
Name: Cryptobot
Type of Malware: Dropper, backdoor
Location – Country of Origin: China
Date of initial activity: 2019
Motivation: Steal sensitive information from victims’ computers such as authentication credentials, social media account logins, cryptocurrency wallets, and more.
Attack Vectors: Fake “cracked” software (KMSPico)
Targeted System: Windows
Overview
Cryptobot is an advanced cryptominer that collects the victim’s wallet and account information upon infection. In December 2021, Cryptobot was observed in a campaign that targeted users with a pirated copy of the Windows operating system.
Targets
Chrome users.
Tools/Techniques Used
Cryptbot has a long history of deployment by adversaries through various means, and it harms organizations by stealing credentials and other sensitive information from affected systems. Lately, it has been deployed via fake “cracked” software, and in this case it is particularly insidious because it poses as KMSPico.
The user becomes infected by clicking one of the malicious links and downloading either KMSPico, Cryptbot, or another piece of malware without KMSPico. The adversaries also install KMSPico, because that is what the victim expects to happen, while deploying Cryptbot behind the scenes.
Cryptbot is capable of collecting sensitive information from the following applications:
Atomic cryptocurrency wallet
Avast Secure web browser
Brave browser
Ledger Live cryptocurrency wallet
Opera Web Browser
Waves Client and Exchange cryptocurrency applications
Coinomi cryptocurrency wallet
Google Chrome web browser
Jaxx Liberty cryptocurrency wallet
Electron Cash cryptocurrency wallet
Electrum cryptocurrency wallet
Exodus cryptocurrency wallet
Monero cryptocurrency wallet
MultiBitHD cryptocurrency wallet
Mozilla Firefox web browser
CCleaner web browser
Vivaldi web browser
Indicators of Compromise (IoCs)
Hash
53d8d466679a01953aab35947655a8c1a2ff3c19ac188e9f40e3135553cf7556
Filenames
7ZipSfx.000 – Initial folder dropped into Temp directory
aeFdOLFszTz.dll – A legitimate copy of Microsoft Windows “ntdll.dll”
Avevano.gif – BAT Script
Carne.gif – Obfuscated AutoIT Script
Raccontero.exe – AutoIT Executable Compiler
C2
rygvpi61[.]top/index[.]php – Exfiltration address
gewuib08[.]top/download.php?file=scrods[.]exe – Download address
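The indicators above lend themselves to a simple hunting sweep. The following Python script is an added example, not code from CyberMaterial or from the original post: it refangs the defanged C2 hosts, matches them against constructed proxy log lines, and checks a constructed file inventory against the published SHA-256 and the dropped filenames. The log line format, the sample paths (including kms_installer.exe), the placeholder digests and the timestamps are assumptions made for the example; the page does not say which file the hash belongs to, so the hash-to-path pairing in the sample is constructed.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Indicators copied from the profile above (hash, C2 hosts, dropped filenames).
CRYPTBOT_SHA256 = {
    "53d8d466679a01953aab35947655a8c1a2ff3c19ac188e9f40e3135553cf7556",
}
CRYPTBOT_C2_DEFANGED = ["rygvpi61[.]top", "gewuib08[.]top"]
CRYPTBOT_DROPPED_NAMES = {
    "7zipsfx.000",      # SFX staging folder dropped under %TEMP%
    "aefdolfsztz.dll",  # renamed copy of the legitimate ntdll.dll
    "avevano.gif",      # BAT script hidden behind a .gif extension
    "carne.gif",        # obfuscated AutoIT script
    "raccontero.exe",   # AutoIT executable compiler
}


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into the form that appears in real logs."""
    return (ioc.replace("[.]", ".")
               .replace("hxxps://", "https://")
               .replace("hxxp://", "http://"))


CRYPTBOT_C2_HOSTS = {refang(d).lower() for d in CRYPTBOT_C2_DEFANGED}


def host_of(url: str) -> str:
    """Extract the lowercase hostname from a URL (scheme optional, port and path stripped)."""
    no_scheme = re.sub(r"^[a-z]+://", "", url, flags=re.IGNORECASE)
    return no_scheme.split("/", 1)[0].split(":", 1)[0].lower()


def match_proxy_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Flag proxy log lines ('<ts> <src_ip> <method> <url>', an assumed format) whose host is a known C2."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line: skip it rather than abort the whole sweep
        ts, src_ip, _method, url = fields[:4]
        host = host_of(url)
        if host in CRYPTBOT_C2_HOSTS:
            hits.append({"timestamp": ts, "src_ip": src_ip, "host": host, "url": url})
    return hits


def match_file_inventory(entries: Iterable[Tuple[str, str]]) -> List[Dict[str, str]]:
    """Flag (path, sha256) pairs by known hash or by a known dropped name in any path component.

    A name match is weaker evidence than a hash match, so every hit carries a reason
    string that lets an analyst triage the two kinds separately.
    """
    hits = []
    for path, sha256 in entries:
        reasons = []
        if sha256.lower() in CRYPTBOT_SHA256:
            reasons.append("sha256")
        components = [c.lower() for c in re.split(r"[\\/]+", path) if c]
        dropped = sorted(set(components) & CRYPTBOT_DROPPED_NAMES)
        if dropped:
            reasons.append("name:" + ",".join(dropped))
        if reasons:
            hits.append({"path": path, "reason": ";".join(reasons)})
    return hits


# Constructed sample proxy log lines (not real telemetry): ts src_ip method url
SAMPLE_PROXY_LOG = [
    "2021-12-03T10:15:22Z 10.0.0.17 GET http://gewuib08.top/download.php?file=scrods.exe",
    "2021-12-03T10:15:40Z 10.0.0.17 POST http://rygvpi61.top/index.php",
    "2021-12-03T10:16:01Z 10.0.0.23 GET https://www.example.com/",
    "garbage line",
]

# Constructed file inventory (path, sha256): the first digest is the page's IoC,
# the remaining digests are placeholders.
SAMPLE_FILES = [
    (r"C:\Users\alice\Downloads\kms_installer.exe",
     "53d8d466679a01953aab35947655a8c1a2ff3c19ac188e9f40e3135553cf7556"),
    (r"C:\Users\alice\AppData\Local\Temp\7ZipSfx.000\Carne.gif", "00" * 32),
    (r"C:\Users\alice\AppData\Local\Temp\7ZipSfx.000\aeFdOLFszTz.dll", "11" * 32),
    (r"C:\Windows\System32\ntdll.dll", "22" * 32),
]

if __name__ == "__main__":
    for hit in match_proxy_log(SAMPLE_PROXY_LOG):
        print("C2 contact:", hit)
    for hit in match_file_inventory(SAMPLE_FILES):
        print("file hit:", hit)
```

The legitimate C:\Windows\System32\ntdll.dll is deliberately left unflagged: the indicator is the renamed copy (aeFdOLFszTz.dll) and the 7ZipSfx.000 staging folder in a Temp path, not ntdll.dll itself, so matching on the renamed name and the folder avoids noise from every Windows host.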
References
The post Cryptobot (Cryptominer) – Malware first appeared on CyberMaterial.


