Cryptbot Stealer - Update on Rules

Cryptbot Stealer has been switching its behavior in the past weeks from uploading logs to C2 on /gate.php to /zip.php. Maybe there are more changes.
I believe this change has been completed and there's no rule detection for Cryptbot as of now, so the old rules need to be updated.

OLD DETONATION
(Analysis https://kickasscracks.com Malicious activity - Interactive analysis ANY.RUN)

Rules related to cryptbot fired

  • ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M1
  • ET MALWARE Win32/Cryptbot V2 Data Exfiltration Attempt
  • ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M2

NEW DETONATION
(Analysis https://abbaspc.net Malicious activity - Interactive analysis ANY.RUN)

No rules fired, 0 detection on Cryptbot.

Thanks in advance.

1 Like

Thanks for the share, g0njxa. I’ve added a new rule to detect these new Cryptbot variants. It should appear in the release today. If you find new variants, please let us know so we can continue to add detection.

:hotdog:

3 Likes

Believe this was 2046886, thanks!

Hello!

New variants have been found in the wild, currently without proper rule detection.

Detonation: Analysis https://iplogger.com/2lEuz3 Malicious activity - Interactive analysis ANY.RUN

C2 - http://rzninet19ht.top/v1/upload.php

Would be interesting to add detection to these new variants of Cryptbot

3 Likes

hey @g0njxa -

Thanks for the tip! We got the following signatures into today’s release that should cover the gap.

2054347 - ET MALWARE Cryptbot CnC Domain in DNS Lookup (analforeverlove .top)
2054348 - ET MALWARE Cryptbot CnC Domain in DNS Lookup (rzfift15ht .top)
2054349 - ET MALWARE Cryptbot CnC Domain in DNS Lookup (rzeight18pt .top)
2054350 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4
2054351 - ET MALWARE Observed Cryptbot Domain (analforeverlove .top in TLS SNI)
2054352 - ET MALWARE Observed Cryptbot Domain (rzfift15ht .top in TLS SNI)
2054353 - ET MALWARE Observed Cryptbot Domain (rzeight18pt .top in TLS SNI)

I’m also working on some signatures to detect the DGA pattern that they are using right now and should have that out on Monday.

Thanks and have a great weekend! :sunglasses:
Isaac

2 Likes
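The thread above describes three kinds of Cryptbot indicators: HTTP POST uploads to /gate.php, /zip.php and later /v1/upload.php, DNS lookups of the listed C2 domains, and the same domains in TLS SNI. The following Python script is an added example, not code from the thread or from Emerging Threats, that checks constructed Suricata EVE JSON records (`event_type` of `http`, `dns` and `tls`) against exactly those indicators from the thread. The sample log lines, IP addresses and the benign hostnames are constructed for the example; the path-only HTTP match is deliberately broader than the real ET signatures, which pair the URI with body content, so treat it as a triage aid over existing logs rather than a drop-in rule.

```python
import json

# Indicators quoted from the thread above. Everything else in this file is constructed.
CRYPTBOT_UPLOAD_PATHS = {"/gate.php", "/zip.php", "/v1/upload.php"}
CRYPTBOT_DOMAINS = {
    "analforeverlove.top",
    "rzfift15ht.top",
    "rzeight18pt.top",
    "rzninet19ht.top",
}


def _domain_match(name):
    """True if name is one of the known C2 domains or a subdomain of one."""
    name = (name or "").lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in CRYPTBOT_DOMAINS)


def check_event(ev):
    """Return (signature, detail) tuples for a single EVE record, mirroring the
    three rule families in the thread: POST to upload path, DNS lookup, TLS SNI."""
    hits = []
    etype = ev.get("event_type")
    if etype == "http":
        http = ev.get("http", {})
        method = (http.get("http_method") or "").upper()
        url = http.get("url") or ""
        path = url.split("?", 1)[0]  # ignore any query string when matching the path
        if method == "POST" and path in CRYPTBOT_UPLOAD_PATHS:
            hits.append(("Cryptbot CnC Activity (POST)",
                         f"{method} {http.get('hostname', '')}{url}"))
    elif etype == "dns":
        rrname = ev.get("dns", {}).get("rrname", "")
        if _domain_match(rrname):
            hits.append(("Cryptbot CnC Domain in DNS Lookup", rrname))
    elif etype == "tls":
        sni = ev.get("tls", {}).get("sni", "")
        if _domain_match(sni):
            hits.append(("Observed Cryptbot Domain in TLS SNI", sni))
    return hits


def scan_eve(lines):
    """Scan an iterable of EVE JSON lines; malformed lines are skipped."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        for sig, detail in check_event(ev):
            alerts.append({"src_ip": ev.get("src_ip"), "signature": sig, "detail": detail})
    return alerts


# Constructed sample EVE records (not real traffic): two upload POSTs (old and
# new path), a benign GET, a C2 DNS lookup, a C2 TLS SNI, a benign DNS lookup
# and one corrupt line that the scanner must tolerate.
SAMPLE_EVE = [
    '{"event_type":"http","src_ip":"10.0.0.5","http":{"hostname":"rzninet19ht.top","url":"/v1/upload.php","http_method":"POST"}}',
    '{"event_type":"http","src_ip":"10.0.0.5","http":{"hostname":"benign.example.test","url":"/index.html","http_method":"GET"}}',
    '{"event_type":"http","src_ip":"10.0.0.7","http":{"hostname":"host.example.test","url":"/zip.php?x=1","http_method":"POST"}}',
    '{"event_type":"dns","src_ip":"10.0.0.5","dns":{"type":"query","rrname":"rzfift15ht.top"}}',
    '{"event_type":"tls","src_ip":"10.0.0.9","tls":{"sni":"rzeight18pt.top"}}',
    '{"event_type":"dns","src_ip":"10.0.0.5","dns":{"type":"query","rrname":"updates.example.test"}}',
    '{"event_type":"http","src_ip":"10.0.0.5","http":{"hostname":"truncated',
]

if __name__ == "__main__":
    for alert in scan_eve(SAMPLE_EVE):
        print(f"{alert['src_ip']:<10} {alert['signature']:<40} {alert['detail']}")
```

Running the script over a real `eve.json` is a matter of passing the file object to `scan_eve`. Hosts that hit the DNS or SNI checks are the strongest signal; a lone POST to /gate.php from an otherwise quiet host is worth a look, but the path alone is shared with plenty of unrelated software, which is why the ET rules carry extra content matches.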