CryptBot, an information-stealing malware first detected in 2019, has resurfaced with a refined distribution chain. In its latest campaign, detailed in a report by Intrinsec, CryptBot relies on search engine optimization (SEO) to draw victims to its download sites and on partnerships with other malware operators to extend its reach.
CryptBot primarily spreads through websites offering fake cracked software. Intrinsec notes, “The websites offering those software tend to be quite good in Search Engine Optimization as they often appear in the first results of most browsers when looking for cracked programs”. These sites distribute malware-laden installers disguised as popular programs such as Wondershare Filmora and Windows Professional.
In a further trend, CryptBot is now also being delivered through PDF documents posing as download instructions. The PDF is a lure rather than an exploit: it tells the reader to disable antivirus software and then follow a link to the payload, so the victim removes the last line of defence before the download ever runs.
CryptBot’s resurgence is bolstered by its integration with other malware operators. The report highlights its partnership with PrivateLoader, a “Pay-Per-Install” service known for deploying CryptBot and other malicious payloads. Additionally, CryptBot is distributed via the Amadey cluster, a malware infrastructure hosted on a Seychelles-based autonomous system.
“Both CryptBot and PrivateLoader continue to use bulletproof hosting solutions such as the infamous Aeza International Ltd and Karina Rashkovska to host their phishing pages, command-and-control panels, and malware payloads overall,” the report states. Bulletproof hosters of this kind ignore abuse reports, which is what allows the phishing pages, command-and-control (C2) servers, and payload hosting to survive takedown attempts.
Once installed, CryptBot sets up persistence in a conventional but effective way. The malware copies itself to system directories and registers scheduled tasks that launch the copy at system startup. It also creates a named mutex so that a second instance detects one already running and exits, avoiding duplicate infections on the same host. After collecting browser credentials and other sensitive data, CryptBot exfiltrates the information to attacker-controlled C2 servers.
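The "copy to a directory, then register a startup task for that copy" sequence is something endpoint telemetry can catch generically, whatever the malware family. The following detection logic is an added example written for this page, not code from Intrinsec or from the report: it correlates Sysmon FileCreate events (event ID 11) with Windows Security "scheduled task created" events (4698) and flags a boot- or logon-triggered task whose action points at an executable written outside trusted program directories a few minutes earlier. The sample log lines, the flattened field names (`image`, `target`, `task_name`, `task_content`), the trusted-directory allow-list and the ten-minute window are all assumptions made for the example.

```python
import json
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

# Directories in which a newly written executable is treated as normal.
# This allow-list is an assumption for the example, not something the report specifies.
TRUSTED_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)
STARTUP_TRIGGERS = ("LogonTrigger", "BootTrigger")  # task triggers that fire at boot/logon
CORRELATION_WINDOW = timedelta(minutes=10)          # max gap between file drop and task creation

# Constructed sample telemetry (not from the report), one JSON object per line:
# event_id 11 = Sysmon FileCreate (image, target); event_id 4698 = Security log
# "scheduled task created" (task_name, task_content XML). Paths and names are invented.
SAMPLE_LOG = r'''
{"time": "2024-05-01T10:00:05", "event_id": 11, "image": "C:\\Users\\victim\\Downloads\\Filmora_Setup.exe", "target": "C:\\ProgramData\\Updater\\svchost.exe"}
{"time": "2024-05-01T10:00:09", "event_id": 4698, "task_name": "\\Updater", "task_content": "<Task xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\"><Triggers><LogonTrigger/></Triggers><Actions><Exec><Command>C:\\ProgramData\\Updater\\svchost.exe</Command></Exec></Actions></Task>"}
{"time": "2024-05-01T11:30:00", "event_id": 11, "image": "C:\\Windows\\System32\\msiexec.exe", "target": "C:\\Program Files\\Acme\\acme.exe"}
{"time": "2024-05-01T11:30:02", "event_id": 4698, "task_name": "\\Acme\\Update", "task_content": "<Task xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\"><Triggers><LogonTrigger/></Triggers><Actions><Exec><Command>C:\\Program Files\\Acme\\acme.exe</Command></Exec></Actions></Task>"}
{"time": "2024-05-01T12:00:00", "event_id": 11, "image": "C:\\Users\\victim\\AppData\\Local\\Temp\\setup.exe", "target": "C:\\Users\\victim\\AppData\\Local\\Temp\\helper.exe"}
{"time": "2024-05-01T12:00:01", "event_id": 4698, "task_name": "\\OneShot", "task_content": "<Task xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\"><Triggers><TimeTrigger/></Triggers><Actions><Exec><Command>C:\\Users\\victim\\AppData\\Local\\Temp\\helper.exe</Command></Exec></Actions></Task>"}
'''


def parse_events(log_text):
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def _norm(path):
    """Normalise a Windows path for comparison: drop quotes, lower-case."""
    return path.strip().strip('"').lower()


def is_trusted_dir(path):
    return _norm(path).startswith(TRUSTED_PREFIXES)


def task_commands_and_startup(task_xml):
    """Return (list of action commands, True if the task has a boot/logon trigger)."""
    root = ET.fromstring(task_xml)
    # {*} matches the Task Scheduler namespace (or none) without hard-coding it.
    commands = [_norm(c.text or "") for c in root.iterfind(".//{*}Command")]
    startup = any(root.find(f".//{{*}}{t}") is not None for t in STARTUP_TRIGGERS)
    return commands, startup


def find_task_persistence(events):
    """Flag boot/logon tasks whose action is an executable dropped outside trusted
    directories within CORRELATION_WINDOW before the task was registered."""
    drops = {}      # normalised dropped path -> (timestamp, process that wrote it)
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        if ev["event_id"] == 11:
            target = _norm(ev["target"])
            if target.endswith(".exe") and not is_trusted_dir(target):
                drops[target] = (ts, ev["image"])
        elif ev["event_id"] == 4698:
            commands, startup = task_commands_and_startup(ev["task_content"])
            if not startup:
                continue
            for cmd in commands:
                if cmd in drops and ts - drops[cmd][0] <= CORRELATION_WINDOW:
                    dropped_at, dropper = drops[cmd]
                    findings.append({
                        "task": ev["task_name"],
                        "command": cmd,
                        "dropped_by": dropper,
                        "seconds_between": (ts - dropped_at).total_seconds(),
                    })
    return findings


if __name__ == "__main__":
    for finding in find_task_persistence(parse_events(SAMPLE_LOG)):
        print(finding)
```

On the sample data only the `\Updater` task is reported: the Acme task points at a file written into Program Files by msiexec, and the OneShot task has only a time trigger. In production the allow-list needs tuning for legitimate updaters that drop into ProgramData, and the mutex the text mentions is not visible in this telemetry at all; it has to be pulled from a sandbox run or a memory image.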
In its latest campaign, CryptBot operators embed Matomo, a legitimate open-source web analytics tool, in their lure sites to measure how well each site converts. “This tracking script…provides detailed reports on which websites generate the most traffic and with which software specifically,” the report elaborates.
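A tracker that the operators use to measure their own campaign is also a fingerprint a defender can pivot on: lure pages that report to the same Matomo instance are very likely run by the same crew. The snippet below is an added example for this page, not code from Intrinsec, and pivoting on the tracker endpoint is the editor's suggestion rather than something the report describes. It extracts the tracker host and site ID from the standard Matomo JavaScript snippet (both the `var u=...` form and a literal `setTrackerUrl` argument) and groups pages by tracker host. The HTML fragments, hostnames and site IDs are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed HTML fragments standing in for three lure pages and one unrelated page.
# Every hostname and site ID here is invented.
PAGES = {
    "cracks-one.example": """<script>
  var _paq = window._paq = window._paq || [];
  _paq.push(['trackPageView']);
  (function() {
    var u="//stats-lure.example/";
    _paq.push(['setTrackerUrl', u+'matomo.php']);
    _paq.push(['setSiteId', '3']);
  })();
</script>""",
    "cracks-two.example": """<script>
  var _paq = window._paq = window._paq || [];
  (function() {
    var u="//stats-lure.example/";
    _paq.push(['setTrackerUrl', u+'matomo.php']);
    _paq.push(['setSiteId', '7']);
  })();
</script>""",
    "other-lure.example": """<script>
  _paq.push(["setTrackerUrl", "https://other-tracker.example/matomo.php"]);
  _paq.push(["setSiteId", "1"]);
</script>""",
    "unrelated.example": "<html><body>no analytics here</body></html>",
}

# Argument of the setTrackerUrl call, e.g. u+'matomo.php' or a literal URL.
TRACKER_CALL_RE = re.compile(r"setTrackerUrl['\"]\s*,\s*(.+?)\]", re.S)
# The `var u="//host/"` assignment from the stock Matomo snippet.
VAR_U_RE = re.compile(r"var\s+u\s*=\s*['\"]([^'\"]+)['\"]")
# A quoted absolute or protocol-relative URL.
LITERAL_URL_RE = re.compile(r"['\"]((?:https?:)?//[^'\"]+)['\"]")
SITE_ID_RE = re.compile(r"setSiteId['\"]\s*,\s*['\"]?(\d+)")


def extract_matomo(html):
    """Return {'tracker_host', 'site_id'} for a page carrying a Matomo snippet, else None."""
    call = TRACKER_CALL_RE.search(html)
    if not call:
        return None
    literal = LITERAL_URL_RE.search(call.group(1))
    if literal:
        url = literal.group(1)
    else:
        var_u = VAR_U_RE.search(html)
        if not var_u:
            return None
        url = var_u.group(1)
    host = urlparse(url).netloc.lower()   # urlparse handles "//host/" as well as "https://host/"
    site = SITE_ID_RE.search(html)
    return {"tracker_host": host, "site_id": site.group(1) if site else None}


def cluster_by_tracker(pages):
    """Group page names by the Matomo host they report to."""
    groups = defaultdict(list)
    for name, html in pages.items():
        info = extract_matomo(html)
        if info:
            groups[info["tracker_host"]].append((name, info["site_id"]))
    return dict(groups)


if __name__ == "__main__":
    for host, members in cluster_by_tracker(PAGES).items():
        print(host, "->", members)
```

Distinct site IDs on the same tracker host are the interesting case: one Matomo instance, several lure domains, which is exactly the per-site reporting the quoted passage describes. Older deployments register the endpoint as `piwik.php` rather than `matomo.php`; the extractor above keys on the `setTrackerUrl` call, so it handles both names.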
Despite significant efforts by companies such as Google to dismantle CryptBot’s infrastructure, including a legal takedown in 2023, the malware remains a persistent threat. The report concludes, “This also shows that despite having companies with major strike power like Google engaging in legal procedures, those threats can still prosper and expand.”