B3hpy

By GoldSparrow in Malware

B3hpy is a malware threat written in the Python programming language. Malware analysts first identified it in 2019 on Windows systems located in the Middle East. The B3hpy threat appears to be distributed with the help of spam emails. Researchers link the B3hpy malware to the BadPatch project, an operation that has been active since 2017 and has mainly targeted Middle Eastern users.

As mentioned, the B3hpy threat is propagated via phishing emails. The emails in question carry a malicious '.scr' attachment. This file type is rather outdated, as it denotes a screensaver file; however, a '.scr' file can be crafted to act as a self-extracting archive. If the user launches the malicious attachment, two files are planted on the system: 'd.exe,' which carries the B3hpy payload, and 's.docx,' a decoy document. The decoy opens as a harmless document to distract the user from the activity taking place in the background, so that the malicious 'd.exe' file, which installs the B3hpy malware on the system, goes unnoticed.

Once the B3hpy malware is successfully deployed, it immediately connects to the attackers' C&C (Command & Control) server. The B3hpy threat then sends the C&C server information about the host: the MAC address, OS version, hardware details, and a compiled listing of the contents of the 'Program Files (x86),' 'Program Files,' 'Microsoft.NET\Framework64,' and 'Microsoft.NET\Framework' directories. After this step completes, the B3hpy threat begins retrieving additional payloads from the C&C server.

The B3hpy threat is programmed to target files with the .doc, .docx, .txt, .xlsx, .xls, .rar, .pdf, and .mdb extensions. The targeted files are transferred to the attackers via email sent to 'b3h@emails.pal4u.net.' This specific email address is associated with the BadPatch project. The B3hpy malware is also able to obtain login credentials saved in the Google Chrome Web browser. If the user connects a USB flash drive, the B3hpy threat scans it for files that match its criteria; any that are detected are promptly copied and transferred to the attackers via email.
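As an added example (not code from the original article), the following detection logic flags the delivery and exfiltration traits described above in mail-gateway events: an inbound '.scr' attachment, outbound mail to the known BadPatch mailbox, and a bulk outbound batch of the document types the malware harvests. The JSON-lines log format, the internal domain 'corp.example', and the threshold of three documents are assumptions for the demo.

```python
"""Detection logic for the B3hpy delivery and exfiltration traits.
Added example, not code from the article; the log format is constructed."""
import json

# Indicators taken from the write-up: the exfiltration mailbox and the
# '.scr' attachment used as a self-extracting dropper.
EXFIL_MAILBOX = "b3h@emails.pal4u.net"
DROPPER_EXT = ".scr"
# Document types the malware collects and mails out.
HARVESTED_EXTS = {".doc", ".docx", ".txt", ".xlsx", ".xls", ".rar", ".pdf", ".mdb"}
# Assumed: the organisation's own mail domain and a bulk-exfil threshold.
INTERNAL_DOMAIN = "corp.example"
BULK_THRESHOLD = 3

def classify(event):
    """Return a list of alert tags for one mail-gateway event (a dict)."""
    tags = []
    names = [a.lower() for a in event.get("attachments", [])]
    if event["direction"] == "inbound" and any(n.endswith(DROPPER_EXT) for n in names):
        tags.append("scr-attachment")
    if event["direction"] == "outbound":
        if event["to"].lower() == EXFIL_MAILBOX:
            tags.append("badpatch-exfil-mailbox")
        # Several harvested documents leaving in one message to an external
        # address is suspicious even if the destination mailbox changes.
        docs = [n for n in names if any(n.endswith(e) for e in HARVESTED_EXTS)]
        if len(docs) >= BULK_THRESHOLD and not event["to"].endswith("@" + INTERNAL_DOMAIN):
            tags.append("bulk-document-exfil")
    return tags

def scan(log_lines):
    """Scan a JSON-lines gateway log; return {message_id: [tags]} for hits only."""
    hits = {}
    for line in log_lines:
        ev = json.loads(line)
        tags = classify(ev)
        if tags:
            hits[ev["id"]] = tags
    return hits

# Constructed sample log (not real traffic).
SAMPLE_LOG = [
    '{"id": "m1", "direction": "inbound", "from": "hr@mail.example", "to": "user@corp.example", "attachments": ["invoice.scr"]}',
    '{"id": "m2", "direction": "outbound", "from": "user@corp.example", "to": "b3h@emails.pal4u.net", "attachments": ["report.docx"]}',
    '{"id": "m3", "direction": "outbound", "from": "user@corp.example", "to": "partner@mail.example", "attachments": ["a.pdf", "b.xls", "c.mdb", "d.txt"]}',
    '{"id": "m4", "direction": "outbound", "from": "user@corp.example", "to": "boss@corp.example", "attachments": ["notes.txt"]}',
]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```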

It would appear that the B3hpy threat is mainly used against Palestinian users. However, malware researchers have spotted B3hpy campaigns that targeted users in the United States, India, Brazil, and Colombia.
