Crypto Wallet Stealer BHUNT


The malware can read out cryptocurrency wallet information and access data for online identities. Bitdefender warns of the new crypto wallet stealer BHUNT, which targets users worldwide.

Bitdefender Labs experts have identified a new family of crypto-wallet-stealing malware, BHUNT. On the one hand, it can steal cryptocurrency information from a victim's digital wallet, which ultimately allows the attackers to freely and irrevocably transfer cryptocurrency to wallets they control. On the other hand, it also targets private access data such as passwords, passphrases and login information stored in the web browser, both for online banking and for social media profiles. Bitdefender Labs has been monitoring the global wallet stealer campaign since October 2021.

Bitcoin, Electrum, Ethereum and more

With BHUNT, attackers can exfiltrate information about Atomic, Bitcoin, Electrum, Ethereum, Exodus, Jaxx and Litecoin wallets from the clipboard. They can also extract login data and passwords from web browsers such as Firefox and Chrome, as well as passphrases that users have copied to the clipboard. All of this causes irreparable financial damage to the victim.

Fast takeaway: identity theft

Although the cyber criminals primarily aim to steal crypto money, they are also looking for private access data: BHUNT can also read login data and cookies that users have saved in their web browsers, for example for their bank and social media accounts. This can also lead to identity theft.

Germany also affected

So far, the campaign has not had a geographic focus, as Bitdefender telemetry shows: "Especially when using cracked operating systems, the number of unreported cases can be high because the owners have either not installed antivirus software or have turned it off," says Botezatu.

Further insights at a glance

  • What is unique about BHUNT is its execution flow (the path the code of an application takes as it runs), which differs from known patterns.
  • The malware uses VMProtect and Themida as packers. These in turn use a software virtual machine to emulate parts of the code on a virtual CPU with a different instruction set than conventional processors, which makes reverse engineering extremely difficult.
  • The malware uses encrypted configuration scripts downloaded from public pastebin sites.
  • The BHUNT samples examined appear to be signed with a digital certificate. This certificate was issued to a software company, but does not match the binaries.
  • The servers responsible for exfiltration use Hopto.org, a dynamic DNS service that can point a domain name to changing IP addresses, thereby masking the IP addresses behind it.
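Two of the behaviours listed above (fetching configuration from public pastebin sites and talking to hosts under the Hopto.org dynamic DNS domain) are visible in ordinary web proxy logs. The following Python script is an added example written from the defender's side; it is not code from Bitdefender or from the article. It scans constructed proxy log lines for both behaviours and flags any client that shows both, which is a stronger signal than either alone. The log format, the client addresses, the host names and the paste id are constructed placeholders, and the pastebin domains are assumed examples of "public pastebin sites" rather than indicators taken from the article.

```python
"""Triage helper: flag proxy log entries that match BHUNT-style network behaviour."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set
from urllib.parse import urlsplit

# hopto.org is the dynamic DNS provider named in the article. The paste-site
# domains are an assumption (examples of "public pastebin sites"); extend both
# tuples from your own threat intelligence.
DYNAMIC_DNS_SUFFIXES = ("hopto.org",)
PASTE_SITE_SUFFIXES = ("pastebin.com", "paste.ee")  # assumption

# Constructed proxy log format: <timestamp> <client ip> <method> <url> <status>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})\s*$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    host: str
    reason: str  # "paste-site-fetch" or "dynamic-dns-contact"


def _host_matches(host: str, suffixes: Iterable[str]) -> bool:
    """True if host equals one of the suffixes or is a subdomain of one.

    The explicit dot boundary prevents 'notpastebin.com' matching 'pastebin.com'.
    """
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def classify_url(url: str) -> Optional[str]:
    """Return the alert reason for a URL, or None if it is not of interest."""
    host = urlsplit(url).hostname
    if not host:
        return None
    if _host_matches(host, PASTE_SITE_SUFFIXES):
        return "paste-site-fetch"
    if _host_matches(host, DYNAMIC_DNS_SUFFIXES):
        return "dynamic-dns-contact"
    return None


def scan_proxy_log(lines: Iterable[str]) -> List[Alert]:
    """Parse each log line and emit an Alert for every matching request."""
    alerts: List[Alert] = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # malformed lines are skipped, not treated as hits
        reason = classify_url(m["url"])
        if reason:
            host = urlsplit(m["url"]).hostname.lower()
            alerts.append(Alert(m["ts"], m["src"], host, reason))
    return alerts


def correlate(alerts: Iterable[Alert]) -> Set[str]:
    """Clients that both fetched a paste and contacted a dynamic DNS host."""
    seen: Dict[str, Set[str]] = {}
    for a in alerts:
        seen.setdefault(a.src, set()).add(a.reason)
    needed = {"paste-site-fetch", "dynamic-dns-contact"}
    return {src for src, reasons in seen.items() if needed <= reasons}


# Constructed sample log; addresses, host names and the paste id are placeholders.
SAMPLE_LOG = [
    "2021-10-14T09:12:03Z 10.0.0.17 GET https://pastebin.com/raw/PLACEHOLDER 200",
    "2021-10-14T09:12:07Z 10.0.0.17 POST http://example-node.hopto.org/upload 200",
    "2021-10-14T09:13:40Z 10.0.0.23 GET https://www.example.com/ 200",
    "2021-10-14T09:14:02Z 10.0.0.23 GET https://notpastebin.com/ 200",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    found = scan_proxy_log(SAMPLE_LOG)
    for a in found:
        print(f"{a.ts} {a.src} {a.host} {a.reason}")
    print("clients with both indicators:", sorted(correlate(found)))
```

Run as a script it prints the two matching requests and lists 10.0.0.17 as the only client showing both indicators; the second client only touched an unrelated site and a look-alike domain, which the dot-boundary check correctly ignores. Legitimate software does fetch from paste sites and dynamic DNS hosts on occasion, so treat a single hit as a lead to triage and the combination as the event worth escalating.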

Crypto wallets as an attractive target for criminals

Since the Bitcoin boom, the new digital currencies have continuously increased in value. This in turn has not only led to further investments, but also attracted more and more cyber criminals. So-called stealer malware specializes in gaining access to crypto wallets. Once the attackers have access to the wallet information, they can freely and irrevocably transfer funds to their own wallets.

IT security researchers have noticed an increase in such wallet stealers, for example Redline Stealer and WeSteal, over the past year. Bitdefender researchers continuously monitor this trend.

More at Bitdefender.com

About Bitdefender

Bitdefender is a leading global provider of cybersecurity solutions and antivirus software, protecting over 500 million systems in more than 150 countries. Since it was founded in 2001, the company's innovations have consistently ensured excellent security products and intelligent protection for devices, networks and cloud services for private customers and companies. As the supplier of choice, Bitdefender technology is found in 38 percent of security solutions deployed around the world and is trusted and recognized by industry experts, manufacturers and customers alike. www.bitdefender.de
