| Attribute | Value |
| --- | --- |
| Name | Cryptbot |
| Type of Malware | Dropper, backdoor |
| Location – Country of Origin | China |
| Date of initial activity | 2019 |
| Motivation | Steal sensitive information from victims’ computers such as authentication credentials, social media account logins, cryptocurrency wallets, and more. |
| Attack Vectors | Fake “cracked” software (KMSPico) |
| Targeted System | Windows |
Overview
Cryptbot is an advanced cryptominer that collects the victim’s wallet and account information upon infection. In December 2021, Cryptbot was observed in a campaign that targeted users with a pirated copy of the Windows operating system.
Targets
Chrome users.
Tools/Techniques Used
Cryptbot has a long history of deployment by adversaries through various means, and it harms organizations by stealing credentials and other sensitive information from affected systems. Lately it has been deployed via fake “cracked” software, and in this case it is particularly insidious because it poses as KMSPico.
The user becomes infected by clicking one of the malicious links, which downloads KMSPico, Cryptbot, or another piece of malware without KMSPico. The adversaries also install KMSPico, because that is what the victim expects to happen, while deploying Cryptbot behind the scenes at the same time.
Cryptbot is capable of collecting sensitive information from the following applications:
- Atomic cryptocurrency wallet
- Avast Secure web browser
- Brave browser
- Ledger Live cryptocurrency wallet
- Opera Web Browser
- Waves Client and Exchange cryptocurrency applications
- Coinomi cryptocurrency wallet
- Google Chrome web browser
- Jaxx Liberty cryptocurrency wallet
- Electron Cash cryptocurrency wallet
- Electrum cryptocurrency wallet
- Exodus cryptocurrency wallet
- Monero cryptocurrency wallet
- MultiBitHD cryptocurrency wallet
- Mozilla Firefox web browser
- CCleaner web browser
- Vivaldi web browser
Indicators of Compromise (IoCs)
Hash
- 53d8d466679a01953aab35947655a8c1a2ff3c19ac188e9f40e3135553cf7556 (SHA-256)
Filenames
- 7ZipSfx.000 – Initial folder dropped into the Temp directory
- aeFdOLFszTz.dll – A legitimate copy of Microsoft Windows “ntdll.dll”
- Avevano.gif – BAT script
- Carne.gif – Obfuscated AutoIT script
- Raccontero.exe – AutoIT executable compiler
C2
- rygvpi61[.]top/index[.]php – Exfiltration address
- gewuib08[.]top/download.php?file=scrods[.]exe – Download address
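As an added defender-side example that is not part of the original profile, the Python below matches the indicators listed above against constructed key=value log lines (a simplified Sysmon-style format); the field names, sample paths and log lines are assumptions, and the C2 hosts are refanged only inside the matcher.

```python
import shlex
from pathlib import PureWindowsPath

# Indicators from the profile above. C2 hosts are kept defanged exactly as printed
# and are refanged only at match time.
DROPPED_FILES = {"7zipsfx.000", "aefdolfsztz.dll", "avevano.gif", "carne.gif", "raccontero.exe"}
SHA256 = "53d8d466679a01953aab35947655a8c1a2ff3c19ac188e9f40e3135553cf7556"
C2_HOSTS_DEFANGED = ["rygvpi61[.]top", "gewuib08[.]top"]

def refang(indicator: str) -> str:
    """Undo the '[.]' defanging used in the report."""
    return indicator.replace("[.]", ".").lower()

C2_HOSTS = {refang(h) for h in C2_HOSTS_DEFANGED}

def parse_event(line: str) -> dict:
    """Parse one constructed key=value log line (shlex keeps quoted paths with spaces intact)."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)

def dropped_in_temp(path: str) -> bool:
    """True if the file is one of the profile's dropped files and sits under a Temp directory."""
    p = PureWindowsPath(path)
    return p.name.lower() in DROPPED_FILES and "temp" in (part.lower() for part in p.parts)

def match_event(line: str) -> list[str]:
    """Return the indicator classes a single log line hits (empty list if clean)."""
    ev = parse_event(line)
    hits = []
    if dropped_in_temp(ev.get("image", "")):
        hits.append("dropped-file")
    if ev.get("sha256", "").lower() == SHA256:
        hits.append("hash")
    host = ev.get("dest_host", "").lower()
    if host in C2_HOSTS or any(host.endswith("." + h) for h in C2_HOSTS):
        hits.append("c2")
    return hits

# Constructed sample log lines (assumed format; not from any real incident).
SAMPLE_LOG = [
    'event=ProcessCreate image="C:\\Users\\alice\\AppData\\Local\\Temp\\7ZipSfx.000\\Raccontero.exe" sha256=0000',
    'event=ProcessCreate image="C:\\Program Files\\7-Zip\\7z.exe" sha256=53D8D466679A01953AAB35947655A8C1A2FF3C19AC188E9F40E3135553CF7556',
    'event=DnsQuery dest_host=rygvpi61.top',
    'event=DnsQuery dest_host=www.example.com',
]

def scan(lines: list[str]) -> dict[int, list[str]]:
    """Map line index to its hits, keeping only lines that matched at least one indicator."""
    return {i: h for i, line in enumerate(lines) if (h := match_event(line))}

if __name__ == "__main__":
    for i, hits in scan(SAMPLE_LOG).items():
        print(f"line {i}: {', '.join(hits)} -> {SAMPLE_LOG[i]}")
```

The hash comparison and host match are case-insensitive, and the file-name check requires the Temp path context from the profile so that a same-named file elsewhere does not fire.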