# CryptBot Infostealer Constantly Changing and Being Distributed **asec.ahnlab.com/en/26052/** August 9, 2021 CryptBot is an Infostealer that is being distributed through malicious websites disguised as software download pages. Because there are multiple malicious websites created and many of them appear on the top page when keywords such as cracks and serials of popular commercial software are entered in search engines, many users are subject to download the malware and run it. In addition, the sample uses the SFX packing, making difficult to distinguish between normal and malicious files, and changes occur multiple times a day. Since the websites disguise themselves as download pages, users are convinced by the seemingly normal file running malware multiple times even when V3 products block it, which requires users’ extra caution. AhnLab has been continually making blog posts about aiming to raise people’s awareness of its danger. ----- Figure 1. Sample of CryptBot distribution website As shown in the figure below, the malware is compressed into many layers. The final compressed file has a txt file that contains password. ----- Figure 2. Compressed file downloaded from malicious website When the malware is run, it creates folder names such as 7z.SFX.xxx and IXPxxx.TMP in the %temp% path and files necessary for the infection in the folder. Filenames and extensions vary for every change. The created files are as follows. Figure 3. Dropped files BAT script (Far.vsdx) Autoit script (Impedire.vsdx) Encrypted CryptBot binary (Vento.vsdx) Autoit executable (Copre.vsdx) The malware runs the BAT script after creating files. See below for the structure of the script. ----- Figure 4. BAT script One thing to note about the script is that it changes periodically. As it can be easily changed, the attacker alters the pattern by slightly modifying the grammar while maintaining its features. The following table shows the date of BAT script changes in CryptBot samples that were collected for about a month. As shown below, the change cycle has become shorter. Confronto.jar June 16th, 2021 Aprile.accdr July 6th, 2021 Virtuoso.bmp July 16th, 2021 Orti.html July 17th, 2021 Pensai.wmz July 21st, 2021 Lume.eml July 22nd, 2021 Ritroverai.aiff July 23rd, 2021 Povera.ppsm July 24th, 2021 Ideale.dotx July 25th, 2021 Affonda.wms July 26th, 2021 Esaltavano.tiff July 28th, 2021 Table 1. Date of changes The following table shows the main changes. As shown below, while the feature of the BAT script itself did not change, the grammar or environment variable used has changed slightly. Aprile.accdr if %userdomain%==DESKTOP-QO5QU33 exit 2 Ripreso.exe.com findstr /V /R “^AGbW…xiSv$” Fianco.accdr >> Ripreso.exe.com” copy Fra.accdr B start Ripreso.exe.com B ping 127.0.0.1 -n 30 Virtuoso.bmp ----- **Set PRehIgqfWNWhFAxNgjgzQhcGBgikLpocQQTp=DESKTOP-** **Set zVqJPft=QO5QU33** **Set bizASaCEemlwdhJhU=MZ** if %userdomain%==%PRehIgqfWNWhFAxNgjgzQhcGBgikLpocQQTp% exit 8 Compatto.exe.com findstr /V /R “^viIO…hWwHg$” Baciandola.bmp >> Compatto.exe.com” copy Corano.bmp w start Compatto.exe.com w ping 127.0.0.1 -n 30 Lume.eml **echo XrHAkUeB** **echo XrHAkUeB** if %userdomain%==DESKTOP-QO5QU33 exit 2 Mese.exe.com findstr /V /R “^VtHMWSo…DuPlDDuA$” Giorni.eml >> Mese.exe.com” copy Scossa.eml h start Mese.exe.com h ping 127.0.0.1 -n 30 Esaltavano.tiff Set PaWlwDiebzBsRrpYjIjVHC=DESKTOP Set hQfTrWvlasdWKZ=QO5QU33 if %computername%==%PaWlwDiebzBsRrpYjIjVHC% exit Set OzhMvyIxp=MZ Hai.exe.com findstr /V /R “^fqCO…pHiJlm$” Affettuosa.tiff >> Hai.exe.com” copy Saluta.tiff S start Hai.exe.com S ping localhost -n 30 Table 2. Changed content When the BAT script is executed, it copies the Autoit executable with the filename [random name].exe.com. It then copies the Autoit script with a certain filename and gives the script as an argument to run the file. Figure 5. Executed Autoit process ----- The Autoit script decrypts the encrypted binary to copy it to the virtual memory area and run it. Figure 6. Decrypted CryptBot malware binary When the CryptBot binary loaded in the memory is executed, it scans for directories of certain anti-malware products. When the directory exists, the binary generates a random number and performs Sleep for that amount. It is assumed that delay execution is done to bypass detection. Figure 7. Scan code for directories of anti-malware products The code then scans for the existence of a particular directory. If the directory already exists, the script considers either a duplicate execution or an already infected system, and selfdeletes after termination. The name of the directory differs for each sample. Figure 8. Duplicate execution scan When performing self-deletion, the script runs the following cmd command through the ShellExecuteW function. ----- /c rd /s /q %Temp%\[name of the created directory] & timeout 2 & del /f /q “[malware execution path]” Table 3. Command for self-deletion When the malware begins its malicious behaviors, it creates a random directory in %TEMP% and collects various user information. The following shows the information collected by the sample. Browser Information (Chrome, Firefox, and Opera) Cookie Saved form data Saved account names and passwords Cryptocurrency wallet information System info Name of executed sample OS and Country information User account and PC name Hardware information List of installed programs Screenshots Figure 9. Collected data of accounts and passwords saved in browsers ----- Figure 10. Collected data of system info When information collection is complete, everything in the created directory is compressed into a ZIP file with a password and sent to C2. The .top domain which changes often is mainly used for the C2 URL. For a CryptBot malware sample, there are usually 3 C2s in total: 2 for sending information and 1 for downloading additional malware. Figure 11. C2 Transmission Code When the C2 transmission process is complete, the malware accesses a particular URL and runs additional malware after downloading it. ClipBanker types are usually downloaded. Figure 12. Code for downloading and running additional malware If the system is infected by this malware, confidential information such as account names, passwords, and cryptocurrency wallets is leaked. It is highly likely that there will be secondary damages exploiting the leaked information, users need to take caution. AhnLab’s anti-malware software, V3, detects and blocks the malware using the following aliases: ----- Trojan/Win.CryptLoader.XM122 Trojan/BAT.CryptLoader.S1612 Trojan/BAT.CryptLoader.S1610 Win-Trojan/MalPeP.mexp [IOC Info] c2bc3bef415ae0ed2e89cb864fff2bfc 58774ece556b0a1e01443ea1c3c68e5a ewais32[.]top/index.php morxeg03[.]top/index.php winxob04[.]top/download.php?file=lv.exe smaxgr31[.]top/index.php morers03[.]top/index.php gurswj04[.]top/download.php?file=lv.exe **Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to** **check related IOC and detailed analysis information.** [Categories:Malware Information](https://asec.ahnlab.com/en/category/malware-information/) -----