[MART] - Daily Diary #435 - Meet BHUNT, a New Crypto/Password Stealer

CTAS-MAT ctas-mat at appgate.com
Thu Jan 20 19:33:23 UTC 2022


Hello,
I hope everyone is doing well!

Below is the entry for today.

20/01/2021 - Diary entry #435

Researchers disclosed new malware this week, dubbed BHUNT and written in .NET. BHUNT campaigns were spotted in several countries around the globe, including Australia, Egypt, Germany, Japan, India and the US.

BHUNT payloads are distributed along with cracking tools, like KMSPico (used to crack Microsoft products). Those payloads are also heavily obfuscated, using the Themida and VMProtect packers to make detection and analysis very hard. The binary is also invalidly signed using a Piriform (CCleaner) certificate, probably copied from another binary.

Similar to most botnets, BHUNT is modular. It receives modules from the C&C server to steal cryptowallets, browser-stored passwords, clipboard content, and more. The main focus of this threat seems to be stealing cryptocurrencies from cryptowallets, currently targeting 3 very common currencies: Bitcoin, Litecoin, and Ethereum, but also some very unusual currencies: Exodus, Electrum, Atomic, Jaxx. Among the modules, we can also find one created to clean the malware traces from the machine, which can be executed after a successful attack.

Kind Regards,

Felipe Duarte Domingues
Security Researcher
Appgate

E: felipe.duarte at appgate.com
O: +55 19 98840 2509
