As cryptocurrencies continue to gain popularity, threat actors will find new and innovative ways to pursue this financial incentive with increasingly complex and stealthy crypto-stealers. This fast-evolving part of the finance industry is certainly keeping cybersecurity defenders on their toes!

Since creation of the first cryptocurrency, Bitcoin, in 2009, the rocketing popularity of this new medium of exchange has spurred a gold-rush mentality among malware actors. There are now more than 12,000 cryptocurrencies (March 2022) with the market more than doubling from the start of 2021 to the same point a year later. At the end of 2021, there were almost 1,000 new currencies being launched each month, creating phenomenal growth, though it’s generally reported that the top 20 currencies account for 90% of the market.

At the same time, crypto as a form of payment has become a backbone of the ransomware business.

It’s estimated that Bitcoin accounts for around 98% of ransomware payments. Last year, for example, ransomware gang REvil demanded payment of £50.5 million in Bitcoin from IT firm Kaseya, in return for a decryption key to unlock file access. The attack affected US financial institutions, including American Express and Chase, among the hundreds of Kaseya customers impacted. Though the ransom was never paid, it underlined how popular cryptocurrency is among cybercriminals – largely because it offers a high degree of anonymity, making activity hard to track. Without traditional banking structures and regulations, accounts are simple to set up and transactions quick to process.

Now, some criminals are taking a more direct approach and going straight for stealing the contents of victims’ crypto wallets.

Beware of the Scavenger

BHunt Scavenger is among the latest threats targeting cryptocurrency holdings. It scavenges systems for access to cryptocurrency accounts, while also working to hide its activities on the system and to slow analysis and detection in a variety of other ways.

While BHunt goes about its business harvesting currency from victims' crypto wallets, it also attempts to steal browser passwords. This is likely intended to help find login credentials stored there for online crypto accounts, along with online banking or social media accounts that could be used for further financial gains.

In certain situations, BHunt can also deploy a cryptominer on the victim’s device – a practice known as ‘cryptojacking’ that uses the infected computer’s processing power to mine for cryptocurrency – or monitor their clipboard for security passphrases to gain access to other online accounts. With this information they can permanently lock users out and steal investments.

Catching a master criminal

BHunt is a master of disguise. Once it has gained access, it tries to slow analysis and evade detection by obfuscating its execution files using commercial ‘binary packers’ (which change the code by compressing or encrypting it) or splitting its functionality across multiple files. Both techniques aim to make it less readily identifiable by programmes looking to detect cyberthreats.

BHunt also employs a devious strategy to use legitimate software tools for nefarious purposes. This makes it extremely difficult to detect components of the malware on the victim’s system because, at face value, the tools are recognised as authorised programmes and pose no obvious threat. Security products need to distinguish the context in which the legitimate software is being used, which is no easy feat for legacy antivirus software.

Protection against crypto-criminals

The financial sector is among the most targeted by ransomware criminals, with the average cost of remediation estimated around £1.5M. Ransoms are rarely paid by the financial sector, ostensibly to avoid setting a precedent. However, innovations like cryptocurrency and crypto wallets create new opportunities for malicious intent and - as they continue to grow in popularity – threat actors will pursue financial reward with increasingly complex and stealthy crypto-stealers. Once in your system, it is the ability to evade identification, hide amongst legitimate programmes and thwart detection that make ransomware programmes like BHunt so potentially costly and dangerous.

Protection requires a more proactive stance than offered by legacy anti-virus software. It needs to stop the bad guys at the door by preventing them delivering any malicious executables. They won’t even have time to don their master criminal disguise.