40,000 CryptBot Downloads per Day: Bitbucket Abused as Malware Slinger

02/06/2020
G DATA Blog

Public source code repository at Bitbucket.org was as abused to host CryptBot, Buer loader with NuclearBot and Cryptominer.

AutoHotkey Downloader

We found the Bitbucket repository via a malicious AutoHotkey downloader[1]. The AutoHotkey script is located in the PE resources with the RCDATA resource type. We used Resource Hacker to access the script (see image below).

The downloader checks IP and location information of the infected system via http://ip-api.com/line/ and puts the result into %TEMP%/ip_.txt. Then it calls two shortened URLs at https://iplogger.org. This URL shortener service provides statistics and location tracking for the shortened links. The site's content is downloaded to %TEMP%/loger.txt and %TEMP%/loger2.txt.

It proceeds to check the country code in ip_.txt and will download PCBoosterSetup.exe[8] for the following country codes: TR, FR, US, DE, GB, HR, HU, RO, PL, IT, PT, ES, CA, DK, AT, NL, AU, AR, NP, SE, BE, NZ, SK, SO, GR, BG

PCBoosterSetup.exe is an installer for PC Booster by Energizer Softech. This software is not malicious, but potentially unwanted. The AutohotKey downloader was submitted by the name setupres.exe to VirusTotal, so it is probably advertised and distributed as PC Booster installer making this a classic trojan horse.

The trojan downloads and executes three files from a public Bitbucket.org repository to %APPDATA%: 1.exe, 3.exe, and 4.exe. Only two of those files were present on Friday evening, 31. January 2020, when we first analysed the trojan.

Lewis Shields' Bitbucket Repository

The Bitbucket repository "new" by the user Lewis Shields contains no source code but three binary files in the downloads section. Two of which are downloaded by the AutohotKey sample[1].

The repository exists since 16. January 2020. The files are renewed every few hours, the intervals are different for each file. We observed renewal of 1.exe and 4.exe approximately every 5 hours, and renewal of 9.exe approximately once a day.

FilenameApproximate download rate (observed from 31.Jan.2020 to 3.Feb.2020)Malware family
1.exe800 downloads per hourBuer loader and NuclearBot
4.exe2,700 downloads per hourCoinminer loader
9.exe1,800 downloads per hourCryptBot

 

That means there are more downloaders that access this repository. We downloaded two sets of samples and identified the malware families.

We contacted technical support of Atlassian on Friday afternoon and notified them about the malware hosting repository. Reporting took a bit of effort because it required registration and the forms weren't suited for security issues. On Monday morning an employee at Atlassian contacted me via Twitter because they had seen our tweet. It was due to said employee that the repository was taken down on Monday, 3. February 2020, 67 hours after our report. Given the approximate download rates, more than 355,100 downloads were done during that time frame.

Buer Shipping NuclearBot

All Lewis Shields' samples are packed with Themida. We identified the samples[2][3] named "1.exe" as Buer loader with NuclearBot aka TinyNuke. It creates a file in  C:\ProgramData\UBlockPlugin\plugin.exe and executes it. The process tree of VMRay shows process injection via CreateRemoteThread from plugin.exe into secinit.exe.

NuclearBot is classified as banking trojan. According to Malpedia criminals put up the malware for sale for 25000 USD in 2016. Its source code was published on Github in the meantime and the author of NuclearBot has been arrested in 2019.

CryptBot Infostealer Infects Thousands

The samples named "9.exe"[6][7] are infostealer which were identified as CryptBot by @benkow_@StopMalvertisin and @James_inthe_box in this Twitter thread. CryptBot made news on Bleepingcomputer in December 2019 for being installed via a fake VPN site. Among others it steals credentials for browsers, crypto currency wallets, browser cookies, and creates screenshots of the infected system. @benkow_ also told us that CryptBot provides access to a statistics panel for guests to check infected systems worldwide (see image below).

Using that panel we can check stats for certain countries during the time frame the repository was still up. Below is the top 15.

NrCountryNumber of infected systems
1IN5112
2ID2747
3BR2216
4PK1837
5US1325
6PH1325
7TR1277
8EG1239
9VN938
10IT888
11TH873
12DE846
13FR834
14MX822
15KR759

The sum of entries in that time frime amounts to 41,620, which is 627 entries per hour. The download rate of CryptBot samples in LewisShields' repository on the other hand was about 1,800 per hour. So we know that at least two thirds of those downloads do not lead to an infection. It is very likely that other CryptBot hosts are used, which makes the rate of downloads not leading to infection higher than that. Those non-infective downloads may stem from automated analysis systems or they are due to Antivirus products which didn't stop the downloader but the CryptoBot sample from executing.

Reaction Times are Crucial

Given the number of ca 355,100 malware downloads for the time frame from reporting to take down of the repository, we can see that early reaction times are crucial. This includes easy access with tailored forms to contact support for security related issues. It also includes having security savvy employees to recognize the importance of the issue and respond to the situation in time. In this case it was due to Twitter and an observant employee that the malware hosting repo was taken down 67 hours after report.

Sample Hashes

SampleFilenameSHA256
[1] Autohotkey Downloadersetupres.exe7d1c47f69805ec4009c0620dadbddeff7a1eaa98eb5a296fbc6ba4cd479c706b
[2] Buer, NuclearBot1.exe6e713cf82173de60a69dc7ed84d3b006aeb35e8058553155eee674452e1e2017
[3] Buer, NuclearBot1.exeb68ee1ba36aa100a393710bc06142a742d7e59d62b8204ec4991625467c189b2
[4] Coinminer loader4.exec215fdd20f2cda8177c79e7b4b5f0d97ed5dd858e3376f5746dfc99c475329b1
[5] Coinminer loader4.exefd60c32090c2171e6fa227e2bc29f72a1c28555f62ea2f01a334fa72af87ab00
[6] CryptBot9.exe3c3bd6438dbaa3fd9727f0bf699c5e61f02de1e8896d7e87a5d6436b2d844d81
[7] CryptBot9.exe2f2db989204f89ae8d8512ff0168857a7c613c4a26d0817ffd93a552f1ce96bc
[8] PC Booster Installer by  Energizer SoftechPCBoosterSetup.exe636a31559c9a532a8ada119380129f9362f6c68b3456228766b3672ae3d676d8

Karsten Hahn
Malware Analyst