CryptBot is an infostealer that is usually distributed through web pages disguised as sites sharing cracks and tools. Because these distribution pages appear at the top of the search results of engines such as Google, the risk of infection is high, and the number of related detections is also relatively high. The ASEC analysis team has therefore warned users about this threat in previous blog posts.
- CryptBot Infostealer Constantly Changing and Being Distributed
- CryptBot Info-stealer Malware Being Distributed in Different Forms
CryptBot is one of the most actively changing malware families, with new distribution pages being created constantly. This post explains the details of a recently modified version of CryptBot that is currently being distributed.
When a user clicks the download button in a post on an attacker-created site disguised as a cracks and tools sharing website, the user is redirected several times before ultimately landing on the distribution page, and new redirection chains are constantly being created. The figure below shows relatively newly created distribution pages.
Not only are the distribution pages changing; CryptBot itself is also actively changing, and a new version with large-scale modifications has recently been distributed. Compared to the previous version, several secondary features were removed for simplification, and the infostealing code was modified to work with newer browser versions.
First, a few of CryptBot's distinctive features were removed. The anti-sandbox routine, which checked the CPU name of the infected system and terminated without performing any malicious behavior if it was a 'Xeon' environment, was removed. The anti-VM routine that checks the number of CPU cores and the amount of memory remains unchanged.
The behavior of saving the stolen information into two different folders and sending each folder to a different C2 was also removed. In the previous version there were two infostealing C2s and one C2 for downloading additional malware; in the currently distributed version there is only one infostealing C2.
The code shows that when sending files, the method of manually building the file data into the request header was replaced with a method that uses a simple API. The User-Agent value used when sending was also modified. The previous version called the send function twice, once for each C2, whereas in the changed version a single C2 URL is hard-coded in the function.
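Because the new version hard-codes its C2 URL and a fixed User-Agent string, a quick triage step for an analyst is to pull such network indicators straight out of an unpacked sample. The following is an added example, not code from the original post or from CryptBot, that scans a constructed byte blob (not real CryptBot data) for URLs and Mozilla-style User-Agent strings in both ASCII and UTF-16LE form; the `SAMPLE` bytes, the `.invalid` host and the placeholder User-Agent are all assumptions made up for the demonstration.

```python
import re

# Constructed stand-in for a small unpacked binary image: junk bytes, an
# ASCII URL and a UTF-16LE User-Agent string. None of this is real CryptBot data.
SAMPLE = (
    b"\x00\x10MZ\x90\x00junk\x00"
    + b"http://c2-example.invalid/gate.php\x00"
    + b"\xff\xfe" + "Mozilla/5.0 (placeholder UA)".encode("utf-16-le") + b"\x00\x00"
    + b"more\x00junk"
)

# Printable runs of at least 6 characters, in ASCII and in UTF-16LE encoding.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")
URL_RE = re.compile(r"https?://\S+")


def extract_strings(blob):
    """Return printable strings found in the blob, decoded from ASCII and UTF-16LE."""
    found = [m.group().decode("ascii") for m in ASCII_RUN.finditer(blob)]
    found += [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(blob)]
    return found


def find_network_indicators(blob):
    """Collect URLs and Mozilla-style User-Agent strings from the extracted strings."""
    strings = extract_strings(blob)
    urls = set()
    for s in strings:
        urls.update(m.group() for m in URL_RE.finditer(s))
    user_agents = {s for s in strings if s.startswith("Mozilla/")}
    return {"urls": sorted(urls), "user_agents": sorted(user_agents)}


if __name__ == "__main__":
    for kind, values in find_network_indicators(SAMPLE).items():
        print(kind, values)
```

On a real sample this should run on the unpacked image (the post notes the packing changes often), since packed code hides these strings; hits then go into the IOC list and network detection rules rather than being treated as proof of the C2 by themselves.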
The infostealing features that collected TXT files from the desktop and took screenshots of the screen were also removed. The self-deletion behavior, which was performed when the anti-VM routine detected a virtual environment or when all malicious behavior had been completed and the malware terminated, was also removed.
In addition to the removed features, there were also feature improvement patches. The previous version of CryptBot used the path names of older Chrome versions when stealing Chrome browser information, so it could not steal information from Chrome v96, released in November 2021, or later versions. The recently modified sample includes all of the newest Chrome path names.
The previous version's code was structured so that if even one item in the list of target data did not exist, the entire infostealing routine failed. As a result, infostealing succeeded only when the infected system used Chrome v81 to v95. The improved code steals whatever target data exists, regardless of the version.
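The defender's counterpart to this version-independent stealing logic is a detection that is itself independent of the Chrome file layout: flag any process other than the browser that reads a file under the Chrome profile root. The following is an added example, not code from the original post or from AhnLab, that runs such a check over a few constructed file-access events. The profile root `\Google\Chrome\User Data\` and the store names (`Login Data`, `Cookies`, `Web Data`, `Local State`) are well-known Chrome locations; the event records, process names and the `Network\Cookies` sub-path are constructed for the demonstration and are assumptions, not values from the post.

```python
import ntpath

# Well-known Chrome profile root; matched as a substring so any profile directory
# ("Default", "Profile 1", ...) and any subdirectory under it is covered, which keeps
# the rule valid across Chrome versions that move files between subfolders.
CHROME_PROFILE_ROOT = "\\google\\chrome\\user data\\"
SENSITIVE_STORES = {"login data", "cookies", "web data", "local state"}
BROWSER_PROCESSES = {"chrome.exe"}

# Constructed file-access events in the shape an EDR or Sysmon-style feed might
# provide: which process opened which path. Not real telemetry.
EVENTS = [
    {"process": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"process": r"C:\Users\alice\AppData\Local\Temp\setup_x86.exe",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"process": r"C:\Users\alice\AppData\Local\Temp\setup_x86.exe",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Profile 1\Network\Cookies"},
    {"process": r"C:\Windows\System32\notepad.exe",
     "path": r"C:\Users\alice\Documents\notes.txt"},
]


def is_chrome_credential_store(path):
    """True if the path is one of the sensitive stores anywhere under a Chrome profile."""
    p = path.lower()
    return CHROME_PROFILE_ROOT in p and ntpath.basename(p) in SENSITIVE_STORES


def suspicious_accesses(events):
    """Return (process name, path) pairs where a non-browser process reads a store."""
    hits = []
    for ev in events:
        proc = ntpath.basename(ev["process"]).lower()
        if proc not in BROWSER_PROCESSES and is_chrome_credential_store(ev["path"]):
            hits.append((proc, ev["path"]))
    return hits


if __name__ == "__main__":
    for proc, path in suspicious_accesses(EVENTS):
        print(f"ALERT: {proc} read {path}")
```

In production the process allow-list would also need to accept legitimate tools that touch these files (backup agents, some sync clients), and the process name should be corroborated by its signed path rather than the basename alone, since an unsigned binary named `chrome.exe` in a temp directory would otherwise slip through.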
The creator has thus applied feature improvement patches to the malicious behavior and also removed many unnecessary features. Because CryptBot's packing method, internal code, C2, and other characteristics change actively, and because its distribution pages are easily exposed, users are advised to exercise caution.
The following is the IOC information of CryptBot that has been distributed over the past week.
- Sending C2
- Downloading C2
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.