CryptBot Spreads via Cracked Software

Recently, WatchTower observed the CryptBot info stealer spreading through cracked software. CryptBot is a piece of malware for Microsoft Windows that steals information from infected devices, including saved browser credentials, cookies, browser history, cryptocurrency wallets, credit cards, and files.

Technical Details

When a user tries to download cracked software, the malware's infection chain begins. When the user clicks "download" on the malicious website, the site redirects them several times before loading the download page. The downloaded file is a password-protected ZIP archive containing CryptBot.

The screenshot above shows the CryptBot sample. After extraction, it is a huge binary (>300MB). This size is due to a large overlay used for hash busting, and it also helps the sample evade antivirus products, which often fail to scan files that large. In the screenshot below, you can see the strings detailing the malware's stealing capabilities, such as cryptocurrency wallet information and browser information.
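A triage check for the oversized-overlay trick described above, as an added example that is not WatchTower's code or part of the original post: it walks the PE section table by hand to measure how many bytes sit past the last section (the overlay) and flags a file whose overlay is both large and most of the file. The `build_sample_pe` helper constructs a minimal PE with a chosen amount of padding so the check runs offline; the 50 MB / 50% thresholds are assumptions, not values from the post.

```python
import struct

SECTION_HDR = 40  # size of one IMAGE_SECTION_HEADER


def pe_overlay_size(data: bytes) -> int:
    """Bytes appended after the last section's raw data (the overlay); -1 if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return -1
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return -1
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_hdr_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    sec_table = e_lfanew + 24 + opt_hdr_size
    end = sec_table + num_sections * SECTION_HDR  # image spans at least the headers
    for i in range(num_sections):
        off = sec_table + i * SECTION_HDR
        if off + SECTION_HDR > len(data):
            return -1  # truncated section table
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)  # SizeOfRawData, PointerToRawData
        end = max(end, raw_ptr + raw_size)
    return max(0, len(data) - end)


def assess_overlay(data: bytes, min_overlay: int = 50 * 1024 * 1024, min_ratio: float = 0.5) -> dict:
    """Flag a PE whose overlay is large AND dominates the file (assumed thresholds)."""
    overlay = pe_overlay_size(data)
    ratio = overlay / len(data) if overlay > 0 else 0.0
    return {"overlay_bytes": overlay, "overlay_ratio": round(ratio, 3),
            "suspicious": overlay >= min_overlay and ratio >= min_ratio}


def build_sample_pe(overlay_len: int) -> bytes:
    """Constructed minimal PE (one 16-byte .text section at 0x80) plus overlay_len padding bytes."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew -> 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)  # 1 section, no optional header
    sec = b".text\0\0\0" + struct.pack("<IIIIIIHHI", 0x10, 0x1000, 0x10, 0x80, 0, 0, 0, 0, 0x60000020)
    return dos + coff + sec + b"\xC3" * 16 + b"\0" * overlay_len


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    sample = open(path, "rb").read() if path else build_sample_pe(4096)
    print(assess_overlay(sample, min_overlay=1024))  # low threshold so the constructed sample trips it
```

Legitimate installers and Authenticode-signed binaries also carry overlays, so treat a hit as a triage signal to pair with the file's origin (cracked-software download, password-protected archive) rather than a verdict on its own.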

