Figure 3 - Folder placed into user’s Temp directory post execution

This folder contains four files that are used to carry out the next stage of the attack:

- “aeFdOLFszTz.dll” – A legitimate copy of Microsoft® Windows® “ntdll.dll”
- “Carne.gif” – An obfuscated AutoIT script
- “Raccontero.exe” – An AutoIT v3 executable compiler

As seen in Figure 3, two of these files are displayed with a .GIF extension to masquerade as image files. However, these files are in fact malicious scripts. The file extensions used vary, depending on the version of CryptBot downloaded by the victim. Different variants analyzed have also been observed using .WMV extensions.

A copy of “AutoITv3.exe” is also dropped to the folder as “Raccontero.exe.” This tool is an interpreter that is part of AutoIT, a freeware programming language for Windows-based devices. It is intended for automating services via scripts; however, it has frequently been abused by many different malware families. The structure and contents of the BAT script, such as obfuscated variables, can be seen in Figure 4 below.

Figure 8 - C2 addresses and a selection of targeted directories

Latest Variant

The very latest version of CryptBot was first spotted in the wild in early 2022, with a few notable differences from previous variations. The script scans the running task list for two antivirus (AV) products, “BullGuardCore” and “Panda Cloud Antivirus.” If these AV products are present, the malware calls a “sleep” function to delay execution and help it evade detection.

The latest version of CryptBot also does not steal screenshots of the victim’s desktop, nor does it delete the malicious files it used. Another feature removed is the anti-sandbox capability present in previous versions. Overall, it appears that the threat actor has decided to trim the file so that it includes only the core functionality necessary for successful data exfiltration.

The malicious BAT script now in use contains a higher level of obfuscation, using encrypted variables to impede analysis by threat researchers. The obfuscation methods used in this version also differ from those of older CryptBot variants. The current version deletes only the gathered data after successful exfiltration, rather than its own files.
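One defensive check the Temp-folder drop described above suggests, written here as an added example rather than code from the original report: flag files whose image or video extension does not match their content (scripts posing as .GIF/.WMV), and flag PE files that carry an AutoIt marker under an unrelated name (the renamed interpreter). The AutoIt marker string and every sample file's contents are assumptions constructed for the demo; only the file names "Carne.gif", "Raccontero.exe" and "aeFdOLFszTz.dll" come from the report.

```python
import tempfile
from pathlib import Path
from typing import Dict, Optional

# Expected magic bytes for the extensions the report says CryptBot abuses;
# the .wmv value is the ASF header object GUID.
MAGIC = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".wmv": (bytes.fromhex("3026b2758e66cf11a6d900aa0062ce6c"),),
}
# Assumption: the AutoIt3 interpreter embeds "AutoIt" in its version
# resource (UTF-16) and/or as ASCII, so a renamed copy still carries it.
AUTOIT_MARKERS = (b"AutoIt", "AutoIt".encode("utf-16-le"))

def classify(path: Path) -> Optional[str]:
    """Return a finding for a suspicious file, or None if it looks benign."""
    with open(path, "rb") as fh:
        head = fh.read(64 * 1024)  # enough for magic bytes and version strings
    ext = path.suffix.lower()
    if ext in MAGIC:
        if not head.startswith(MAGIC[ext]):
            return f"extension/content mismatch: not a real {ext} file"
        return None
    if head.startswith(b"MZ") and any(m in head for m in AUTOIT_MARKERS):
        return "PE contains AutoIt marker: possible renamed interpreter"
    return None

def scan_folder(folder: str) -> Dict[str, str]:
    """Map each suspicious file name in a drop folder to its finding."""
    findings = {}
    for p in Path(folder).iterdir():
        label = classify(p) if p.is_file() else None
        if label:
            findings[p.name] = label
    return findings

def build_sample_folder() -> str:
    """Constructed stand-in for the Figure 3 folder; all contents are synthetic."""
    folder = tempfile.mkdtemp(prefix="cryptbot_demo_")
    samples = {
        "Carne.gif": b"$x = 1\n",                       # script posing as an image
        "Video.wmv": b"@echo off\n",                    # made-up name, script posing as video
        "real.gif": b"GIF89a" + b"\x00" * 32,           # genuine GIF header, benign
        "Raccontero.exe": b"MZ" + b"\x00" * 64 + "AutoIt v3".encode("utf-16-le"),
        "aeFdOLFszTz.dll": b"MZ" + b"\x00" * 64 + b"ntdll.dll",  # plain PE, benign
    }
    for name, data in samples.items():
        Path(folder, name).write_bytes(data)
    return folder
```

Running `scan_folder(build_sample_folder())` reports the two masquerading scripts and the renamed interpreter while leaving the genuine GIF and the plain DLL unflagged.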