BHUNT Malware Targets Crypto Wallets
Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment. Please feel free to contribute by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.
Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!
BHUNT is malware that spreads through downloads of unlicensed software such as operating systems. Once installed, it locates the wallet files of software wallets, monitors the clipboard, and steals browser data, among other actions. Wallets targeted include Exodus, Electrum, Atomic, Jaxx, Ethereum, Bitcoin, and Litecoin. It is unknown how many wallets have been compromised by this malware. There is no indication of any funds being recovered.
This is a global/international case not involving a specific country.[1][2][3][4][5][6][7][8][9][10][11][12]
https://thehackernews.com/2022/01/new-bhunt-password-stealer-malware.html
https://www.bitdefender.com/blog/labs/poking-holes-in-crypto-wallets-a-short-analysis-of-bhunt-stealer/
About BHUNT
BHUNT is modular software written in .NET and is often distributed through cracked software installers[13]. BHUNT uses commercial packers to produce encrypted binaries[13].
"‘BHUNT’ enters computers through pirated software installs"
"The company indicated the level of infections detected on a map, and the countries with the most infections presented were Australia, Egypt, Germany, India, Indonesia, Japan, Malaysia, Norway, Singapore, South Africa, Spain, and the U.S." "All our telemetry originated from home users"
"The malware works on top of installs of unsecured or cracked software, that already comes packaged with the system to be deployed on desktop environments."
"its presence is heavily encrypted and it is packaged as digitally signed software," "signed the malware executable with a digital signature stolen from Piriform, the makers of CCleaner." What makes this malware notable is that it is heavily encrypted and packaged as digitally signed software, which makes it less likely to be flagged as malware by security software on the victim's computer.
"BHUNT is injected into explorer.exe and is likely delivered to the compromised system via KMSpico downloads, a popular utility for illegally activating Microsoft products." "KMS (Key Management Services) is a Microsoft license activation system that software pirates frequently abuse to activate Windows and Office products."
The Reality
The malware searches for various crypto wallets and if found, encodes and uploads them to its command-and-control server[13]. It also performs a similar process for sensitive browser and clipboard information[13]. The malware campaign has infected systems worldwide, primarily targeting home users who are more likely to have cryptocurrency wallet software or cracked software installed[13].
A new cryptocurrency wallet stealer named BHUNT has been discovered in the wild, capable of stealing crypto wallets as well as passwords stored in browsers and the clipboard[13]. Once executed, it drops encrypted interim binaries that launch the main component of the stealer[13].
"Password stealers are not new to the PC sector, as computers can already be infected by various viruses that also have these capabilities. What is special about this software is that its presence is heavily encrypted and it is packaged as digitally signed software, but the issued certificate does not match with the binary of the program."
"Bitdefender, a cybersecurity and antivirus company, has detected BHUNT, a new kind of malware that targets cryptocurrency wallets via software installs. Once installed, the software extracts passphrases and seeds from popular wallets." "According to Bitdefender, a cyber security firm, a crypto-wallet stealing malware dubbed ‘BHUNT’ enters computers through pirated software installs, and attacks Exodus, Electrum, Atomic, Jaxx, Ethereum, Bitcoin, and Litecoin wallets."
"A new infostealer called BHUNT avoids detection with heavy encryption, being packed, and being signed with a stolen digital signature, and is stealing cryptocurrency wallet contents, passwords, and security phrases."
"The threat actors signed the malware executable with a digital signature stolen from Piriform, the makers of CCleaner. However, as the malware developers copied it from an unrelated executable, it's marked as invalid due to a binary mismatch."
What Happened
Multiple users were tricked into installing the BHUNT malware when they downloaded pirated software. This allowed the theft of cryptocurrency stored in any wallet on the system.
Date | Event | Description |
---|---|---|
January 22nd, 2022 | Main Event | Users who installed pirated software were infected with BHUNT, which exfiltrated wallet files, browser passwords, and clipboard contents to its command-and-control server. The number of affected wallets and the amount stolen are unknown. |
Technical Details
"Bitdefender researchers are constantly monitoring crypto wallet stealers. This is how we spotted a dropper with a hidden file that ran from the \Windows\System32\ folder. The dropper always wrote the same file, mscrlib.exe to the disk. Our analysis determined that it's a new cryptocurrency stealer, but its execution flow seems different from what we're used to seeing in the wild. We named the stealer BHUNT after the main assembly's name. BHUNT is a modular stealer written in .NET, capable of exfiltrating wallet (Exodus, Electrum, Atomic, Jaxx, Ethereum, Bitcoin, Litecoin wallets) contents, passwords stored in the browser, and passphrases captured from the clipboard."
"The main component of BHUNT is 'mscrlib.exe,' which extracts further modules that are launched on an infected system to perform different malicious behavior."
"BHUNT stealer exfiltrates information about cryptocurrency wallets and passwords, hoping for financial gain. Its code is straightforward and the delivery method is similar to that of existing successful malware, like Redline stealer."
“All our telemetry originated from home users who are more likely to have cryptocurrency wallet software installed on their systems. This target group is also more likely to install cracks for operating system software, which we suspect is the main infection source,” the company said in its report.
"To evade detection and triggering security warnings, BHUNT is packed and heavily encrypted using Themida and VMProtect, two virtual machine packers that hinder reverse-engineering and analysis by researchers."
"While the malware primarily focuses on stealing information related to cryptocurrency wallets, it can also harvest passwords and cookies stored in browser caches," explains Bitdefender's report.
"This might include account passwords for social media, banking, etc. that might even result in an online identity takeover."
"Once the threat actor gains access to the wallet's seed or configuration file, they can use it to import the wallet on their own devices and steal the contained cryptocurrency."
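The reports quoted above give a defender two concrete things to look for on a Windows host: a hidden executable written to \Windows\System32\ (the report names mscrlib.exe) and an Authenticode signature copied from an unrelated binary, which Windows reports as a hash mismatch rather than as a valid signature. The script below is an added example, not code from the wiki page, Bitdefender or Binary Defense; the file name and folder come from the quoted report, and the function name and output columns are this example's own choices. It requires Windows PowerShell run as Administrator and only reads files.

```powershell
# Added example (not from the wiki page or the cited vendors): hunt for hidden or
# reported-name executables in System32 and classify their Authenticode status.
# 'HashMismatch' means a real signature is embedded but does not cover this file's
# bytes, which is exactly the "binary mismatch" the BHUNT reports describe.

function Get-SuspiciousSystemBinary {
    param(
        [string]$Folder = (Join-Path $env:SystemRoot 'System32'),
        # File name taken from the quoted Bitdefender report; extend as you learn more.
        [string[]]$KnownNames = @('mscrlib.exe')
    )

    # Candidate set 1: hidden .exe/.dll files directly in the folder. Legitimate OS
    # components are not normally hidden, so every hit deserves a look.
    $hidden = Get-ChildItem -Path $Folder -File -Hidden -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.exe', '.dll' }

    # Candidate set 2: the reported file name, whether or not it is hidden.
    $named = foreach ($name in $KnownNames) {
        Get-Item -Path (Join-Path $Folder $name) -Force -ErrorAction SilentlyContinue
    }

    $candidates = @($hidden) + @($named) | Where-Object { $_ } | Sort-Object FullName -Unique

    foreach ($file in $candidates) {
        $sig = Get-AuthenticodeSignature -FilePath $file.FullName
        $reason = switch ($sig.Status) {
            'HashMismatch' { 'signature present but does not cover this file (copied from another binary)' }
            'NotSigned'    { 'unsigned executable in a system folder' }
            'NotTrusted'   { 'signed by a certificate the system does not trust' }
            'Valid'        { 'valid signature; confirm the signer is expected for this path' }
            default        { "signature status $($sig.Status)" }
        }
        [pscustomobject]@{
            Path            = $file.FullName
            Hidden          = [bool]($file.Attributes -band [IO.FileAttributes]::Hidden)
            KnownName       = $KnownNames -contains $file.Name
            SignatureStatus = $sig.Status
            Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            Sha256          = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
            LastWriteUtc    = $file.LastWriteTimeUtc
            Reason          = $reason
        }
    }
}

# Usage: list findings with hash-mismatched and reported-name files first. The SHA256
# column is what you would compare against published indicators or send to your AV vendor.
Get-SuspiciousSystemBinary |
    Sort-Object { $_.SignatureStatus -eq 'HashMismatch' }, KnownName -Descending |
    Format-Table Path, Hidden, KnownName, SignatureStatus, Signer, Sha256 -AutoSize
```

A hit with status Valid is not automatically clean (packed droppers can be legitimately signed by a stolen but still-valid key), and a file that the packer has removed from disk will not show up here at all, so treat the script as a quick triage aid alongside endpoint protection rather than as proof of absence.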
Total Amount Lost
The total amount lost is unknown.
Immediate Reactions
TBD
Ultimate Outcome
TBD
Total Amount Recovered
There do not appear to have been any funds recovered in this case.
Ongoing Developments
TBD
Individual Prevention Policies
Users can protect themselves by only downloading software from official sources, especially operating systems. The best protection for cryptocurrency wallets is offline storage such as a hardware wallet. Risks can be reduced further by keeping the majority of funds on a separate wallet from actively used funds. Multi-signature setups can also be employed by more advanced users.
Binary Defense advises users to use licensed software, employ endpoint security solutions, and store cryptocurrency wallet private keys securely to prevent theft[13]. "To avoid being infected by BHUNT, you should simply avoid downloading pirated software, cracks, and illegitimate product activators."
Any time untrusted software is run, there is an opportunity for abuse. It is recommended to always interact with cryptocurrency in a fully controlled environment, meaning an environment where you understand every piece of software running there. Using a hardware wallet, a spare computer with all software wiped, and/or a virtual machine with only the needed software greatly reduces your attack surface. Take the time to verify that downloaded files come from the correct and expected source and match the published hashes if provided. Any time you encounter a new file, check whether it can contain executable code before using it.
Store the majority of funds offline. Offline means that the private key and/or seed phrase is exclusively held by you and is not connected to any networked device. Examples of offline storage include paper wallets (seed phrase or key written down and deleted from all electronic media), hardware wallets, steel wallet devices, etc.
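The two habits described above, checking that a download matches the vendor's published hash and checking whether a file can carry executable code, can be made routine with a small script. The one below is an added example, not code from the wiki page; the function name, the extension list and the placeholder hash and publisher name are this example's own assumptions. It requires Windows PowerShell and changes nothing on disk.

```powershell
# Added example (not from the wiki page): check a downloaded file before it is ever run.
# The expected SHA-256 must come from the vendor's own site, not from the download mirror,
# otherwise an attacker who controls the mirror controls both the file and its "hash".

# Extensions that can carry executable code, plus containers that commonly hold it.
$script:ExecutableExtensions = @('.exe', '.msi', '.msix', '.scr', '.com', '.dll',
    '.bat', '.cmd', '.ps1', '.vbs', '.js', '.jse', '.wsf', '.hta', '.lnk', '.iso', '.zip')

function Test-DownloadedFile {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedSha256,
        # Substring expected in the signer certificate subject, e.g. the vendor's name (assumed).
        [Parameter(Mandatory)][string]$ExpectedPublisher
    )

    $file = Get-Item -Path $Path -ErrorAction Stop

    # 1. Can this file type carry executable code at all?
    $canCarryCode = $file.Extension -in $script:ExecutableExtensions

    # 2. Does the content match what the vendor published? PowerShell's -eq is
    #    case-insensitive, so upper/lower-case hex both work; Trim() tolerates pasted whitespace.
    $actualHash  = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
    $hashMatches = $actualHash -eq $ExpectedSha256.Trim()

    # 3. Is the signature valid for *this* file, and is the signer the expected vendor?
    #    'HashMismatch' is a real signature copied from another binary, the trait the
    #    BHUNT reports describe; a stolen key would show 'Valid' with the wrong subject.
    $sig              = Get-AuthenticodeSignature -FilePath $file.FullName
    $signer           = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    $signatureValid   = $sig.Status -eq 'Valid'
    $publisherMatches = $signatureValid -and ($signer -like "*$ExpectedPublisher*")

    # 4. Did it come from the internet? NTFS records that in the Zone.Identifier stream
    #    (mark of the web); SmartScreen and Office use the same marker.
    $zone = Get-Content -Path $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Path             = $file.FullName
        CanCarryCode     = $canCarryCode
        HashMatches      = $hashMatches
        ActualSha256     = $actualHash
        SignatureStatus  = $sig.Status
        Signer           = $signer
        PublisherMatches = $publisherMatches
        MarkOfTheWeb     = [bool]$zone
        ChecksPassed     = $hashMatches -and $publisherMatches
    }
}

# Usage (all three values are placeholders; substitute the real file, the hash copied
# from the vendor's site and the vendor's name as it appears in their certificate):
# Test-DownloadedFile -Path "$env:USERPROFILE\Downloads\installer.exe" `
#     -ExpectedSha256 '<sha256 from the vendor site>' -ExpectedPublisher 'Example Vendor'
```

ChecksPassed is deliberately an AND of the hash and publisher checks: a matching hash alone only proves you got the file the mirror intended to give you, and a valid signature alone only proves someone with a code-signing key signed it. Cracked installers and activators fail both checks by construction, which is the point of the policy above.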
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Increased user education can help in explaining proper security. Having an industry insurance fund can provide some relief for victims.
Never underestimate how little users of your service may know, or their tendency to skip past provided information. It is recommended to design a simple tutorial and quiz for new users which explains the basics of seed phrases, strong password generation, secure two-factor authentication, common fraud schemes, how ponzi schemes work, as well as other risks which are unique to the cryptocurrency space. This tutorial and quiz should ensure their understanding and be a standard part of the sign-up or download process which is difficult or impossible to skip.
Work with other industry platforms to set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
Increased user education can help in explaining proper security. Having an industry insurance fund can provide some relief for victims.
Create a standard tutorial and quiz for all new cryptocurrency participants, which is required to be completed once per participant. This tutorial and quiz should cover the basics of proper seed phrase protection, strong password generation, secure two-factor authentication, common fraud schemes, how to detect and guard against phishing attacks, how ponzi schemes work, as well as other risks which are unique to the cryptocurrency space.
Set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services within the country, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- [1] New BHUNT Malware Targets Cryptocurrency Wallets via Software Installs - Bitcoin News (Jan 24, 2022)
- [2] BHUNT malware targeting the crypto wallet of Indians - IN NEWS I Drishti IAS - YouTube (Jan 25, 2022)
- [3] BHUNT Infostealer Targeting Crypto Wallets | Cyber Protection Operation Center News - YouTube (Jan 25, 2022)
- [4] Poking Holes in Crypto-Wallets: A Short Analysis of BHUNT Stealer (Jan 25, 2022)
- [5] New 'BHUNT' malware steals your cryptocurrencies, most prevalent in India (Jan 25, 2022)
- [6] New BHUNT malware targets your crypto wallets and passwords (Jan 25, 2022)
- [7] New BHUNT Password Stealer Malware Targeting Cryptocurrency Wallets (Jan 25, 2022)
- [8] Specialized BHUNT Malware Targets Cryptocurrency Wallets (Jan 25, 2022)
- [9] https://www.bitdefender.com/files/News/CaseStudies/study/411/Bitdefender-PR-Whitepaper-CyberWallet-creat5874-en-EN.pdf (Jan 26, 2022)
- [10] BHUNT Stealer Targets Crypto Wallets, a New Report Shows (Jan 26, 2022)
- [11] New BHUNT Stealer targets cryptocurrency wallets - Security Affairs (Jan 26, 2022)
- [12] BHUNT password stealer targets crypto wallets through cracked software (Jan 26, 2022)
- [13] New BHUNT Password Stealer Malware Targeting Cryptocurrency Wallets - Binary Defense (Jan 26, 2022)