fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Revamped CryptBot Malware Spread by Pirated Software Sites

Revamped CryptBot Malware Spread by Pirated Software Sites

A new version of the CryptBot info stealer was seen in distribution via multiple websites that offer free downloads of cracks for games and pro-grade software.

CryptBot is a Windows malware that steals information from infected devices, including saved browser credentials, cookies, browser history, cryptocurrency wallets, credit cards, and files.

The latest version features new capabilities and optimizations, while the malware authors have also deleted several older functions to make their tool leaner and more efficient.

Security analysts at Ahn Lab reported that the threat actors are constantly refreshing their C2, dropper sites, and the malware itself, so CryptBot is currently one of the most shifting malicious operations.

Also Read: Facts About Accountability PDF That You Need to Know About

Using search results for delivery

According to the Ahn Lab report, the CryptBot threat actors distribute malware through websites pretending to offer software cracks, key generators, or other utilities. 

To gain wide visibility, the threat actors utilize search engine optimization to rank the malware distribution sites at the top of Google search results, providing a stable stream of prospective victims.

According to screenshots shared of the malware distribution sites, the threat actors use both custom domains or websites hosted on Amazon AWS.

Some of the websites used for CryptoBot distribution
Some of the websites used recently for CryptoBot distribution
Source: Ahn Lab

The malicious websites are constantly being refreshed, so there’s a wide variety of ever-shifting lures to draw users onto the malware distribution sites. 

Visitors of these sites are taken through a series of redirections before they end up on the delivery page, so the landing page could be on a compromised legitimate site abused for SEO poisoning attacks.

We have seen the same malware operators using fake VPN sites to deliver CryptBot to victims in previous years, so search engine abuse isn’t a new trick.

Also Read: 5 Brief Concepts Between Data Protection Directive vs GDPR

Features removed

Fresh samples of CryptBot indicate that its authors want to simplify its functionality and make the malware lighter, leaner, and less likely to be detected.

In this context, the anti-sandbox routine has been removed, leaving only the anti-VM CPU core count check in the newest version.

Also, the redundant second C2 connection and second exfiltration folder were both removed, and the new variant only features a single info-stealing C2.

“The code shows that when sending files, the method of manually adding the sent file data to the header was changed to the method that uses simple API. user-agent value when sending was also modified,” explains ASEC’s report

“The previous version calls the function twice to send each to a different C2, but in the changed version, one C2 URL is hard-coded in the function.”

Another feature the CryptBot’s authors have scrapped is the screenshot function and the option of collecting data on TXT files on the desktop, which were too risky and perhaps easily detected during exfiltration.

Works on all Chrome versions

On the other hand, the latest version of CryptBot brings some targeted additions and improvements that make it a lot more potent.

In previous versions, the malware could only successfully exfiltrate data when deployed against Chrome versions between 81 and 95.

This limitation arose from implementing a system that looked for user data in fixed file paths, and if the paths were different, the malware returned an error.

Pathname discovery system comparison (new right)
Pathname discovery system comparison (new right) – ASEC

Now, it searches on all file paths, and if user data is found anywhere, it exfiltrates them regardless of the Chrome version.

Considering that Google rolled out chrome 96 in November 2021, CryptBot remained ineffective against most of its targets for roughly three months, so fixing this problem was well overdue for its operators.

As CryptBot primarily targets people searching for software cracks, warez, and other methods of defeating copyright protection, simply avoiding the downloading of these tools will prevent infection by this malware and many others.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us