CryptBot is an info-stealer malware distributed through malicious sites disguised as utility program downloading pages. When searching keywords such as names of certain programs, cracks, and serial numbers, the related distribution sites are exposed at the top of the search results page. Upon connecting to the page and clicking the download button, the user is redirected to the CryptBot malware downloading page.
Numerous malicious sites were created using various keywords. When searching the most popular software keywords, many malicious sites appear on the top page, and a large number of related files are also detected. If the websites below appear when surfing the web, never download or run the files from those websites.
Figure 1. Malicious sites created with various keywords
Figure 2. Redirected file download pages
The file downloaded from the distribution website is a ZIP compressed file. Inside the file is another ZIP file that contains encrypted malware and a text file with a password. Because the name of the ZIP file consists of keywords that the user has searched, the user may think of it as a normal program. The text file contains ASCII Art and a password for decompression.
Figure 3. Decompression password and ASCII Art inside txt file
The filename of the ZIP file is the same as the keyword that the user searched for, but the actual malware executable inside has a filename disguised as that of an installer, as in the examples below.
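The archive layout described above (an outer ZIP holding an inner, password-protected ZIP plus a text file carrying the password, with an installer-named executable inside) is regular enough to triage automatically. The script below is an added example written for this page, not AhnLab's or the ASEC team's tooling: it inspects only ZIP metadata and the text file, never runs anything, and flags archives that match the lure structure. The installer-name pattern, the password-line pattern and every filename and "password" in the constructed sample are assumptions; the constructed inner archive is left unencrypted because Python's `zipfile` cannot write ZipCrypto entries, so the `inner_encrypted` signal is shown but not exercised.

```python
"""Triage heuristic for the nested-ZIP lure described in the post.

Constructed example, not AhnLab's code. It builds an in-memory archive that
mirrors the described layout (outer ZIP -> inner ZIP + password .txt,
inner ZIP -> executable named like an installer) and scores it.
"""
import io
import re
import zipfile

# Assumed installer-style names for the disguised executable (the post shows
# examples in a figure; this list is an assumption).
INSTALLER_NAME = re.compile(r"(setup|install|installer)[^/]*\.(exe|msi)$", re.I)
# Assumed shape of the password line inside the text file.
PASSWORD_LINE = re.compile(r"^(password|pass|pw)\s*[:=]?\s*(\S+)", re.I | re.M)


def _zip_stats(blob):
    """Return (entry names, any_encrypted) for a ZIP held in memory.

    The central directory is readable even when entries are password
    protected, so names and the encryption flag need no password."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        infos = zf.infolist()
        names = [i.filename for i in infos]
        encrypted = any(i.flag_bits & 0x1 for i in infos)  # bit 0 = encrypted
    return names, encrypted


def triage_archive(blob, search_keyword=None):
    """Score an outer archive against the lure structure.

    Returns a dict of boolean signals, a numeric score and a verdict. Nothing
    is extracted to disk or executed."""
    signals = {"nested_zip": False, "password_txt": False,
               "inner_encrypted": False, "installer_named_exe": False,
               "name_matches_keyword": False}
    with zipfile.ZipFile(io.BytesIO(blob)) as outer:
        for info in outer.infolist():
            lower = info.filename.lower()
            if lower.endswith(".txt"):
                text = outer.read(info).decode("utf-8", "replace")
                if PASSWORD_LINE.search(text):
                    signals["password_txt"] = True
            elif lower.endswith(".zip"):
                signals["nested_zip"] = True
                if search_keyword and search_keyword.lower() in lower:
                    signals["name_matches_keyword"] = True
                inner_names, enc = _zip_stats(outer.read(info))
                signals["inner_encrypted"] = signals["inner_encrypted"] or enc
                if any(INSTALLER_NAME.search(n) for n in inner_names):
                    signals["installer_named_exe"] = True
    score = sum(signals.values())
    # Nested ZIP plus a password note is the core of the lure; the remaining
    # signals raise confidence but are not required.
    verdict = "suspicious" if signals["nested_zip"] and signals["password_txt"] else "benign-looking"
    signals["score"] = score
    signals["verdict"] = verdict
    return signals


def build_sample_lure(keyword="ExampleApp"):
    """Construct an outer ZIP mirroring the described layout (test data only).

    The inner ZIP is unencrypted because zipfile cannot write ZipCrypto."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        # Constructed stub bytes, not a real PE file.
        zf.writestr("Setup_x64.exe", b"MZ" + b"\x00" * 62)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr(f"{keyword}.zip", inner.getvalue())
        zf.writestr("ReadMe.txt", "  (ascii art omitted)\nPassword: 1234\n")  # constructed
    return outer.getvalue()


def build_benign_sample():
    """Construct an ordinary archive with no nested ZIP (test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", "meeting notes\n")
        zf.writestr("report.pdf", b"%PDF-1.4 constructed stub")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_archive(build_sample_lure(), search_keyword="ExampleApp"))
    print(triage_archive(build_benign_sample()))
```

Run it on a downloaded archive by reading the file into `blob`; passing the search term the user typed as `search_keyword` lets the script also confirm the "archive named after the keyword" trait the post describes.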
This malware was previously distributed in 7z SFX form, but it has recently been found in a completely different form. AhnLab named this packing format ‘MalPE’ and has been responding to it. Various malware strains such as Glupteba, Raccoon Stealer, and Nemty Ransomware have been packed and distributed in this format, and the packing method is still in active use.
The MalPE-packed sample has a resource item with a random name containing random strings, as well as a String Table resource, as seen below. These appear to be changed randomly on every distribution in order to bypass anti-malware detection.
Upon execution, the packer decodes its data, which has a ‘shellcode + PE binary’ structure, copies it into a newly allocated region of virtual memory, and executes it. The shellcode then runs the PE binary via the process hollowing technique. Most malware strains use a similar method to hide the actual malicious payload.
CryptBot steals information about the infected PC as well as various user data and sends it to the server. It also downloads and installs additional malware. The additionally downloaded malware is usually ClipBanker, but there have also been cases of other types being distributed, such as Formbook and SmokeLoader.
Currently, the additionally downloaded malware uses the same 7z SFX packing method that previous CryptBot samples used. It drops ClipBanker and another 7z SFX file and runs both. The second 7z SFX file simply connects to a specific C2 and deletes itself; this activity is thought to let the attacker count the infected PCs and record their IPs. The analysis of the packing layers, from 7z SFX to AutoIt, is explained in detail in a previous blog post.
The picture below summarizes the general CryptBot infection flow. The additionally downloaded samples can be changed at any time at the attacker’s discretion.
The attacker appears to pack the malware in various forms to bypass anti-malware detection, and may use other packing methods to distribute malware in the future. The ASEC team is closely monitoring the relevant attack processes and responds quickly whenever a change occurs. Users must download software from official distribution channels and must not use illegal programs such as cracks.
AhnLab’s anti-malware solution, V3, detects and blocks both the MalPE and 7z SFX forms of CryptBot using the generic aliases below.
7z SFX form