exe and is likely delivered to the compromised system via KMSpico downloads, a popular utility for illegally activating Microsoft products." "KMS (Key Management Services) is a Microsoft license activation system that software pirates frequently abuse to activate Windows and Office products."
"The main component of BHUNT is 'mscrlib.exe,' which extracts further modules that are launched on an infected system to perform different malicious behavior."
"BHUNT stealer exfiltrates information about cryptocurrency wallets and passwords, hoping for financial gain. Its code is straightforward and the delivery method is similar to that of existing successful malware, like Redline stealer."
What makes this malware special is that it is heavily encrypted and it is packaged as digitally signed software, meaning that your computer won’t detect it as a form of malware. “All our telemetry originated from home users who are more likely to have cryptocurrency wallet software installed on their systems. This target group is also more likely to install cracks for operating system software, which we suspect is the main infection source,” the company said in its report.
"To evade detection and triggering security warnings, BHUNT is packed and heavily encrypted using Themida and VMProtect, two virtual machine packers that hinder reverse-engineering and analysis by researchers."
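The quoted reports above give a defender a small set of host-level traits to look for: a dropper that writes mscrlib.exe into \Windows\System32\, a binary carrying a signature that does not match its own hash, and injection into explorer.exe. The following Python triage pass is an added example and is not code from Bitdefender or from the Quadriga Initiative page. The event schema, the sample telemetry and the `unsigned_in_system32` heuristic are assumptions made for illustration; the signature status strings are modelled on the Status values that PowerShell's Get-AuthenticodeSignature reports (Valid, NotSigned, HashMismatch).

```python
"""Added example: correlate BHUNT-like host indicators over endpoint telemetry.

Not code from the Bitdefender report or the Quadriga Initiative page. The
Event schema and SAMPLE_EVENTS are constructed; real EDR/Sysmon fields differ.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import List

# Indicators named on the page; every other value in this file is constructed.
DROPPED_FILE = "mscrlib.exe"
SYSTEM32 = re.compile(r"^[a-z]:\\windows\\system32\\", re.IGNORECASE)
INJECTION_TARGET = "explorer.exe"


@dataclass
class Event:
    """One endpoint telemetry record (assumed schema, not a real EDR format)."""
    kind: str                   # "process_start", "file_write" or "inject"
    process: str                # image path of the acting process
    target: str = ""            # file written, or process injected into
    signature_status: str = ""  # modelled on Get-AuthenticodeSignature Status:
                                # Valid, NotSigned, HashMismatch, ...
    signer: str = ""            # subject of the signing certificate, if any


@dataclass
class Finding:
    rule: str
    process: str
    detail: str


def _basename(path: str) -> str:
    """Last path component, lower-cased, for Windows-style paths."""
    return path.rsplit("\\", 1)[-1].lower()


def triage(events: List[Event]) -> List[Finding]:
    """Emit one Finding per event that matches a BHUNT-style rule."""
    findings: List[Finding] = []
    for ev in events:
        status = ev.signature_status.lower()
        # A signature copied from another executable verifies the wrong hash,
        # so the file shows as signed but the status is HashMismatch.
        if ev.kind == "process_start" and status == "hashmismatch":
            findings.append(Finding("signature_hash_mismatch", ev.process,
                                    f"signed by {ev.signer!r} but signature does not cover this binary"))
        # Assumed heuristic: Microsoft ships System32 binaries signed, so an
        # unsigned executable running from there is worth a look.
        if ev.kind == "process_start" and status == "notsigned" and SYSTEM32.match(ev.process):
            findings.append(Finding("unsigned_in_system32", ev.process,
                                    "unsigned executable running from System32"))
        # The page's named artefact: mscrlib.exe written into System32.
        if ev.kind == "file_write" and _basename(ev.target) == DROPPED_FILE and SYSTEM32.match(ev.target):
            findings.append(Finding("system32_dropper", ev.process, f"wrote {ev.target}"))
        # Injection into explorer.exe as reported by Bitdefender.
        if ev.kind == "inject" and _basename(ev.target) == INJECTION_TARGET:
            findings.append(Finding("explorer_injection", ev.process, f"injected into {ev.target}"))
    return findings


def correlate(findings: List[Finding], threshold: int = 2) -> List[str]:
    """Processes that tripped at least `threshold` distinct rules, sorted."""
    rules_by_process = defaultdict(set)
    for f in findings:
        rules_by_process[f.process].add(f.rule)
    return sorted(p for p, rules in rules_by_process.items() if len(rules) >= threshold)


# Constructed sample telemetry: a cracked activator dropping the stealer,
# plus two benign events that must not fire.
SAMPLE_EVENTS = [
    Event("process_start", r"C:\Users\alice\Downloads\KMSpico_setup.exe",
          signature_status="HashMismatch", signer="Piriform Ltd"),
    Event("file_write", r"C:\Users\alice\Downloads\KMSpico_setup.exe",
          target=r"C:\Windows\System32\mscrlib.exe"),
    Event("process_start", r"C:\Windows\System32\mscrlib.exe", signature_status="NotSigned"),
    Event("inject", r"C:\Windows\System32\mscrlib.exe", target=r"C:\Windows\explorer.exe"),
    Event("process_start", r"C:\Program Files\Vendor\app.exe",
          signature_status="Valid", signer="Vendor Inc"),
    Event("file_write", r"C:\Windows\System32\svchost.exe", target=r"C:\Windows\Temp\cache.tmp"),
]


if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for f in found:
        print(f"[{f.rule}] {f.process}: {f.detail}")
    print("escalate:", correlate(found))
```

On the sample data both the activator and mscrlib.exe trip two rules each and are escalated, while the validly signed vendor binary and the svchost temp-file write produce nothing. The point of the correlation step is that no single rule here is conclusive on its own; a hash mismatch alone can come from a corrupted download, and legitimate installers write to System32.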
"While the malware primarily focuses on stealing information related to cryptocurrency wallets, it can also harvest passwords and cookies stored in browser caches," explains Bitdefender's report.
"This might include account passwords for social media, banking, etc. that might even result in an online identity takeover."
"Once the threat actor gains access to the wallet's seed or configuration file, they can use it to import the wallet on their own devices and steal the contained cryptocurrency."
"The company indicated the level of infections detected on a map, and the countries with the most infections presented were Australia, Egypt, Germany, India, Indonesia, Japan, Malaysia, Norway, Singapore, South Africa, Spain, and the U.S."
"To avoid being infected by BHUNT, you should simply avoid downloading pirated software, cracks, and illegitimate product activators." "Prevent app installation from untrusted sources. Never turn off your security software and look out for blocked installations. Keep your security software up-to-date."
BHUNT is a form of malware that distributes itself through downloads of unlicensed software such as operating systems. Once installed, the malware finds wallet files for software wallets, monitors the clipboard, and steals browser data, among other things. Wallets targeted include Exodus, Electrum, Atomic, Jaxx, Ethereum, Bitcoin, and Litecoin. It is unknown how many wallets have been exploited by this new malware; however, there is no indication of any funds being recovered.
HOW COULD THIS HAVE BEEN PREVENTED?
In the case of BHUNT malware, most sources report that users can protect themselves by only downloading software from official sources, especially avoiding pirated operating systems. The best protection for cryptocurrency wallets is offline storage. Keep the majority of funds in a separate wallet from actively used funds, and never transfer all funds into a new environment without first testing it with a smaller wallet or a small test transfer. More advanced users can employ multi-signature setups for additional protection.
New BHUNT Malware Targets Cryptocurrency Wallets via Software Installs – Bitcoin News (Jan 24)
BHUNT malware targeting the crypto wallet of Indians - IN NEWS I Drishti IAS - YouTube (Jan 25)
BHUNT Infostealer Targeting Crypto Wallets | Cyber Protection Operation Center News - YouTube (Jan 25)
Poking Holes in Crypto-Wallets: A Short Analysis of BHUNT Stealer (Jan 25)
New 'BHUNT' malware steals your cryptocurrencies, most prevalent in India (Jan 25)
New BHUNT malware targets your crypto wallets and passwords (Jan 25)
New BHUNT Password Stealer Malware Targeting Cryptocurrency Wallets (Jan 25)
Specialized BHUNT Malware Targets Cryptocurrency Wallets (Jan 25)
https://www.bitdefender.com/files/News/CaseStudies/study/411/Bitdefender-PR-Whitepaper-CyberWallet-creat5874-en-EN.pdf (Jan 26)
BHUNT Stealer Targets Crypto Wallets, a New Report Shows (Jan 26)
New BHUNT Stealer targets cryptocurrency wallets - Security Affairs (Jan 26)
BHUNT password stealer targets crypto wallets through cracked software (Jan 26)
New BHUNT Password Stealer Malware Targeting Cryptocurrency Wallets - Binary Defense (Jan 26)
