Several websites offering free downloads of cracks for games and professional software have detected a new version of the CryptBot info stealer in circulation. CryptBot is a Windows malware that collects stored browser credentials, cookies, browsing history, cryptocurrency wallets, credit cards, files, and other information from affected systems.
The current version includes new features and improvements, as well as the deletion of some previous tasks to make the malware tool simpler and more efficient. According to security experts at Ahn Lab, CryptBot is now one of the most moving harmful operations. Threat actors continually renew their C2, dropper sites, and the malware itself. Hence, CryptBot is one of the most fluctuating malicious operations.
CryptBot threat actors, as per the Ahn Lab report, transmit malware through websites posing as software crackers, key generators, or other applications. Threat actors use search engine optimization to place malware distribution sites towards the top of Google search results to attain widespread exposure, ensuring a steady stream of potential victims.
Threat actors employ both bespoke domains and websites hosted on Amazon AWS, as per screenshots posted of malware distribution sites. As harmful websites are updated regularly, there’s a range of ever-changing lures to get visitors to go to malware distribution sites.
Visitors to these sites are sent via a succession of pages before arriving at the delivery page; therefore, the landing page might be on a hacked genuine site exploited for SEO poisoning. In prior years, it has been seen that the same malware operators use false VPN sites to distribute CryptBot to victims. So, search engine exploitation isn’t a new tactic.
New samples of CryptBot signify that its authors intend to reduce its functionality and make the malware smaller, leaner, and less likely to be discovered. The anti-sandbox method has been eliminated in this context, leaving just the anti-VM CPU core count check in the most recent version. The unnecessary second C2 connection and second exfiltration folder have also been eliminated, leaving the new variation with just one info-stealing C2.
“The code shows that when sending files, the method of manually adding the sent file data to the header was changed to the method that uses simple API. user-agent value when sending was also modified,” clarifies the ASEC’s report. “The previous version calls the function twice to send each to a different C2, but in the changed version, one C2 URL is hard-coded in the function.”
The snapshot capability and the option of collecting data on TXT files on the desktop were removed by the CryptBot writers since they were too hazardous and may be easily spotted during exfiltration. As CryptBot mainly targets individuals looking for software cracks, warez, and other means of circumventing copyright protection, merely avoiding the download of these tools will stop infection by this and other malware.
