In the most recent CryptBot campaigns, the operators are using Search Engine Optimization (SEO) to push malicious sites to the top of Google results for the keywords they target. The sites are created and hosted on AWS and use several lures to draw visitors, including offers of cracked or pirated software. The CryptBot backend has changed as well: the newest version runs more smoothly and with a lower chance of detection. Additional changes made to CryptBot are listed below.
- The authors simplified the trojan's functionality, removing the anti-sandbox routine, the redundant second C2 connection, and two of the folders in which stolen information was staged before exfiltration.
- When sending files, the earlier tactic of manually appending the file data to the request header has been replaced with a simple API call, and the user-agent value has changed.
- The previous version called the send function twice, once for each of two C2 servers. The new version has a single hard-coded C2 URL inside the function.
- CryptBot's authors also removed the screenshot function and the option to collect TXT files from the desktop, both of which could easily be noticed during exfiltration.
- The new strain also adds targeted improvements for effectiveness: it now searches all file paths for browser user data, wherever it is stored, and collects it regardless of the installed Chrome version.
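The version-independent harvesting of Chrome user data described in the last point has a defensive counterpart: because the stealer no longer cares which Chrome build or profile directory it hits, a detection that keys on the version-neutral parts of the path catches it just as broadly. The following is an added example written for this page, not CryptBot's own code and not from the original report. It flags file-access events in which a non-browser process reads Chrome profile data (Login Data, Cookies, Web Data, History, Local State) under any "User Data" tree, regardless of install location, Chrome version or profile name. The "Image=... TargetFilename=..." event format and the sample events are constructed for the example; the file names and layout follow Chrome's standard User Data structure.

```python
"""Detection helper (added example, not CryptBot code): flag reads of Chrome
profile data by non-browser processes, independent of Chrome version,
install path or profile directory name."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Files inside a Chromium "User Data" tree that stealers read. "Local State"
# sits at the tree root and holds the DPAPI-wrapped key for the others.
SENSITIVE_FILES = {"login data", "cookies", "web data", "history", "local state"}

# Browser executables that legitimately touch these files (assumed allow-list).
BROWSER_IMAGES = {"chrome.exe", "chromium.exe", "msedge.exe", "brave.exe"}

# Matches "<anything>\User Data\<profile>\[Network\]<file>" or
# "<anything>\User Data\<file>". Nothing before "User Data" is constrained, so
# Google\Chrome, Chrome Beta, Chromium or a relocated install all match, and
# any profile directory name (Default, Profile 1, Guest Profile ...) is accepted.
CHROME_PATH_RE = re.compile(
    r"\\User Data\\(?:(?P<profile>[^\\]+)\\(?:Network\\)?)?(?P<file>[^\\]+)$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Alert:
    image: str
    profile: str
    file: str


def parse_event(line: str):
    """Parse one constructed 'Image=<exe> TargetFilename=<path>' event line.
    Returns (image, path), or None for lines that do not fit the format."""
    if not line.startswith("Image=") or " TargetFilename=" not in line:
        return None
    image, target = line[len("Image="):].split(" TargetFilename=", 1)
    return image.strip(), target.strip()


def classify(image: str, target: str):
    """Return an Alert if a non-browser process touched a sensitive Chrome file."""
    m = CHROME_PATH_RE.search(target)
    if not m or m.group("file").lower() not in SENSITIVE_FILES:
        return None
    exe = PureWindowsPath(image).name.lower()
    if exe in BROWSER_IMAGES:
        return None
    return Alert(exe, m.group("profile") or "<root>", m.group("file"))


def flag_chrome_credential_access(lines):
    """Run classify() over event lines and return the alerts in order."""
    alerts = []
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            continue
        alert = classify(*parsed)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample events (not real telemetry). The "setup_crack.exe" name
# stands in for a pirated-software lure and is hypothetical.
SAMPLE_EVENTS = [
    r"Image=C:\Program Files\Google\Chrome\Application\chrome.exe TargetFilename=C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"Image=C:\Users\bob\Downloads\setup_crack.exe TargetFilename=C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"Image=C:\Users\bob\Downloads\setup_crack.exe TargetFilename=C:\Users\bob\AppData\Local\Google\Chrome\User Data\Profile 1\Network\Cookies",
    r"Image=C:\Users\bob\Downloads\setup_crack.exe TargetFilename=C:\Users\bob\AppData\Local\Google\Chrome\User Data\Local State",
    r"Image=C:\Users\bob\Downloads\setup_crack.exe TargetFilename=C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Extensions\abcd\manifest.json",
    r"Image=C:\Windows\notepad.exe TargetFilename=C:\Users\bob\Documents\notes.txt",
]

if __name__ == "__main__":
    for a in flag_chrome_credential_access(SAMPLE_EVENTS):
        print(a)
```

Only the three reads by the non-browser process of Login Data, Cookies and Local State produce alerts; the browser's own read and the extension manifest read do not. Because the pattern anchors on "User Data" rather than on a specific install or profile directory, it stays valid across Chrome upgrades and for secondary profiles, which is exactly the ground the new strain covers.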