BHUNT ! Crypto Wallet Malware

A new crypto wallet theft malware dubbed ‘BHUNT’ has been detected targeting the contents of cryptocurrency wallets, passwords and passphrases.

BHUNT is packaged and encrypted using Themida and VMProtect, two virtual machine wrappers that prevent reverse engineering and analysis. The threat actors signed the malware executable with a digital signature stolen from Piriform, the creators of CCleaner. Since the malware developers copied it from an unrelated executable, it is marked invalid due to a binary mismatch.

Researchers discovered that is injected into explorer.exe and is likely delivered to the compromised system via KMSpico downloads, a popular utility for illegally activating Microsoft products.

Advertisements

The main component of BHUNT is ‘mscrlib.exe’, which extracts more modules that are launched on an infected system to perform various malicious behaviors.

Each module is designed for a specific purpose ranging from cryptocurrency wallet theft to password theft. Using a modular approach, threat actors can customize BHUNT for different campaigns or easily add new features.

twenty one – steals the content of the wallet file, encodes it with base 64 and uploads it to the C2 server
chaos_team – download payloads
golden7 – steals passwords from the clipboard and uploads the files to the C2 server
sweet_bonanza – steal information from browsers (Chrome, IE, Firefox, Opera, Safari)
mrproper – clean traces (argument files)

The target portfolios are Exodus, Electrum, Atomic, Jaxx, Ethereum, Bitcoin, Y litecoin.

The blackjack module is used to find and steal cryptocurrency wallets on a user’s device and send them to a remote server under the attacker’s control.

Once the threat actor gains access to the wallet configuration or seed file, they can use it to import the wallet onto their own devices and steal the cryptocurrency contained therein.