A newly emerged piece of malware dubbed BHUNT has been sighted targeting cryptocurrency wallet contents, passwords, and security phrases. BHUNT Malware is yet another crypto-stealer focused on stealing digital currency, but unlike its peers, BHUNT specializes in stealth.
Researchers at Bitdefender first discovered BHUNT Malware and reported on the strain.
The researchers found that to evade detection and avoid triggering security warnings, BHUNT malware is packed and heavily encrypted using Themida and VMProtect, two virtual machine packers that hinder reverse-engineering and analysis by researchers.
The attackers signed the malware with a code-signing certificate stolen from Piriform, the makers of CCleaner, so that the signed binary would pass checks that trust Piriform-signed software and allow BHUNT Malware to evade detection.
Bitdefender discovered that BHUNT is injected into explorer.exe and is most likely delivered to the compromised system via downloads of KMSpico, a popular utility for illegally activating Microsoft products.
KMS (Key Management Services) is a Microsoft license activation system that software pirates frequently abuse to activate Windows and Office products.
The main component of BHUNT Malware is ‘mscrlib.exe,’ which extracts further modules that are launched on an infected system to perform different malicious behaviors.
Each module is designed for a specific purpose ranging from stealing cryptocurrency wallets to stealing passwords. Using a modular approach, the threat actors can customize BHUNT for different campaigns or easily add new features.
The current modules included in the BHUNT ‘mscrlib.exe’ executable are described below:
- blackjack – steals wallet file contents, encodes them with base64, and uploads them to the C2 server
- chaos_crew – downloads payloads
- golden7 – steals passwords from the clipboard and uploads the files to the C2 server
- Sweet_Bonanza – steals information from browsers (Chrome, IE, Firefox, Opera, Safari)
- mrpropper – cleans up traces (argument files)
The targeted wallets are Exodus, Electrum, Atomic, Jaxx, Ethereum, Bitcoin, and Litecoin.
The blackjack module is used to discover and steal cryptocurrency wallets on an infected device and to send them back to the attackers’ remote server.
Once the threat actor gains access to the wallet’s seed or configuration file, they can use it to import the wallet on their own devices and steal the contained cryptocurrency.
Although BHUNT Malware’s focus is clearly financial, its information-stealing capabilities could enable its operators to gather much more than just crypto-wallet data.
“While the malware primarily focuses on stealing information related to cryptocurrency wallets, it can also harvest passwords and cookies stored in browser caches,” explains Bitdefender’s report.
“This might include account passwords for social media, banking, etc. that might even result in an online identity takeover.”
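The indicators described above (the ‘mscrlib.exe’ main component, the Piriform-signed binary living outside a CCleaner install, and delivery through a KMSpico download) can be turned into a simple hunting check over process-creation telemetry. The following is an added example, not Bitdefender’s or anyone’s production detection; the events, field names and paths are constructed for illustration.

```python
"""Hunting sketch for the BHUNT indicators discussed above.
Each event is a constructed, Sysmon-style process-creation record with
the fields 'image', 'signer' and 'parent'. Field names are assumptions."""
import ntpath

# Constructed sample events: one legitimate CCleaner launch, one BHUNT-like
# launch from a KMSpico download folder, and one unrelated benign process.
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\CCleaner\CCleaner64.exe",
     "signer": "Piriform Ltd",
     "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Users\bob\Downloads\KMSpico\mscrlib.exe",
     "signer": "Piriform Ltd",
     "parent": r"C:\Users\bob\Downloads\KMSpico\KMSpico_setup.exe"},
    {"image": r"C:\Windows\System32\notepad.exe",
     "signer": "Microsoft Windows",
     "parent": r"C:\Windows\explorer.exe"},
]

# Assumed default install locations where a Piriform signature is expected.
CCLEANER_DIRS = (r"c:\program files\ccleaner",
                 r"c:\program files (x86)\ccleaner")


def bhunt_indicators(event):
    """Return the page-described indicators matched by a single event."""
    image = event["image"].lower()
    parent = event["parent"].lower()
    hits = []
    # Main component name reported by Bitdefender.
    if ntpath.basename(image) == "mscrlib.exe":
        hits.append("main-component-name")
    # Stolen Piriform certificate: Piriform-signed code outside CCleaner.
    if "piriform" in event["signer"].lower() and not image.startswith(CCLEANER_DIRS):
        hits.append("piriform-signature-outside-ccleaner")
    # Likely delivery vector: the process or its parent came from KMSpico.
    if "kmspico" in image or "kmspico" in parent:
        hits.append("kmspico-delivery-path")
    return hits


def scan(events):
    """Map each flagged image path to its indicators; clean events are omitted."""
    flagged = {}
    for event in events:
        hits = bhunt_indicators(event)
        if hits:
            flagged[event["image"]] = hits
    return flagged
```

Any single hit is worth a look, but a process matching all three is the profile this report describes and should be escalated rather than just logged.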
Protection Against BHUNT Malware
SaferNet is the perfect solution to the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device using a secure, 24/7 always-on, military-grade VPN, but it also stops outside cyberthreats, malware, and viruses as well. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to SaferNet’s VPN and cyber protection, it also offers a range of employee or parental/family internet controls including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories.
Typically, a business or family would need three separate services for a VPN, malware protection, and internet controls; SaferNet offers all three features in one service. SaferNet truly is an endpoint security presence that can be implemented in minutes around the world, on phones, laptops, tablets, and computers, at an economical price point that caters to businesses and families of all sizes. SaferNet guarantees a smooth setup and installation process that takes only minutes, and an easily accessible control hub for you to monitor all your employees’ or family members’ devices, including activity, time spent online, and threats blocked.