BHUNT Malware Targets Crypto Wallets

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Revision as of 10:41, 28 January 2023 by Azoundria

Notice: This page is a freshly imported case study from the original repository. The original content was in a different format, and may not have relevant information for all sections. Please help restructure the content by moving information from the 'About' section to other sections, and add any missing information or sources you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

BHUNT

BHUNT is a form of malware which distributes itself through downloads of unlicensed software such as operating systems. Once installed, the malware will find any wallet files for software wallets, monitor the clipboards, steal browser data, among various other measures. Wallets targeted include Exodus, Electrum, Atomic, Jaxx, Ethereum, Bitcoin, and Litecoin. It's unknown how many wallets have been exploited due to this new malware, however there is no indication of any funds being recovered.

This is a global/international case not involving a specific country.

About BHUNT

"Password stealers are not new to the PC sector, as computers can already be infected by various viruses that also have these capabilities. What is special about this software is that its presence is heavily encrypted and it is packaged as digitally signed software, but the issued certificate does not match with the binary of the program."

"Bitdefender, a cybersecurity and antivirus company, has detected BHUNT, a new kind of malware that targets cryptocurrency wallets via software installs. The malware works on top of installs of unsecured or cracked software, that already comes packaged with the system to be deployed on desktop environments. Once installed, the software extracts passphrases and seeds from popular wallets." "According to Bitdefender, a cyber security firm, a crypto-wallet stealing malware dubbed ‘BHUNT’ enters computers through pirated software installs, and attacks Exodus, Electrum, Atomic, Jaxx, Ethereum, Bitcoin, and Litecoin wallets."

"A new infostealer called BHUNT avoids detection with heavy encryption, being packed, and being signed with a stolen digital signature, and is stealing cryptocurrency wallet contents, passwords, and security phrases."

"The threat actors signed the malware executable with a digital signature stolen from Piriform, the makers of CCleaner. However, as the malware developers copied it from an unrelated executable, it's marked as invalid due to a binary mismatch."

"Bitdefender researchers are constantly monitoring crypto wallet stealers. This is how we spotted a dropper with a hidden file that ran from the \Windows\System32\ folder. The dropper always wrote the same file, mscrlib.exe, to the disk. Our analysis determined that it was a new cryptocurrency stealer, but its execution flow seems different from what we're used to seeing in the wild. We named the stealer BHUNT after the main assembly's name. BHUNT is a modular stealer written in .NET, capable of exfiltrating wallet (Exodus, Electrum, Atomic, Jaxx, Ethereum, Bitcoin, Litecoin wallets) contents, passwords stored in the browser, and passphrases captured from the clipboard."

"Bitdefender discovered that BHUNT is injected into explorer.exe and is likely delivered to the compromised system via KMSpico downloads, a popular utility for illegally activating Microsoft products." "KMS (Key Management Services) is a Microsoft license activation system that software pirates frequently abuse to activate Windows and Office products."

"The main component of BHUNT is 'mscrlib.exe,' which extracts further modules that are launched on an infected system to perform different malicious behavior."
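The reports above give a defender two concrete things to look for: the dropped file mscrlib.exe in \Windows\System32\ (written hidden), and an executable carrying a Piriform signature that fails validation because the certificate was copied from an unrelated binary. The following PowerShell hunt is an added example, not code from the page or from Bitdefender; it assumes Windows PowerShell 5.1 or later, and the variable names and the decision to flag NotTrusted alongside HashMismatch are the example's own choices.

```powershell
# Added example (not from the original page or Bitdefender's report): hunt for the
# artifacts described in the BHUNT analysis. Assumptions: Windows PowerShell 5.1+,
# and that System32 is the only location worth checking for the dropped file.

$Sys32         = Join-Path $env:SystemRoot 'System32'
$DroppedName   = 'mscrlib.exe'   # file name the reports say the dropper always writes
$SignerPattern = 'Piriform'      # signer whose certificate the reports say was abused

# 1. Dropped file: present at all, and does it carry the Hidden attribute the dropper set?
#    -Force is required so that hidden files are returned.
Get-ChildItem -Path $Sys32 -Filter $DroppedName -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Finding = 'Dropped file present'
            Path    = $_.FullName
            Hidden  = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
            Created = $_.CreationTime
        }
    }

# 2. Signature abuse: a certificate lifted from another binary yields a signature that
#    is present but does not match the file. Get-AuthenticodeSignature reports that as
#    HashMismatch; NotTrusted is included because a stolen or revoked chain also fails.
#    Anything signed by the abused publisher inside System32 is reported for review too.
Get-ChildItem -Path $Sys32 -Filter '*.exe' -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig     = Get-AuthenticodeSignature -FilePath $_.FullName
        $status  = $sig.Status.ToString()
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

        if ($status -in @('HashMismatch', 'NotTrusted') -or $subject -match $SignerPattern) {
            [pscustomobject]@{
                Finding = "Signature status $status"
                Path    = $_.FullName
                Signer  = $subject
                Hidden  = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
            }
        }
    }
```

Run it in an elevated session so every file in System32 is readable; pipe the output to Export-Csv to keep a record for the incident.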

"BHUNT stealer exfiltrates information about cryptocurrency wallets and passwords, hoping for financial gain. Its code is straightforward and the delivery method is similar to that of existing successful malware, like Redline stealer."

What makes this malware special is that it is heavily encrypted and it is packaged as digitally signed software, meaning that your computer won’t detect it as a form of malware. “All our telemetry originated from home users who are more likely to have cryptocurrency wallet software installed on their systems. This target group is also more likely to install cracks for operating system software, which we suspect is the main infection source,” the company said in its report.

"To evade detection and triggering security warnings, BHUNT is packed and heavily encrypted using Themida and VMProtect, two virtual machine packers that hinder reverse-engineering and analysis by researchers."

"While the malware primarily focuses on stealing information related to cryptocurrency wallets, it can also harvest passwords and cookies stored in browser caches," - explains Bitdefender's report.

"This might include account passwords for social media, banking, etc. that might even result in an online identity takeover."

"Once the threat actor gains access to the wallet's seed or configuration file, they can use it to import the wallet on their own devices and steal the contained cryptocurrency."

"The company indicated the level of infections detected on a map, and the countries with the most infections presented were Australia, Egypt, Germany, India, Indonesia, Japan, Malaysia, Norway, Singapore, South Africa, Spain, and the U.S."

"To avoid being infected by BHUNT, you should simply avoid downloading pirated software, cracks, and illegitimate product activators." "Prevent app installation from untrusted sources. Never turn off your security software and look out for blocked installations. Keep your security software up-to-date."


The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events.

Include:

  • Known history of when and how the service was started.
  • What problems does the company or service claim to solve?
  • What marketing materials were used by the firm or business?
  • Audits performed, and excerpts that may have been included.
  • Business registration documents shown (fake or legitimate).
  • How were people recruited to participate?
  • Public warnings and announcements prior to the event.

Don't Include:

  • Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
  • Anything that wasn't reasonably knowable at the time of the event.

There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page.

The Reality

This section is included if a case involved deception or information that was unknown at the time. Examples include:

  • When the service was actually started (if different than the "official story").
  • Who actually ran a service and their own personal history.
  • How the service was structured behind the scenes. (For example, there was no "trading bot".)
  • Details of what audits reported and how vulnerabilities were missed during auditing.

What Happened

The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.

Key Event Timeline - BHUNT Malware Targets Crypto Wallets

Date: January 22nd, 2022 12:00:00 AM
Event: Main Event
Description: Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here.

Total Amount Lost

The total amount lost is unknown.

How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?

Immediate Reactions

How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?

Ultimate Outcome

What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?

Total Amount Recovered

There do not appear to have been any funds recovered in this case.

What funds were recovered? What funds were reimbursed for those affected users?

Ongoing Developments

What parts of this case are still remaining to be concluded?

Prevention Policies

In the case of BHUNT malware, most sources report that users can protect themselves by only downloading software from official sources, especially avoiding pirated operating systems. The best protection for cryptocurrency wallets is offline storage. Keep the majority of funds in a separate wallet from actively used funds, and never move all funds into a new environment without first testing it with a smaller wallet or a small transfer. Multi-signature setups can be employed to add additional protection for more advanced users.

References

New BHUNT Malware Targets Cryptocurrency Wallets via Software Installs – Bitcoin News (Jan 24)

BHUNT malware targeting the crypto wallet of Indians - IN NEWS I Drishti IAS - YouTube (Jan 25)

BHUNT Infostealer Targeting Crypto Wallets | Cyber Protection Operation Center News - YouTube (Jan 25)

Poking Holes in Crypto-Wallets: A Short Analysis of BHUNT Stealer (Jan 25)

New 'BHUNT' malware steals your cryptocurrencies, most prevalent in India (Jan 25)

New BHUNT malware targets your crypto wallets and passwords (Jan 25)

New BHUNT Password Stealer Malware Targeting Cryptocurrency Wallets (Jan 25)

Specialized BHUNT Malware Targets Cryptocurrency Wallets (Jan 25)

https://www.bitdefender.com/files/News/CaseStudies/study/411/Bitdefender-PR-Whitepaper-CyberWallet-creat5874-en-EN.pdf (Jan 26)

BHUNT Stealer Targets Crypto Wallets, a New Report Shows (Jan 26)

New BHUNT Stealer targets cryptocurrency wallets - Security Affairs (Jan 26)

BHUNT password stealer targets crypto wallets through cracked software (Jan 26)

New BHUNT Password Stealer Malware Targeting Cryptocurrency Wallets - Binary Defense (Jan 26)