A new version of the CryptBot info stealer was seen in distribution via multiple websites that offer free downloads of cracks for games and pro-grade software.
CryptBot is a Windows malware that steals information from infected devices, including saved browser credentials, cookies, browser history, cryptocurrency wallets, credit cards, and files.
The latest version features new capabilities and optimizations, while the malware authors have also deleted several older functions to make their tool leaner and more efficient.
Security analysts at Ahn Lab reported that the threat actors are constantly refreshing their C2, dropper sites, and the malware itself, making CryptBot one of the most rapidly changing malicious operations currently active.
Using search results for delivery
According to the Ahn Lab report, the CryptBot threat actors distribute malware through websites pretending to offer software cracks, key generators, or other utilities.
To gain wide visibility, the threat actors utilize search engine optimization to rank the malware distribution sites at the top of Google search results, providing a stable stream of prospective victims.
According to screenshots shared of the malware distribution sites, the threat actors use both custom domains and websites hosted on Amazon AWS.