BHUNT Malware

BHUNT Malware Description

The boom of the cryptocurrency sector has garnered a lot of mainstream attention but it also came with the unfortunate consequence of also attracting numerous cybercriminals. As a result, multiple malware threats classified as cryptostealers have been created and unleashed in numerous attacks over the last couple of years.

The infosec researchers at Bitdefender have identified exactly such a threat tracked as BHUNT. According to their findings, BHUNT is a modular cryptowallet stealer written in the .NET software framework. The way the threat is spread most likely involves weaponized KMSPico versions. The KMSPico tool is often downloaded by people who wish to circumvent the proper registration of Microsoft products and instead unlock their full functionality illegally. As a result, BHUNT has managed to infect users from numerous countries spread across several different continents. According to Bitdefender's report, most of BHUNT's victims are located in India, followed by the Phillippines, and Greece.

Technical Details

BHUNT sets itself apart from the rest of the cryptostealer threats by exhibiting an increased focus on stealthiness and detection avoidance. The threat is packed and encrypted with Themida and VMProtect. The use of two virtual machine packers makes reverse-engineering and conducting analysis that much harder. In addition, the executable file of the threat is signed with a stolen digital signature belonging to Piriform. The signature, however, is still detected as invalid due to a binary mismatch.

BHUNT's attack chain involves a dedicated dropper placed in the \Windows\System32\ folder of the targeted system. The purpose of the dropper is to deploy BHUNT's main component as a file named 'mscrlib.exe.' The main component then proceeds to extract and initiate the additional malicious modules, each responsible for the execution of a specific intrusive task.

Modular Behavior

So far, five different BHUNT modules have been observed - 'blackjack,' 'chaos_crew,' 'golden7,' 'Sweet_Bonanza,' and 'mrproper.' The 'blackjack' module executes the crypto-related processes. First, it obtains the victim's cryptowallet details, encrypted them using base64, and then transmits them to the Command-and-Control (C2, C&C) servers of the operation. The threat targets Bitcoin, Litecoin, Ethereum, Exodus, Electrum, Atomic, and Jaxx wallets.

Via the 'chaos_crew' module, the attackers can deliver additional malicious payloads to the compromised system. The 'golden7' module is equipped with the ability to harvest passwords saved in the clipboard and then upload them to the C2. As for the 'Sweet_Bonanza' module, it can extract data that has been saved into multiple mainstream browsers such as Chrome, Opera, Safari, Firefox, etc. Finally, 'mrproper' can be instructed to clean the system from BHUNT's traces such as deleting argument files.

Diverse Attacks

Although BHUNT is clearly targeting cryptowallet addresses, the threat can be easily modified to fit into a different attack operation by targeting users' passwords or data saved in web browsers. The attackers can then compromise the victim's account passwords for banking apps and social media platforms. They can abuse the stolen information to escalate their reach, spread malicious threats, or sell the information to other cybercriminals.