Bitdefender has identified a new stealer malware called BHUNT that allows the attackers to access cryptocurrency wallets and irreversibly transfer funds to wallets under their control.

The continued rise in the value of cryptocurrencies has made cyberattacks on cryptocurrency wallets highly lucrative. Large organizations often use cryptocurrencies to improve business reach, reduce transaction costs, prevent chargeback fraud, and make cross-border transactions much easier. Businesses may hold large amounts of cryptocurrencies, so any attack that gives a hacker access to a business cryptocurrency wallet can result in a significant payday; however, attacks on individuals who hold far smaller amounts of cryptocurrencies are also being conducted. Anyone who holds cryptocurrencies is at risk of an attack.

Malware developers have created several malware variants that are primarily used to access to cryptocurrency wallets, including WeSteal malware, which was first identified in 2020 and is available on underground marketplaces. There are many other malware families that have cryptocurrency stealing capabilities, such as the Redline Stealer, which is now one of the most common malware threats. According to an analysis by the blockchain data platform Chainalysis, cybercriminals stole $14bn (£103bn) in cryptocurrency in 2021 – a 79% increase from the previous year.

BHUNT is a new stealer that targets Exodus, Electrum, Atomic, Jaxx, Ethereum, Bitcoin, and Litecoin wallets, can steal passwords stored in Chrome and Firefox browsers, and captures passwords from the clipboard, although it is a specialized malware for stealing wallet files.

BHUNT is a stealthy cryptocurrency stealer that is heavily encrypted using two virtual machine packers – Themida and VMProtect – which hamper attempts by security researchers to reverse-engineer and analyze the malware. The malware is signed with a digital signature stolen from the CCleaner developer Piriform, although the certificate does not match the binaries, and the malware uses encrypted configuration scripts downloaded from public Pastebin pages. When installed, the malware is injected into explorer.exe.

Five modules have been identified, one is concerned with stealing wallet file contents, another module downloads payloads, one steals passwords from the clipboard and exfiltrates to its C2 server, another is a browser password stealer, and the last module cleans up traces of the infection.

The malware has been used in attacks worldwide, especially in South Asia, the Philippines, and Greece, and appears to be distributed in a similar way to other successful information stealers such as the Redline Stealer, through cracks and product activators such as KMSpico.

To protect against infection with the BHUNT stealer, individuals should not download applications and programs from unofficial repositories and should avoid pirated software, software cracks, and other illegal product activators. Businesses should consider implementing defenses against cryptocurrency stealers such as antivirus software on all endpoints and technical solutions to prevent downloads of executable files.

Cryptocurrency stealers, banking trojans, malware downloaders, spyware, adware, and ransomware are often distributed in fake software and software cracks. While policies can be set that prohibit employees from downloading unauthorized software, those policies are often ignored by employees who download unauthorized software to allow them to work more efficiently.

One of the most effective ways of blocking the downloads of unauthorized and pirated software is to use a web filter. WebTitan can be configured to block access to hacking websites, peer-2-peer file-sharing networks, and other sites where cracks, pirated software, and illegal product activators are available.

WebTitan can also be configured to prevent the downloading of files commonly associated with malware, such as executable files, and controls can be implemented for individual users, user groups, departments, or organization wide.