A new cryptocurrency wallet stealer named BHUNT has been spotted in the wild, adding to an ever-growing list of digital currency stealing malware. More than just crypto wallets, BHUNT is also able to steal passwords stored in browsers like Google Chrome and Mozilla Firefox, as well as passwords currently stored in the clipboard of the victim system.
BHUNT is a modular stealer written in .NET and is believed to be included with fake cracked software installers, such as Windows activator software. Once this malicious installer is executed, it drops heavily encrypted interim binaries that are used to launch the main component of the BHUNT stealer. BHUNT has been seen using commercial packers such as Themida and VMProtect to create these encrypted binaries. Once these interim binaries are executed, the BHUNT malware is unpacked and ran. The malware looks for the existence of various crypto wallets including Exodus, Electrum, Atomic, Jaxx, Ethereum, Bitcoin, and Litecoin. If any crypto wallet files are found, the malware will base64 encode them and upload them to its command-and-control (C2) server. The BHUNT malware then also does a similar step of encoding and uploading any sensitive browser or clipboard information discovered.
The malware campaign has no specific target country or organization, having infected systems across the world. However, telemetry data has shown that almost all the infected systems originate from home users, who are more likely to have cryptocurrency wallet software installed on their systems or use cracked software.
Analyst Notes
It is highly recommended to only use official and properly licensed software on all devices. Besides the legal ramifications of using it, pirated software installers are commonly used to spread malware and infect systems with anything from stealer malware to ransomware. Likewise, it is important to use appropriate endpoint security solutions on systems and keep them up to date. This will help prevent malware from infecting a system before it can perform any malicious activities. Finally, it is recommended to store cryptocurrency wallet private keys offline, either on a non-Internet connected device or in a hardware wallet. With the rise of Bitcoin, threat actors are increasingly writing malware to steal cryptocurrency wallet files, so making sure they are securely stored is crucial to help prevent them from siphoning all of the currency out of an account.
https://thehackernews.com/2022/01/new-bhunt-password-stealer-malware.html
https://www.bitdefender.com/blog/labs/poking-holes-in-crypto-wallets-a-short-analysis-of-bhunt-stealer/
