BHUNT password stealer targets crypto wallets through cracked software

BHUNT is being regarded as an evasive crypto wallet stealer, just like previously identified Redline Stealer and CryptBot.

Cybersecurity and antivirus vendor Bitdefender has detected a new kind of malware targeting cryptocurrency wallets through cracked software installers. Dubbed BHUNT by researchers; upon installation, the software extracts passphrases and seeds from popular wallets on infected devices.

Details of the Evasive Malware

Bitdefender researchers have regarded BHUNT as an evasive crypto wallet stealer, just like previously identified Redline Stealer and CryptBot. Researchers believe the campaign is financially motivated.

Furthermore, the malware is a “modular stealer” is written in .NET and can exfiltrate content from wallets including the following:

  1. Jaxx wallet
  2. Bitcoin wallet
  3. Atomic wallet
  4. Exodus wallet
  5. Litecoin wallet
  6. Electrum wallet
  7. Ethereum wallet

In addition to this, BHUNT can steal passwords stored in the browser and passphrases stored by the clipboard.

Who’s Impacted the Most?

According to Bitdefender’s blog post, the campaign targets crypto wallets located in the following countries:

  1. India
  2. Spain
  3. Japan
  4. Egypt
  5. Norway
  6. Australia
  7. Indonesia
  8. Singapore
  9. South Africa
  10. United States

Furthermore, Bitdefender researchers warn that home users are most vulnerable to BHUNT.

All our telemetry originated from home users who are more likely to have cryptocurrency wallet software installed on their systems. This target group is also more likely to install cracks for operating system software, which we suspect is the main infection source.


Attack Sequence

Attackers use cracks as the primary infection source to gain initial access, which is the same strategy leveraged in previous campaigns, such as where KMSPico was used as a conduit to deploy malware.

Credit: Bitdefender

The attack sequence commences after the initial dropper is executed, after which heavily-encrypted interim binaries are written and used to launch the stealer’s main component- the .NET malware.

Additionally, the malware incorporates different modules to start its malicious activities, and the stolen contents are transferred to a remote server. This information theft can gravely impact a user’s privacy.

Crypto users are warned that BHUNT steals passwords and account tokens from the browser cache, which could be exploited to commit identity theft or financial fraud. Therefore, refrain from downloading cracked software or applications from third-party stores.

More malware in crack software news

Malware droppers for hire target users on fake pirated software sites

This malware hides behind free VPN & pirated security software keys

CopperStealer malware stealing Facebook, Apple, Google passwords

New malware in pirated games disables Windows Updates, Defender

Torrent uploader CracksNow caught distributing GrandCrab ransomware

Related Posts