Changed Form of CryptBot Infostealer Disguised as Software Crack Download

CryptBot Infostealer disguised as commercial software downloads are constantly making changes and are actively being distributed. In the previous post of ASEC blog, the ASEC analysis team has explained the change process of BAT script in malware. This post will discuss the change in its form. CryptBot Infostealer has changed its form from 7z SFX to MS IExpress and used a trick to prevent decompression using regular methods.

CryptBot Infostealer is distributed via malicious websites by disguising itself as websites to download cracks and serial key of commercial software. For more information about CryptBot Infostealer, refer to the post below.

The previous CryptBot Infostealer used 7z SFX method for distribution. When executed, the internal files are dropped to the directory created in the Temp path, which then executes the BAT script file. The samples that are recently being distributed have a modified packing method.

The new packing method is MS IExpress. This file is built with the portable executable packaging tool that is installed by default in the Windows operating system.

Figure 1. Built-in IExpress Builder in Windows

Files built with IExpress normally decompress the CABINET file of RCData resource within to be dropped and can execute a specific file or a command depending on the configuration set when creating.

Figure 2. Resource inside the IExpress file

CryptBot Infostealer uses a simple trick to its packing method to disable the unlocking of internal files using regular methods. It has embodied the same feature as 7z SFX method where tools could not unlock the internal files.

As shown in the internal CAB file of CryptBot sample that is currently being distributed, garbage values are inserted after the file signature.

Figure 3. Differences between CAB file inside a normal file and CryptBot

If a value other than NULL exists in the location, then the compressor cannot decompress the file because it does not recognize it as a CAB file.

Figure 4. Differences between CAB file inside a normal file and CryptBot (When decompressed)

However, the built-in tool in Windows does not scan this section, which allows it to be decompressed normally, thus not causing a problem in its execution. It seems that this trick is used to disrupt analysis and bypass anti-malware product’s feature of scanning compressed files.

Further actions are identical to the previous CryptBot. Once the BAT file of the dropped files is executed, it creates Autoit binary and executes obfuscated Autoit script. This script decrypts encrypted CryptBot binary file and executes it by injecting into the memory.

There have also been noticeable modifications recently in NSIS Dropper malware that is distributed in the same way as CryptBot.

This malware was executed by a 7z SFX file inside NSIS Installer dropping numerous malware and Loader (Aspack packing) with the feature to execute them. For more information, refer to the post below.

Figure 5. Previous structure of NSIS Dropper malware

The sample that has been recently modified has changed its form to a packing built with MingW, and instead of 7z SFX dropping the malware files, they have been inserted into the Data section inside Loader.

When Loader is executed, it drops PE in its Data section with random filenames, then executes them. The Loader has now taken on the role of a Dropper. As a result, malware files cannot be detected with normal tools anymore, and it is judged that this is also to bypass anti-malware product’s feature of scanning compressed files. Loader executes all of the dropped malware and sends related information to the following C2.

  • hxxp://marisana[.]xyz
Figure 5. Loader structure of the modified NSIS Dropper malware

Just on the morning of the 15th, there has been a change in the execution method of this malware. Similar to the previous method, the malware is dropped due to 7z SFX above, but the extension of the filename remains as .exe. The filenames when dropped show the day depending on the date the sample was created.

Figure 6. Structure of dropped file changed on August 15th

The attacker actively makes modifications as such and distributes them; therefore, users need to be cautious. It is advised for the users to refer to the previous post, and be aware of websites that distribute malware when browsing the web to download files. Additionally, it is recommended for users to download software from official sources.

AhnLab’s anti-malware software, V3, detects and blocks these samples using the following aliases.

  • Trojan/Win.CryptLoader.XM122
  • Execution/MDP.Scripting.M3728
  • Trojan/Win.MulDrop

[IOC Info]



Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

Categories:Malware Information

5 1 vote
Article Rating
Inline Feedbacks
View all comments