A new cryptocurrency wallet stealer named BHUNT has been spotted in the wild, adding to an ever-growing list of digital currency stealing malware. More than just crypto wallets, BHUNT is also able to steal passwords stored in browsers like Google Chrome and Mozilla Firefox, as well as passwords currently stored in the clipboard of the victim system.
BHUNT is a modular stealer written in .NET and is believed to be bundled with fake cracked software installers, such as Windows activator software. Once the malicious installer is executed, it drops heavily encrypted interim binaries that are used to launch the main component of the BHUNT stealer. BHUNT has been seen using commercial packers such as Themida and VMProtect to create these encrypted binaries. Once the interim binaries are executed, the BHUNT payload is unpacked and run. The malware looks for the presence of various crypto wallets, including Exodus, Electrum, Atomic, Jaxx, Ethereum, Bitcoin, and Litecoin. If any crypto wallet files are found, the malware base64-encodes them and uploads them to its command-and-control (C2) server. BHUNT then encodes and uploads any sensitive browser or clipboard data it has discovered in the same way.
The malware campaign has no specific target country or organization, having infected systems across the world. However, telemetry data has shown that almost all the infected systems originate from home users, who are more likely to have cryptocurrency wallet software installed on their systems or use cracked software.