Data Stealing Cryptbot Malware Sneaks Onto Machines As Fake Windows Activator Tool
That leaves the computer wide open to infection with malware such as Cryptbot. This nasty little piece of malware, according to Red Canary, "harms organizations by stealing credentials and other sensitive information from affected systems".
Most of the software Cryptbot steals from is cryptocurrency wallets. Here is a list of applications known to be at risk:
- Atomic cryptocurrency wallet
- Ledger Live cryptocurrency wallet
- Waves Client and Exchange cryptocurrency applications
- Coinomi cryptocurrency wallet
- Jaxx Liberty cryptocurrency wallet
- Electron Cash cryptocurrency wallet
- Electrum cryptocurrency wallet
- Exodus cryptocurrency wallet
- Monero cryptocurrency wallet
- MultiBitHD cryptocurrency wallet
Red Canary says Cryptbot also tries to get information from web browsers, including Google Chrome, Mozilla Firefox, Opera, Brave, and Vivaldi. Additionally, Cryptbot attempts to siphon information from the CCleaner system management tool.
Detecting a Cryptbot infection is difficult, as the malware uses various methods to mask itself. Attackers sometimes use the CypherIT AutoIT crypter, for example, to obfuscate Cryptbot. Red Canary outlines two possible strategies for locating the malware.
You can search your hard drive for binaries containing AutoIT metadata but lacking "AutoIT" in the file name. You can also search for PowerShell or cmd.exe deletion commands that contain both rd /s /q and del /f /q.
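The two hunts above, written out as an added example (this is not Red Canary's or the article's code). It checks file bytes for AutoIT compiled-script markers while the name lacks "autoit", and flags cmd.exe or PowerShell command lines that carry both deletion commands. The AutoIT markers ("AU3!EA06" and the stub's "This is a third-party compiled AutoIt script." string) are assumed from public AutoIT documentation, not from the article, so validate them against your own samples; the command-line match is generalized slightly beyond the text to accept the rmdir/erase aliases and either switch order. The telemetry records are constructed, not real Cryptbot logs.

```python
import os
import re
from dataclasses import dataclass

# Strings that compiled AutoIt v3 executables are documented to carry.
# ASSUMPTION: taken from public AutoIt docs/analyst write-ups, not the article.
AUTOIT_MARKERS = (
    b"AU3!EA06",                                        # compiled-script signature
    b"This is a third-party compiled AutoIt script.",  # default stub error text
)


def has_autoit_metadata(data: bytes) -> bool:
    """True if the bytes contain any known AutoIt compiled-script marker."""
    return any(marker in data for marker in AUTOIT_MARKERS)


def is_masquerading_autoit(filename: str, data: bytes) -> bool:
    """Hunt 1: AutoIt metadata present, but 'autoit' absent from the file name."""
    return has_autoit_metadata(data) and "autoit" not in os.path.basename(filename).lower()


def scan_directory(root: str):
    """Walk a directory tree and return paths that match hunt 1 (reads whole files)."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    if is_masquerading_autoit(path, fh.read()):
                        hits.append(path)
            except OSError:
                continue  # unreadable/locked file: skip rather than abort the hunt
    return hits


# Hunt 2: shell command lines that combine directory and file deletion.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
RD_PATTERN = re.compile(r"\b(?:rd|rmdir)\s+(?:/s\s+/q|/q\s+/s)\b", re.IGNORECASE)
DEL_PATTERN = re.compile(r"\b(?:del|erase)\s+(?:/f\s+/q|/q\s+/f)\b", re.IGNORECASE)


@dataclass
class ProcessEvent:
    image: str          # process image name, e.g. "cmd.exe"
    command_line: str


def is_suspicious_deletion(event: ProcessEvent) -> bool:
    """True only for cmd/PowerShell events whose command line has BOTH commands."""
    if event.image.lower() not in SHELLS:
        return False
    cmd = event.command_line
    return bool(RD_PATTERN.search(cmd)) and bool(DEL_PATTERN.search(cmd))


def hunt(events):
    return [e for e in events if is_suspicious_deletion(e)]


# Constructed sample telemetry (hypothetical paths; not real Cryptbot activity).
SAMPLE_EVENTS = [
    ProcessEvent("cmd.exe", 'cmd.exe /c rd /s /q "C:\\Users\\Public\\tmp" & del /f /q "C:\\Users\\Public\\tmp.exe"'),
    ProcessEvent("cmd.exe", 'cmd.exe /c del /f /q "C:\\Users\\me\\Downloads\\old.log"'),
    ProcessEvent("powershell.exe", 'powershell.exe -c "cmd /c rd /s /q C:\\Temp\\x; del /f /q C:\\Temp\\x.dat"'),
    ProcessEvent("explorer.exe", "explorer.exe"),
]

# Constructed stand-ins for file contents: a fake PE prefix with the markers
# embedded, and a plain binary without them (neither is a real sample).
FAKE_AUTOIT_BINARY = (b"MZ" + b"\x00" * 64
                      + b"This is a third-party compiled AutoIt script."
                      + b"\x00" * 8 + b"AU3!EA06" + b"\x00" * 16)
FAKE_PLAIN_BINARY = b"MZ" + b"\x00" * 64 + b"nothing to see here"

if __name__ == "__main__":
    print("masquerading:", is_masquerading_autoit("KMSPico_setup.exe", FAKE_AUTOIT_BINARY))
    for e in hunt(SAMPLE_EVENTS):
        print("suspicious deletion:", e.image, e.command_line)
```

Only the first and third sample events match, because the second carries del without rd and the fourth is not a shell at all; in real telemetry, feed `is_suspicious_deletion` the process image and full command line from your EDR or Sysmon event 1 records, and expect some benign installer and cleanup scripts to match, so treat a hit as a lead to pivot on, not a verdict.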