430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

New BHUNT Stealer targets cryptocurrency wallets

Researchers spotted a new evasive cryptocurrency stealer named BHUNT that targets a list of wallets and implements multiple data-stealing capabilities. Bitdefender discovered a new evasive cryptocurrency stealer stealer dubbed BHUNT that is able to exfiltrate wallet (Exodus, Electrum, Atomic, Jaxx, Ethereum, Bitcoin, Litecoin wallets) contents, passwords stored in the browser, and data from the clipboard. BHUNT is […]

Bhunt malware

Researchers spotted a new evasive cryptocurrency stealer named BHUNT that targets a list of wallets and implements multiple data-stealing capabilities.

Bitdefender discovered a new evasive cryptocurrency stealer stealer dubbed BHUNT that is able to exfiltrate wallet (Exodus, Electrum, Atomic, Jaxx, Ethereum, Bitcoin, Litecoin wallets) contents, passwords stored in the browser, and data from the clipboard.

BHUNT is a modular stealer written in .NET, its binary files are heavily encrypted with commercial packers such as Themida and VMProtect. The samples identified by the experts are digitally signed with a digital certificate issued to a software company, but Bitdefender pointed out that the digital certificate does not match the binaries.

The samples analyzed by Bitdefender uses encrypted configuration scripts that are downloaded from public Pastebin pages. According to the experts, the malware spreads via cracked software installers and infected users in multiple countries, including Australia, Egypt, Germany, India, Indonesia, Japan, Malaysia, Norway, Singapore, South Africa, Spain, and the US.

“We noticed in our telemetry that the initial dropper process (msh.exebDQGbmsn.exe ZDVODXQFKHGIURPbexplorer.
exebWKDWFRQWDLQVLQMHFWHGFRGH0RVWLQIHFWHGXVHUVDOVRKDGVRPHIRUPRIFUDFNIRU:LQGRZV .06 RQWKHLU systems.” reads the report published by Bitdefender. “We could not capture any installer for those cracks, but we suspect they delivered the dropper for the cryptocurrency stealer. This technique is very similar to how Redline stealer delivers its payloads through fake
cracked software installers.”

Bhunt malware

The attack chain starts with the execution of an initial dropper, which writes to disk heavily-encrypted binaries that are then used to launch the main component of BHUNT. The samples identified appear to have been digitally signed with a digital certificate issued to a software company, but the digital certificate does not match the binaries. The cryptocurrency stealer has a modular structure, some of the modules analyzed by the researchers are:

  • blackjack – steal wallet files
  • chaos-crew – establish persistence and download additional payloads
  • golden7 – steal account tokens from Firefox and Chrome as well as passwords from clipboard
  • Sweet_Bonanza – steal stored passwords from supported browsers (i.e. Internet Explorer, Firefox, Chrome, Opera, and Safari)
  • mrpropper – delete artifacts from infected system

“BHUNT stealer exfiltrates information about cryptocurrency wallets and passwords, hoping for financial gain.” concludes the report that also includes Indicators od Compromise (IoCs). “Its code is straightforward and the delivery method is similar to that of existing successful malware, like Redline stealer.

  • Never install applications from untrusted sources
  • Keep your security solution up to date and never turn it off, especially if it blocks the installation of such software.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, BHUNT)

[adrotate banner=”5″]

[adrotate banner=”13″]