The CryptBot infostealer has been modified and is spreading via websites offering cracked and pirated software. According to the report, the operators are continuously refreshing their C2 infrastructure, dropper sites, and malware.

The recent CryptBot campaign

CryptBot operators are using search engine optimization (SEO) to push their distribution sites to the top of Google search results, increasing the chances that a victim lands on them.
  • Based on shared screenshots of the distribution sites, the attackers are using custom domains or websites hosted on Amazon AWS.
  • The malicious websites use a wide variety of lures to draw users onto the distribution sites.
  • Visitors pass through multiple redirections and end up at a delivery page, which may sit on a legitimate site that was compromised for the SEO poisoning attack.

Technical changes in the new version

Recent samples of CryptBot show that the new version is lighter and leaner, and has a higher chance of evading detection. The newest version adds an anti-VM check based on the CPU core count.
  • To simplify the trojan's functionality, the authors removed the anti-sandbox routine, the redundant second C2 connection, and two of the exfiltration folders in which stolen information was staged.
  • The code shows that, when sending files, the earlier tactic of manually appending the file data to the request header has been replaced by a call to a simple API, together with a changed user-agent value.
  • The previous version called the send function twice, once for each of two different C2 servers. The new version has a single, hard-coded C2 URL inside the function.
  • CryptBot's authors also removed the screenshot function and the option of collecting TXT files from the desktop, both of which could be easily noticed during exfiltration.
  • The new strain also makes targeted additions and improvements for better effectiveness: it now searches all file paths for user data wherever it resides and steals it regardless of the installed Chrome version.

Conclusion

CryptBot only reaches users who look for fake or pirated software on malicious sites, so downloading pirated software and cracks from dubious sites is never advisable. In addition, use a reliable anti-malware solution to stay protected from such threats.
Cyware Publisher