
Beware the Crypto Stealers

Forget the market sell-off, hackers are the real threat crypto fans ought to look out for.

While cryptocurrencies have gone from red hot to full-on meltdown in recent months, with both retail and institutional investors losing substantial sums amid the sell-off, threat actors show no sign of shying away from this lucrative and relatively new financial category. Instead they keep finding new ways to pursue it, with increasingly complex and stealthy crypto-stealers.

Indeed, just this past month, the US Federal Bureau of Investigation (FBI) warned criminals have created fraudulent apps that mimic real financial services brands to dupe investors into parting with $42.7 million in cryptocurrency over a period of about six months.

This fast-evolving part of the finance industry is certainly keeping cybersecurity defenders on their toes. It has become one of the areas most targeted by ransomware criminals, with the average cost of remediation estimated at around 1.8 million.

Bitcoin’s creation in 2009 spurred a gold-rush mentality among investors and malware actors alike, who saw it as a can’t-lose lottery ticket to get rich quick. A dozen years on, there are now more than 12,000 cryptocurrencies (March 2022), with the market more than doubling from the start of 2021 to the same point a year later. At the end of 2021, almost 1,000 new currencies were being launched each month, and around 300 million people held crypto assets. Even after June’s sell-off, there were still $1.1 trillion worth of digital assets in circulation; not bad for an industry that has earned legions of critics and skeptics.

Amid the sector’s phenomenal growth, crypto as a form of payment has become one of the principal backbones of the ransomware business.

It’s estimated that Bitcoin accounts for around 98% of ransomware payments. Last year, for example, ransomware gang REvil demanded payment of 60 million USD in Bitcoin from IT firm Kaseya, in return for a decryption key to unlock file access. The attack affected US financial institutions, including American Express and Chase, among the hundreds of Kaseya customers impacted. Though the ransom was never paid, it underlined how popular cryptocurrency is among cybercriminals – largely because it offers a high degree of anonymity, making activity hard to track. Without traditional banking structures and regulations, accounts are simple to set up and transactions quick to process.

Now, some criminals are taking a more direct approach and going straight for stealing the contents of victims’ crypto wallets.

Beware of the scavenger

BHunt Scavenger is among the latest threats targeting cryptocurrency holdings. It scavenges systems for access to cryptocurrency accounts, while also working to hide its activities on the system and to slow analysis and detection in a variety of other ways.

While BHunt goes about its business harvesting currency from victims’ crypto wallets, it also attempts to steal browser passwords. This is likely intended to help find login credentials stored there for online crypto accounts, along with online banking or social media accounts that could be used for further financial gains.

In certain situations, BHunt can also deploy a cryptominer on the victim’s device – a practice known as ‘cryptojacking’ that uses the infected computer’s processing power to mine for cryptocurrency – or monitor their clipboard for security passphrases to gain access to other online accounts. With this information they can permanently lock users out and steal investments.

Catching a master criminal

BHunt is a master of disguise. Once it has gained access, it tries to slow analysis and evade detection by obfuscating its execution files using commercial ‘binary packers’ (which change the code by compressing or encrypting it) or splitting its functionality across multiple files. Both techniques aim to make it less readily identifiable by programmes looking to detect cyberthreats.
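The packing behaviour described above leaves a measurable trace: compressed or encrypted code has much higher byte entropy than ordinary compiled code, and many packers also rename the sections they create. The following is an added example (not code from the original article or from any BHunt analysis) of the kind of triage heuristic a defender can run over the sections of a suspect executable. It assumes the caller has already split the file into named sections (for example with a PE parser, which is not shown here); the section names, thresholds and sample byte sequences are assumptions chosen for illustration and not observed values from BHunt.

```python
import hashlib
import math
from dataclasses import dataclass

# Heuristic thresholds and name lists are assumptions for this example,
# loosely modelled on common packer behaviour; tune them for your own corpus.
HIGH_ENTROPY_BITS_PER_BYTE = 7.0
MIN_SECTION_SIZE = 1024  # tiny sections give unreliable entropy estimates
KNOWN_PACKER_SECTION_NAMES = {"UPX0", "UPX1", ".aspack", ".themida", ".vmp0", ".vmp1"}
STANDARD_SECTION_NAMES = {".text", ".data", ".rdata", ".rsrc", ".reloc",
                          ".idata", ".edata", ".bss", ".pdata", ".tls"}


@dataclass
class Section:
    """One named region of an executable, as a parser would hand it to us."""
    name: str
    data: bytes


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte buffer in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def assess_sections(sections: list[Section]) -> list[str]:
    """Return human-readable findings that suggest packing or obfuscation."""
    findings = []
    for s in sections:
        if s.name in KNOWN_PACKER_SECTION_NAMES:
            findings.append(f"{s.name}: section name associated with a known packer")
        elif s.name not in STANDARD_SECTION_NAMES:
            findings.append(f"{s.name}: non-standard section name")
        if len(s.data) >= MIN_SECTION_SIZE:
            e = shannon_entropy(s.data)
            if e >= HIGH_ENTROPY_BITS_PER_BYTE:
                findings.append(f"{s.name}: entropy {e:.2f} bits/byte suggests "
                                "compressed or encrypted content")
    return findings


def looks_packed(sections: list[Section]) -> bool:
    """True when either a packer-style name or a high-entropy section is present."""
    return any("entropy" in f or "packer" in f for f in assess_sections(sections))


def deterministic_noise(seed: str, n: int) -> bytes:
    """Constructed stand-in for encrypted data: a SHA-256 hash chain, so the
    example is reproducible offline without real malware samples."""
    out, block = b"", seed.encode()
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


# Constructed samples: a plausible unpacked layout with low-entropy code-like
# bytes, and a packed layout with a UPX-style name and encrypted-looking body.
SAMPLE_UNPACKED = [
    Section(".text", b"\x55\x8b\xec\x83\xec\x10" * 700),   # repetitive prologue bytes
    Section(".data", b"\x00" * 2048),
]
SAMPLE_PACKED = [
    Section("UPX0", b""),
    Section("UPX1", deterministic_noise("example-seed", 4096)),
]

if __name__ == "__main__":
    for label, sample in (("unpacked", SAMPLE_UNPACKED), ("packed", SAMPLE_PACKED)):
        print(label, "->", assess_sections(sample) or ["no findings"])
```

A high-entropy section on its own is not proof of malice (legitimate installers and resource blobs are also compressed), so this belongs at the triage stage, where it decides which files get unpacked and looked at more closely rather than which files get blocked.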

BHunt also employs a devious strategy to use legitimate software tools for nefarious purposes. This makes it extremely difficult to detect components of the malware on the victim’s system because, at face value, the tools are recognised as authorized programmes and pose no obvious threat. Security products need to distinguish the context in which the legitimate software is being used, which is no easy feat for legacy antivirus software.
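Distinguishing the context in which a legitimate tool runs, as the paragraph above describes, usually comes down to process-creation telemetry: who launched the tool, and from where. The following is an added example (not code from the original article, and not describing any specific BHunt component) of context rules run over constructed process-creation events. The event format, the tool and parent lists, and the sample events are all assumptions made for illustration.

```python
import json
from dataclasses import dataclass

# Assumed lists for this example: signed Windows utilities that are normal on
# their own, and user-facing applications that rarely have a legitimate reason
# to spawn them directly.
LEGITIMATE_TOOLS = {"powershell.exe", "certutil.exe", "rundll32.exe",
                    "regsvr32.exe", "mshta.exe", "wscript.exe"}
USER_FACING_PARENTS = {"winword.exe", "excel.exe", "outlook.exe",
                       "chrome.exe", "msedge.exe", "firefox.exe"}
USER_WRITABLE_DIRS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")


@dataclass
class ProcessEvent:
    ts: str
    parent: str   # full path of the parent image, lower-cased
    image: str    # full path of the new process image, lower-cased
    cmdline: str


def parse_event(line: str) -> ProcessEvent:
    """Parse one JSON-lines process-creation record (assumed format)."""
    d = json.loads(line)
    return ProcessEvent(d["ts"], d["parent"].lower(), d["image"].lower(), d["cmdline"])


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def evaluate(ev: ProcessEvent) -> list[str]:
    """Return the context rules this event violates; empty means nothing notable."""
    reasons = []
    image, parent = basename(ev.image), basename(ev.parent)
    if image not in LEGITIMATE_TOOLS:
        return reasons  # these rules only concern dual-use system tools
    if parent in USER_FACING_PARENTS:
        reasons.append(f"{image} spawned by user-facing application {parent}")
    if any(d in ev.image for d in USER_WRITABLE_DIRS):
        # A copy of a system tool living outside the system directories is a
        # classic sign that its name is being borrowed, not its real binary.
        reasons.append(f"{image} executing from user-writable path {ev.image}")
    return reasons


def scan(lines: list[str]) -> list[tuple[str, list[str]]]:
    """Return (timestamp, reasons) for every event that trips at least one rule."""
    flagged = []
    for line in lines:
        ev = parse_event(line)
        reasons = evaluate(ev)
        if reasons:
            flagged.append((ev.ts, reasons))
    return flagged


# Constructed sample telemetry: two ordinary events and two that a
# context-aware rule should surface.
SAMPLE_EVENTS = [
    json.dumps({"ts": "2022-07-01T09:00:01Z", "parent": r"C:\Windows\explorer.exe",
                "image": r"C:\Windows\System32\rundll32.exe",
                "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"}),
    json.dumps({"ts": "2022-07-01T09:00:02Z", "parent": r"C:\Windows\System32\services.exe",
                "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"}),
    json.dumps({"ts": "2022-07-01T09:00:03Z",
                "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "cmdline": "powershell.exe -NoProfile"}),
    json.dumps({"ts": "2022-07-01T09:00:04Z", "parent": r"C:\Windows\explorer.exe",
                "image": r"C:\Users\alice\AppData\Local\Temp\certutil.exe",
                "cmdline": "certutil.exe"}),
]

if __name__ == "__main__":
    for ts, reasons in scan(SAMPLE_EVENTS):
        print(ts, "->", "; ".join(reasons))
```

The first two events pass because the tools run from where and by whom they should; the last two are surfaced purely on context, which is the distinction the paragraph says signature-based antivirus struggles to make.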

Protection against crypto-criminals

Despite the fact that it’s one of the most targeted areas of the economy, ransoms are rarely paid by the financial sector, ostensibly to avoid setting a precedent and incentivizing further attacks. However, innovations like cryptocurrency and crypto wallets create new opportunities for malicious intent and – as they continue to grow in popularity even with valuations plummeting as of late – threat actors will continue to pursue financial reward with increasingly complex and stealthy crypto-stealers. Once in your system, it is the ability to evade identification, hide amongst legitimate programmes and thwart detection that make ransomware programmes like BHunt so potentially costly and dangerous.


Protection requires a more proactive stance than offered by legacy anti-virus software and EDR solutions on their own. It needs to stop the bad guys at the door by preventing them delivering any malicious executables. They won’t even have time to don their master criminal disguise.