Here's another great reason not to pirate your software

Threat actors mask CryptBot malware with cracks for new games and professional-grade software.

Cybersecurity researchers at AhnLab discovered a new campaign to distribute CryptBot, an information stealer capable of exfiltrating saved browser passwords, cookies, browser history, crypto wallet data, credit card information, and files from compromised endpoints.

The campaign revolves around the creation of various websites promoting cracks for professional-grade games and computer software. These websites and landing pages are properly optimized for search engines, ranking fairly high in the search engine results pages (SERPs) for all the right terms.

Lighter malware

Additionally, attackers use both custom domains and AWS-hosted sites, and in some cases, redirect visitors multiple times before taking them to the delivery page. This means that the landing page itself could be on a legitimate but compromised site.

The malware itself has also undergone a number of significant changes. The researchers say the program was slimmed down and lost some features to better hide it and distribute it more easily.

Specifically, the anti-sandbox routine has been removed, along with the ability to take screenshots. The malware can no longer collect data from TXT files on the desktop, and it no longer has the second login folder and C2 exfiltration. The latest version of the malware retains only an anti-VM check based on the CPU core count and a single C2 for the information stealer.

At the same time, the attackers seem to "constantly" update their C2 and drop sites, according to the researchers.

“The code shows that when sending files, the method of manually adding data from the sent file to the header has been replaced by the method using a simple API. The value of the user agent at submit time has also been changed,” the researchers said in a blog post.

"The old version calls the function twice to send each one to a different C2, but in the modified version, a C2 URL is hardcoded into the function."

The new variant also seems to work fine on all versions of Chrome, while the old ones only worked on Chrome 81 - 95.

Via: BleepingComputer