Beware the Crypto Stealers – CPO Magazine
Forget the market sales, hackers are the real threat crypto fans should be watching out for.
While cryptocurrencies have gone from red-hot to full-blown meltdown in recent months, with both private and institutional investors losing significant sums amid the selloff, threat actors show no signs of shying away from finding new and innovative ways to pursue this lucrative and relatively new finance category with increasingly complex and stealthy crypto-thieves.
In fact, just this past month, the US Federal Bureau of Investigation (FBI) warned that criminals have created fraudulent apps impersonating genuine financial service brands to trick investors into parting with $42.7 million in cryptocurrency over a period of about six months.
This rapidly evolving part of the financial industry certainly keeps cybersecurity defenders on their toes and has become one of the most targeted areas by ransomware criminals, with the average cost of remediation estimated at around 1.8 million.
Bitcoin’s creation in 2009 spurred a gold rush mentality among both investors and malware actors who saw it as an unloseable get-rich-quick lottery ticket. A dozen years later, there are now more than 12,000 cryptocurrencies (March 2022) and the market more than doubled from the start of 2021 to the same point a year later. By the end of 2021, nearly 1,000 new currencies were being launched every month, with around 300 million people holding crypto assets. Even after the June sale, there were still $1.1 trillion worth of digital assets in circulation; not bad for an industry that has earned many critics and skeptics.
Amid the sector’s phenomenal growth, crypto as a form of payment has become one of the main backbones of the ransomware business.
It is estimated that Bitcoin accounts for around 98% of ransom payments. Last year, for example, the REvil ransomware gang demanded the payment of US$60 million in Bitcoin from the IT firm Kaseya, in exchange for a decryption key to unlock file access. The attack hit US financial institutions, including American Express and Chase, among the hundreds of Kaseya customers affected. Although the ransom was never paid, it underscored how popular cryptocurrency is with cybercriminals – mainly because it offers a high degree of anonymity, making activity difficult to trace. Without traditional banking structures and regulations, accounts are easy to set up and transactions are quick to process.
Now, some criminals are taking a more direct approach and going straight out to steal the contents of victims’ crypto wallets.
Beware of the Scavenger
BHunt Scavenger is among the latest threats targeting cryptocurrency holdings. It removes systems for accessing cryptocurrency accounts, while working to hide the activities on the system and delay analysis and detection in a number of other ways.
While BHunt conducts its business of harvesting currency from victims’ crypto wallets, it also attempts to steal browser passwords. This is probably meant to help find login information stored there for online crypto accounts, along with online banking or social media accounts that can be used for further financial gains.
In certain situations, BHunt can also deploy a cryptominer on the victim’s device – a practice known as ‘cryptojacking’ that uses the infected computer’s processing power to mine for cryptocurrency – or monitor their clipboard for security passwords to access other online accounts. With this information, they can permanently block users and steal investments.
Catching a master criminal
BHunt is a master of disguise. Once accessed, it tries to slow analysis and avoid detection by obfuscating the executable files using commercial “binary packers” (which modify the code by compressing or encrypting it) or splitting the functionality across multiple files. Both techniques aim to make it less easily identifiable by programs looking to detect cyber threats.
BHunt also uses a cunning strategy to use legitimate software tools for malicious purposes. This makes it extremely difficult to detect malware components on the victim’s system because the tools at face value are recognized as authorized programs and pose no obvious threat. Security products must distinguish between the context in which the legitimate software is used, which is not easy for legacy antivirus software.
Protection against cryptocriminals
Despite being one of the most targeted areas of the economy, ransoms are rarely paid by the financial sector, apparently to avoid setting a precedent and encouraging further attacks. However, innovations such as cryptocurrency and crypto-wallets create new opportunities for malicious intent, and – as they continue to grow in popularity even with devaluations that have plunged recently – threat actors will continue to seek financial rewards with increasingly complex and insidious crypto-thieves . Once inside your system, it’s the ability to evade identification, hide among legitimate programs, and prevent detection that makes ransomware like BHunt so potentially costly and dangerous.
Protection requires a more proactive attitude than that offered by legacy antivirus software and EDR solutions alone. It must stop the bad guys at the door by preventing them from delivering malicious executables. They won’t even have time to put on their most criminal disguise.
