The CryptBot infostealer has been reworked by its developers and now spreads through websites that offer pirated software. According to recent reports, its operators continually change the infostealer's command-and-control server, dropper sites, and the malware itself.

The CryptBot threat actors use SEO to push their sites to the top of Google search results in an attempt to increase their infection rate. Security researchers found that the actors use custom domains and websites hosted on Amazon AWS, with various lures to draw unsuspecting users to their malicious sites.

After visiting one of these sites, the user goes through several redirections and lands on a delivery page, which may be hosted on a legitimate site that the threat actors compromised for "search engine optimisation poisoning" attacks.

The new CryptBot variant has several technical changes in its latest version.

The researchers said that the recently returned CryptBot samples show a latest version that is lighter, more compact, and better at evading security detection. They added that the new version includes an anti-VM check based on the CPU core count.
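The core-count check described above only matters to a defender in one way: an analysis VM that is provisioned below the malware's threshold will never see the sample run. The script below is an added defender-side example, not code from the original report or from CryptBot; it profiles the host it runs on and reports which hardware-size heuristics would mark it as a sandbox, so an analyst can size the lab VM accordingly. Only the CPU core count is attributed to the new variant by the article; the memory and disk checks and all three thresholds are assumptions added here as representative members of the same family of heuristics, not values taken from the malware.

```python
"""Lab-VM self-check for hardware-size anti-analysis heuristics.

Added defender-side example, not code from the original report or from
CryptBot. The CPU core-count check is the one the article attributes to the
new variant; the memory and disk checks and all thresholds are assumptions
added here and should be tuned to the sample under analysis.
"""
import os
import shutil
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed thresholds (assumption): small, single-core hosts are commonly
# treated as sandboxes, so a lab VM should be provisioned above these limits.
MIN_CORES = 2
MIN_RAM_GB = 4.0
MIN_DISK_GB = 60.0


@dataclass
class HostProfile:
    """Hardware facts a sample can observe without privileges."""
    cpu_cores: int
    ram_gb: Optional[float]   # None when the value could not be read
    disk_gb: Optional[float]  # None when the value could not be read


def failed_heuristics(profile: HostProfile) -> List[Tuple[str, float, float]]:
    """Return (heuristic, observed, minimum) for every check this host would trip.

    Unknown values (None) are skipped rather than treated as failures, so a
    partial profile never produces a false positive.
    """
    failures = []
    if profile.cpu_cores < MIN_CORES:
        failures.append(("cpu_core_count", float(profile.cpu_cores), float(MIN_CORES)))
    if profile.ram_gb is not None and profile.ram_gb < MIN_RAM_GB:
        failures.append(("physical_memory", profile.ram_gb, MIN_RAM_GB))
    if profile.disk_gb is not None and profile.disk_gb < MIN_DISK_GB:
        failures.append(("disk_size", profile.disk_gb, MIN_DISK_GB))
    return failures


def looks_like_sandbox(profile: HostProfile) -> bool:
    """True if at least one hardware-size heuristic would flag the host."""
    return bool(failed_heuristics(profile))


def current_host_profile() -> HostProfile:
    """Read the running host's core count, RAM and root-volume size."""
    cores = os.cpu_count() or 1
    try:
        ram_gb = os.sysconf("SC_PAGE_SIZE") * os.sysconf("SC_PHYS_PAGES") / 2 ** 30
    except (AttributeError, ValueError, OSError):
        ram_gb = None  # sysconf keys are not available on every platform
    try:
        disk_gb = shutil.disk_usage(os.path.abspath(os.sep)).total / 2 ** 30
    except OSError:
        disk_gb = None
    return HostProfile(cpu_cores=cores, ram_gb=ram_gb, disk_gb=disk_gb)


if __name__ == "__main__":
    host = current_host_profile()
    print(f"host profile: {host}")
    flagged = failed_heuristics(host)
    if not flagged:
        print("  passes the hardware-size heuristics; raise the limits if a sample still exits early")
    for name, seen, minimum in flagged:
        print(f"  would be flagged by {name}: observed {seen:.1f}, expected at least {minimum:.1f}")
```

Run it inside the analysis VM before detonating a sample; if it reports the core-count heuristic, add vCPUs to the VM rather than patching the sample, since the same check will recur in later builds.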

The developers want the infostealer to focus on its primary function; to that end, they removed the anti-sandbox routine, the repeated C2 connections, and two of the exfiltration folders in which the malware staged the information it gathered.

Furthermore, the code shows that when sending files, the actors no longer build the header containing the transmitted file data by hand; they now use a simple API call for this and have changed the user-agent value.

CryptBot's operators also removed the screenshot feature and the option to collect txt files from the desktop; the absence of these features is quickly noticeable at the exfiltration stage.

Lastly, the new variant includes targeted improvements for efficiency: it now searches all file paths and user data locations and harvests them regardless of the installed Chrome version.

CryptBot exclusively targets users who search for cracked or fake software on malicious websites, so experts strongly discourage downloading pirated software from such sites. Users should also run a reliable anti-malware solution for protection against threats of this kind.

