CryptBot within KMSPico Trojan

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Revision as of 15:33, 7 May 2023 by Azoundria (talk | contribs)
Jump to navigation Jump to search

Notice: This page is a freshly imported case study from the original repository. The original content was in a different format, and may not have relevant information for all sections. Please help restructure the content by moving information from the 'About' and 'General Prevention' sections to other sections, and add any missing information or sources you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!

CryptBot

The CryptBot is malware which can commonly be downloaded when pirating software, such as Windows license circumvention. Once downloaded, the software will report information from multiple programs including common cryptocurrency wallets. While multiple victims have lost funds, it's unclear and nearly impossible to determine how much was lost. No funds appear to be recovered.

This is a global/international case not involving a specific country.[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17][18][19][20]

About CryptBot

CryptBot is a "typical infostealer, capable of obtaining credentials for browsers, crypto currency wallets, browser cookies, credit cards, and creates screenshots of the infected system. All stolen data is bundled into a zip-file that is uploaded to the c2." "Cryptbot combines complex evasion techniques and a rather simple social-engineering based distribution strategy to produce an interesting method of attack that manages to stay relatively hidden in the current malware landscape."

"Cryptbot, an infostealer that takes victims’ cryptocurrency wallet and account credentials, was the most prolific malware family in the group, raking in almost half a million dollars in pilfered Bitcoin. Another prolific family is QuilClipper, a clipboard stealer or “clipper,” ranked eighth on the graph above. Clippers can be used to insert new text into the “clipboard” that holds text a user has copied, usually with the intent to paste elsewhere. Clippers typically use this functionality to detect when a user has copied a cryptocurrency address to which they intend to send funds — the clipper malware effectively hijacks the transaction by then substituting an address controlled by the hacker for the one copied by the user, thereby tricking the user into sending cryptocurrency to the hacker."

"Cryptbot is capable of collecting sensitive information from Atomic cryptocurrency wallet, Avast Secure web browser, Brave browser, Ledger Live cryptocurrency wallet, Opera Web Browser, Waves Client and Exchange cryptocurrency applications, Coinomi cryptocurrency wallet, Google Chrome web browser, Jaxx Liberty cryptocurrency wallet, Electron Cash cryptocurrency wallet, Electrum cryptocurrency wallet, Exodus cryptocurrency wallet, Monero cryptocurrency wallet, MultiBitHD cryptocurrency wallet, Mozilla Firefox web browser, CCleaner web browser, and Vivaldi web browser."

"CryptBot is an Infostealer that is being distributed through malicious websites disguised as software download pages. Because there are multiple malicious websites created and many of them appear on the top page when keywords such as cracks and serials of popular commercial software are entered in search engines, many users are subject to download the malware and run it. In addition, the sample uses the SFX packing, making difficult to distinguish between normal and malicious files, and changes occur multiple times a day."

"In this latest campaign, Cryptbot is delivered as a Trojan malware. Consistent with the ancient trojan horse, the info-stealer hides within legitimate software in order to be installed by its victims. Over its year of activity, it has been disguised as an installer of a free VPN application and as an installer of legitimate commercial software. Delivered either by itself or bundled with other malicious applications. For example, users looking for cracked versions of PhantomPDF editor, Adobe Illustrator or Malwarebytes AV have found themselves installing the info-stealer instead of their preferred programs. The sample we’ve encountered claimed to be an installer for the Glary Utilities suite that consists of several utilities for Windows optimization and cleanup."

"KMSPico is a tool used to activate the full features of Microsoft Windows and Office products without actually owning a license key. It takes advantage of Windows Key Management Services (KMS), a legitimate technology introduced to license Microsoft products in bulk across enterprise networks. Under normal circumstances, enterprises using legitimate KMS licensing install a KMS server in a central location and use Group Policy Objects (GPO) to configure clients to communicate with it. KMSPico, on the other hand, emulates a KMS server locally on the affected system to fraudulently activate the endpoint’s license."

"Since the KMSPico installer leverages Windows Key Management Services (KMS)—a legitimate technology used for bulk licensing across enterprise networks—some IT departments that actually had legitimate licenses reportedly used the illicit tool to activate their systems, inadvertently corrupting their systems with Cryptbot."

"Even when KMSPico isn’t tainted with malware, it’s not legitimate software either. In the best cases when someone gets the real installer, it’s only used for license circumvention. Since multiple antimalware vendors detect license circumvention software as a potentially unwanted program (PUP), KMSPico is often distributed with disclaimers and instructions to disable antimalware products before installing. Alongside the difficulty in finding a clean download, the disabling instructions prepare unwitting victims to receive malware."

In another attack, a "cyberthreat actor created a web site that promotes a fake VPN program that installs the Vidar and CryptBot password-stealing trojans." "When the trojans are downloaded, they will be executed and being to collect various information from the computer that will be uploaded to the attacker. This information includes saved browser credentials, cookies, screenshot of the desktop, text files, cryptocurrency wallets, and much more."

"While many may debate the morality of using pirated software, from a security perspective, the jury is out, it’s not worth the risk. Most pirated software available with their installers, keygens and cracks are binary files that are veritable “black boxes” for the majority of users. Thus, when installing pirated software, we never know what hides behind the executable. It may be a “harmless” crack or keygen that will manipulate a software to believe it is genuine, but on the contrary, it may also be an info-stealer, a browser hijacker or even a ransomware that may harm our digital lives and cause us to lose our digital data."

This is a global/international case not involving a specific country.

The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events.

Include:

  • Known history of when and how the service was started.
  • What problems does the company or service claim to solve?
  • What marketing materials were used by the firm or business?
  • Audits performed, and excerpts that may have been included.
  • Business registration documents shown (fake or legitimate).
  • How were people recruited to participate?
  • Public warnings and announcements prior to the event.

Don't Include:

  • Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
  • Anything that wasn't reasonably knowable at the time of the event.

There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page.

The Reality

This sections is included if a case involved deception or information that was unknown at the time. Examples include:

  • When the service was actually started (if different than the "official story").
  • Who actually ran a service and their own personal history.
  • How the service was structured behind the scenes. (For example, there was no "trading bot".)
  • Details of what audits reported and how vulnerabilities were missed during auditing.

What Happened

The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.

Key Event Timeline - CryptBot within KMSPico Trojan
Date Event Description
December 2nd, 2021 Main Event Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here.

Technical Details

This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited?

Total Amount Lost

The total amount lost is unknown.

How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?

Immediate Reactions

How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?

Ultimate Outcome

What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?

Total Amount Recovered

There do not appear to have been any funds recovered in this case.

What funds were recovered? What funds were reimbursed for those affected users?

Ongoing Developments

What parts of this case are still remaining to be concluded?

General Prevention Policies

The majority of CryptBot installations happen due to downloading pirated software, and it's commonly detected by most anti-malware software. For the highest security, always store funds offline when not in use, and test any new wallet or environment with a small amount of funds prior to any large transfer or wallet setup.

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. Fake KPSPico Windows activator tool KPSPico steals crypto wallet data (Jan 26, 2022)
  2. Meet the Malware Families Helping Hackers Steal and Mine Millions in Cryptocurrency - Chainalysis (Jan 29, 2022)
  3. CryptBot (Malware Family) (Jan 30, 2022)
  4. 40,000 CryptBot Downloads per Day | G DATA (Jan 30, 2022)
  5. Fake VPN Site Pushes CryptBot and Vidar Info-Stealing Trojans (Jan 30, 2022)
  6. KMSPico and Cryptbot: A spicy combo - Red Canary (Jan 30, 2022)
  7. https://redcanary.com/wp-content/uploads/2021/12/KMSPico-V5.pdf (Jan 30, 2022)
  8. Cryptbot: How Free becomes a High Price to Pay (Jan 30, 2022)
  9. CryptBot Trojan - Malware removal instructions (updated) (Jan 30, 2022)
  10. Hackers Are Disguising Cryptbot Malware as a Windows Activator | Tom's Hardware (Jan 30, 2022)
  11. MalwareBazaar | Browse malware samples (Jan 30, 2022)
  12. Spyware.CryptBot — How To Fix Guide (Jan 30, 2022)
  13. Data Stealing Cryptbot Malware Sneaks Onto Machines As Fake Windows Activator Tool | HotHardware (Jan 30, 2022)
  14. Windows Software Pirates Are Losing Their Bitcoin to Cryptbot Malware - Decrypt (Jan 30, 2022)
  15. @redcanary Twitter (Jan 30, 2022)
  16. Cryptbot Stealer Removal Report (Jan 30, 2022)
  17. Cyber threat alert: Pay for Windows or face the wrath of Cryptbot malware | Windows Central (Jan 30, 2022)
  18. Hackers hide Cryptbot malware in a popular utility - D1SoftballNews.com (Jan 30, 2022)
  19. CryptBot Infostealer Constantly Changing and Being Distributed - Malware Analysis - Malware Analysis, News and Indicators (Jan 30, 2022)
  20. https://cryptbot.net/security-png-transparent-picture/ (Jan 30, 2022)
Retrieved from "https://quadrigainitiative.com/cryptocurrencyhackscamfraudwiki/index.php?title=CryptBot_within_KMSPico_Trojan&oldid=4322"