When cryptocurrency burst onto the scene, it was deemed hackproof and almost impossible to steal. Over time, however, fraudsters have found new and ingenious methods to fleece the gullible. The latest is a mysterious new crypto wallet stealer named BHUNT, spotted in the wild, reports thehackernews.com. BHUNT is the newest addition to the list of digital-currency-stealing malware built for financial gain; other examples include CryptBot, Redline Stealer, and WeSteal.
BHUNT: written in .NET and able to exfiltrate the majority of wallets
Bitdefender researchers said in a technical report on Wednesday that BHUNT is written in .NET and is a stealer that can exfiltrate the majority of wallets, including Exodus, Electrum, Atomic, Jaxx, Ethereum, Bitcoin, and Litecoin wallets. Its capabilities include stealing wallet contents, passwords stored in the browser, and passphrases captured from the clipboard.
The campaign is relatively widespread globally and includes countries such as Australia, Egypt, Germany, India, Indonesia, Japan, Malaysia, Norway, Singapore, South Africa, Spain, and the U.S. The malware is suspected to be delivered to vulnerable systems via cracked software installers.
The malware's modus operandi for stealing information is much akin to that of similar cybercrime campaigns that have leveraged tools such as KMSPico as a conduit for deploying malware: cracks serve as the infection source for initial access. Most infected users had some form of Windows crack (KMS) on their systems, reports Bitdefender.
Malware attack introduces a dropper that steals information
The malware attack commences with the execution of an innocuous-looking dropper. The dropper then writes heavily encrypted interim binaries that are used to launch the main component of the stealer, a .NET malware. All the results are then exfiltrated to a remote server. The stealer is made up of the following components:
- Blackjack – exfiltrates wallet file contents.
- Chaos-crew – downloads additional payloads.
- Golden7 – exfiltrates cookies from Firefox and Chrome as well as passwords from the clipboard.
- Sweet_Bonanza – steals stored passwords from browsers such as Internet Explorer, Firefox, Chrome, Opera, and Safari.
- mrpropper – cleans up traces.
The stolen information could have severe impacts, since the passwords and account tokens taken from the browser cache could be abused to commit fraud and to gain other financial benefits. The researchers said that the best way to avoid this threat is to avoid installing software from untrusted sources.