Modified CryptBot Infostealer Being Distributed

CryptBot is an infostealer that is usually distributed under the disguise of web pages that share cracks and tools. The distribution pages are exposed at the top of the search result page of search engines such as Google, so the risk of infection is high, and the number of relevant detection cases is also relatively high. The ASEC analysis team had thus advised users on these relevant threats in the previous blog posts.

CryptBot is one of the most actively-changing malware with its distribution pages constantly being newly-created. This blog will explain the details of the recently modified version of the CryptBot that is currently being distributed.

When the user clicks the download button in a post disguised as a cracks and tools sharing website created by the attacker, the user is redirected multiple times, ultimately redirected to the distribution page, and new types of such redirections are constantly being created. The figure below shows relatively newly-created distribution pages.

Figure 1. Examples of web pages distributing malware

Not only are the distribution pages changing, but the CryptBot itself is also actively changing, and a new version with a large-scale modification is recently being distributed. Compared to the previous version, a few of the additional features were deleted for simplification, and the infostealing code was modified to adapt to the new browser environment.

First, a few of the distinctive features of the CryptBot were deleted. The anti-sandbox routine, which terminates without malicious behavior in the case of ‘Xeon’ environment after checking the CPU name set as the infection target, was removed. The anti-VM routine that checks the number of CPU cores and memory remains the same.

The behavior that saves the stolen information to two different folders and sends each folder to different C2 was also deleted. This means that in the previous version, there were two infostealing C2s and one C2 for downloading additional malware, but in the currently distributed version, there is only one infostealing C2.

Figure 2. Comparing C2 transmission of previous CryptBot (top) and modified CryptBot (bottom)

The code shows that when sending files, the method of manually adding the sent file data to the header was changed to the method that uses simple API. user-agent value when sending was also modified. The previous version calls the function twice to send each to a different C2, but in the changed version, one C2 URL is hard-coded in the function.

Figure 3. Comparing the C2 transmission code of the previous CryptBot (top) and the modified CryptBot (bottom)

The infostealing features of collecting TXT files on the desktop and screenshots of the screen were also deleted. The behavior of self-deletion that was performed when it was detected by an anti-VM routine or when it completed all malicious behavior and was terminated was also deleted.

Figure 4. Comparing the main routine function of the previous CryptBot (left) and the modified CryptBot (right)

Not only were the features deleted, but there were also feature improvement patches. The previous version of CryptBot used the pathname of the old version of Chrome when stealing Chrome browser information, so it could not steal information from Chrome v96 released in November 2021 and its later versions. The recently modified sample includes all the newest Chrome path names.

The previous version of CryptBot code was structured in a way that if at least one piece of data did not exist out of the list of target data for stealing, the infostealing behavior would fail. So, infostealing was successful only when the infected system used Chrome browser v81 – v95. The recently improved code can steal if the target data exists regardless of the version.

Figure 5. Comparing the pathname of the target information for stealing of the previous CryptBot (left) and the modified CryptBot (right)

The creator had thus applied a feature improvement patch for the malicious behavior and also removed many unnecessary features. As CryptBot’s packing method, internal codes, C2, etc. actively change, and as its distribution pages are easily exposed, user caution is advised.

The following is the IOC information of CryptBot that has been distributed over the past week.

[IOC Info]

  • MD5

28e1397f9233badf815e22ef2e13634f
33e6e82f629715ce89424c41a847e889
0ceba86a7ab680d71f3dc99bbbec3368
74829260d3acddf20a4cc250e24e4d5e
d02b62d008db43c824966101345d65a4
ffe738f3cd8b8dc7e698fb3ded271d98
8f3c845153fe6e83d47b747881588c72
0169a24e049b4a8737256f06a7b666d2
98a86c1d2ffd2ebf30e0cc36efa8aef9
c2c2ced2d3319f3e89e546c7e96da4f9
599d2007777226487a4eb01cef954f99
f3ab03c11b45d48d8efd4206b1d17ccd
7c942ca86fa10d68691df2c13f8b2467
3d83e57852c8e379345a8c34ad2a14c9
2a05717d483b3a8829a50cd977967040
31a6aeffae90556406e82c18abaddd65
cb0eef45148b712e666df23d0015aa82
d6227c96b116293d2d08f50e8f717357
1db0cc5e74198d5c09237795279efb28
d0396014bd3219537b179e2133d7dd18
86d1ed1246c35d69ec580ff2ce8b189f
352f837f51b792c978c27cdac4be2453
f404488eb9ace976f872e5a953c3329c
66b944035e6369c84cbb2c8c4139e556
75330228fce69f2537afb5846c69a7ca
46142e232243bd7d6cbfe8dc8d576316
70e9dfc595511ad71d543860433b02f5
9bcacf1770295c8b2ccebfe8e843ccec
ccbad7304639bd0b93baad2a877923fd
eb7e00aa720c6145aa13608a4623f40b
26f659c0b4125fcaec364fdcbdece018
fe327314eb2f29690ae99baadb888651
c9a0476bb60feb1d02fba5b22f094db6
b4a37286503fe571115a590349fc2dee
41d859a85dc5d2b405fc702f9df95265
2f9e56c5eea5f4b7b880b0d26d140b63
710f4efa4dc52b36901266fc0c09d810
f2f6b2d9575d556855f12f6d244c5e9b

  • Sending C2

rygqwf41[.]top/index.php
rygedj410[.]top/index.php
rygzil43[.]top/index.php
rygiow53[.]top/index.php
rygofx510[.]top/index.php
rygsay57[.]top/index.php
ryghim51[.]top/index.php
rygcwa58[.]top/index.php
rygvpi61[.]top/index.php
rygykd610[.]top/index.php
rygkhf63[.]top/index.php
rygckz67[.]top/index.php
rygnih710[.]top/index.php
rygcgf73[.]top/index.php
rygsvk77[.]top/index.php
rygcup71[.]top/index.php
jugpry110[.]top/index.php
juglqr13[.]top/index.php
jugqay17[.]top/index.php
jugkeo11[.]top/index.php
jugrjb23[.]top/index.php
jugxmo21[.]top/index.php
jugfwr33[.]top/index.php
jugndj31[.]top/index.php

  • Downloading C2

gewfih05[.]top/download.php?file=fusate.exe
gewfec07[.]top/download.php?file=insane.exe
gewuib08[.]top/download.php?file=scrods.exe
gewtuq10[.]top/download.php?file=swaths.exe
kanimx01[.]top/download.php?file=zoster.exe
kanlsu03[.]top/download.php?file=avulse.exe
kanefo04[.]top/download.php?file=diazin.exe

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

Categories:Malware Information

5 1 vote
Article Rating
guest
46 Comments
Inline Feedbacks
View all comments
trackback

[…] „Der Code zeigt, dass beim Senden von Dateien die Methode zum manuellen Hinzufügen der gesendeten Dateidaten zum Header auf die Methode geändert wurde, die eine einfache API verwendet. Der Benutzeragentenwert beim Senden wurde ebenfalls geändert“, erklärt ASEC-Bericht […]

trackback

[…] "The code shows that when sending files, the method of manually adding the sent file data to the header was changed to the method that uses simple API. user-agent value when sending was also modified," explains ASEC's report […]

trackback

[…] “The code shows that when sending files, the method of manually adding the sent file data to the header was changed to the method that uses simple API. user-agent value when sending was also modified,” explains ASEC’s report […]

trackback

[…] acordo com os investigadores da empresa Ahn Lab, uma nova variante do malware conhecido como CryptBot encontra-se a propagar em força nas últimas […]

trackback

[…] “The code shows that when sending files, the method of manually adding the sent file data to the header was changed to the method that uses simple API. user-agent value when sending was also modified,” explains ASEC’s report […]

trackback

[…] “The code exhibits that when sending recordsdata, the strategy of manually including the despatched file knowledge to the header was modified to the strategy that makes use of easy API. user-agent worth when sending was additionally modified,” explains ASEC’s report […]

trackback

[…] “The code shows that when sending files, the method of manually adding the sent file data to the header was changed to the method that uses simple API. user-agent value when sending was also modified,” explains ASEC’s report […]

trackback

[…] «El código muestra que al enviar archivos, el método de agregar manualmente los datos del archivo enviado al encabezado se cambió al método que usa API simple. También se modificó el valor del agente de usuario al enviar», explica informe de la ASEC […]

trackback

[…] Modified CryptBot Infostealer Going After Crypto Wallets https://asec.ahnlab.com/en/31802/ Clarification for Adobe Magento Vulnerabilties […]

trackback

[…] “The code shows that when sending files, the method of manually adding the sent file data to the header was changed to the method that uses simple API. user-agent value when sending was also modified,” explains ASEC’s report […]

trackback

[…] Lab’den bilgi güvenliği uzmanları keşfetti CryptBot kötü amaçlı yazılımının, saldırıya uğramış sürümler veya lisanslı […]

trackback

[…] que usa API simples. O valor do user-agent no envio também foi modificado”, explica o relatório da […]

trackback

[…] to the security team at Ahn Lab, the latest and more advanced version of CryptBot is being distributed via tempting search results […]

trackback

[…] to the security team at Ahn Lab, the latest and more advanced version of CryptBot is being distributed via tempting search results […]

trackback

[…] to the security team at Ahn Lab, the latest and more advanced version of CryptBot is being distributed via tempting search results […]

trackback

[…] to the security team at Ahn Lab, the latest and more advanced version of CryptBot is being distributed via tempting search results […]

trackback

[…] to the security team at Ahn Lab, the latest and more advanced version of CryptBot is being distributed via tempting search results […]

trackback

[…] acordo com a equipe de segurança da Laboratório Ahn, a versão mais recente e avançada do CryptBot está sendo distribuída por meio de tentadores […]

trackback

[…] to the security team at Ahn Lab, the latest and more advanced version of CryptBot is being distributed via tempting search results […]

trackback

[…] to the security team at Ahn Lab, the latest and more advanced version of CryptBot is being distributed via tempting search results […]

trackback

[…] ASEC'in raporu, "Kod, dosya gönderirken, gönderilen dosya verilerini başlığa manuel olarak ekleme yönteminin basit API kullanan yönteme değiştirildiğini gösteriyor. Gönderirken user-agent değeri de değiştirildi", diye açıklıyor ASEC'in raporu. […]

trackback

[…] to the security team at Ahn Lab, the latest and more advanced version of CryptBot is being distributed via tempting search results […]

trackback

[…] to the security team at Ahn Lab, the latest and more advanced version of CryptBot is being distributed via tempting search results […]

trackback

[…] security team at Ah Lab discovered a much more advanced version of CryptBot. Meanwhile, it is being distributed through […]

trackback

[…] to the security team at Ahn Lab, the latest and more advanced version of CryptBot is being distributed via tempting search results […]

trackback

[…] to the security team at Ahn Lab, the latest and more advanced version of CryptBot is being distributed via tempting search results […]

trackback

[…] to the security team at Ahn Lab, the latest and more advanced version of CryptBot is being distributed via tempting search results […]

trackback

[…] In keeping with the studies, CryptBot solely poses a menace to Home windows computer systems. Techniques working macOS and Linux haven’t been affected to date. Since CryptBot is especially aimed toward people who find themselves searching for cracked software program and different bypasses of copy safety, an important recommendation is: don’t set up such pirated copies (it’s higher by no means to put in them!) and solely obtain software program from reliable websites down, equivalent to official producer web sites or the Microsoft Retailer. On this manner, an infection by CryptBot, but additionally by different malware, will be averted. On prime of that, you must all the time import Home windows updates promptly and use up-to-date virus safety. Particulars in regards to the modified CryptBot model will be discovered on this weblog put up. […]

trackback

[…] to the security team at Ahn Lab, the latest and more advanced version of CryptBot is being distributed via tempting search results […]

trackback

[…] to the security team at Ahn Lab, the latest and more advanced version of CryptBot is being distributed via tempting search results […]

trackback

[…] main function of CryptBot is to steal data from infected devices. Such data can be logins and passwords from accounts in […]

trackback

[…] neue CryptBot-Variante, die hier ausführlich beschrieben wird, verbreitet sich aber nicht etwa per Mail, wie so viele andere Schadprogramme. Sondern die neue […]

trackback

[…] to the security team at Ahn Lab, the latest and more advanced version of CryptBot is being distributed via tempting search results […]

trackback

[…] accordance with the safety workforce at Ahn Lab, the newest and extra superior model of CryptBot is being distributed through tempting search […]

trackback

[…] Modified CryptBot infostealer being distributed […]

trackback

[…] equipo de seguridad Ahn Lab  ha  informado que existe una campaña contra usuarios de Windows 10 capaz de no solo infectar […]

trackback

[…] Modified CryptBot Infostealer Being Distributed […]

trackback

[…] researchers from Ahn Lab report they have observed a new version of CryptBot, which is a malware for Windows systems with Chrome […]

trackback

[…] “The code shows that when sending files, the method of manually adding the sent file data to the header was changed to the method that uses simple API. user-agent value when sending was also modified,” explains ASEC’s report […]

trackback

[…] Zmodyfikowany CryptBot rozpowszechniany przez pirackie serwisy […]

trackback

[…] como afirma el equipo de seguridad Ahn Lab, se ha descubierto en la web una nueva versión de CryptBot que es capaz de instalar malware en […]