40,000 CryptBot Downloads per Day: Bitbucket Abused as Malware Slinger

We found the Bitbucket repository via a malicious AutoHotkey downloader^[1]. The AutoHotkey script is located in the PE resources with the RCDATA resource type. We used Resource Hacker to access the script (see image below).

The downloader checks IP and location information of the infected system via http://ip-api.com/line/ and puts the result into %TEMP%/ip_.txt. Then it calls two shortened URLs at https://iplogger.org. This URL shortener service provides statistics and location tracking for the shortened links. The site's content is downloaded to %TEMP%/loger.txt and %TEMP%/loger2.txt.

It proceeds to check the country code in ip_.txt and will download PCBoosterSetup.exe^[8] for the following country codes: TR, FR, US, DE, GB, HR, HU, RO, PL, IT, PT, ES, CA, DK, AT, NL, AU, AR, NP, SE, BE, NZ, SK, SO, GR, BG

The Bitbucket repository "new" by the user Lewis Shields contains no source code but three binary files in the downloads section. Two of which are downloaded by the AutohotKey sample^[1].

The repository exists since 16. January 2020. The files are renewed every few hours, the intervals are different for each file. We observed renewal of 1.exe and 4.exe approximately every 5 hours, and renewal of 9.exe approximately once a day.

That means there are more downloaders that access this repository. We downloaded two sets of samples and identified the malware families.

We contacted technical support of Atlassian on Friday afternoon and notified them about the malware hosting repository. Reporting took a bit of effort because it required registration and the forms weren't suited for security issues. On Monday morning an employee at Atlassian contacted me via Twitter because they had seen our tweet. It was due to said employee that the repository was taken down on Monday, 3. February 2020, 67 hours after our report. Given the approximate download rates, more than 355,100 downloads were done during that time frame.

All Lewis Shields' samples are packed with Themida. We identified the samples^[2][3] named "1.exe" as Buer loader with NuclearBot aka TinyNuke. It creates a file in  C:\ProgramData\UBlockPlugin\plugin.exe and executes it. The process tree of VMRay shows process injection via CreateRemoteThread from plugin.exe into secinit.exe.

NuclearBot is classified as banking trojan. According to Malpedia criminals put up the malware for sale for 25000 USD in 2016. Its source code was published on Github in the meantime and the author of NuclearBot has been arrested in 2019.

The samples named "9.exe"^[6][7] are infostealer which were identified as CryptBot by @benkow_@StopMalvertisin and @James_inthe_box in this Twitter thread. CryptBot made news on Bleepingcomputer in December 2019 for being installed via a fake VPN site. Among others it steals credentials for browsers, crypto currency wallets, browser cookies, and creates screenshots of the infected system. @benkow_ also told us that CryptBot provides access to a statistics panel for guests to check infected systems worldwide (see image below).

Using that panel we can check stats for certain countries during the time frame the repository was still up. Below is the top 15.

The sum of entries in that time frime amounts to 41,620, which is 627 entries per hour. The download rate of CryptBot samples in LewisShields' repository on the other hand was about 1,800 per hour. So we know that at least two thirds of those downloads do not lead to an infection. It is very likely that other CryptBot hosts are used, which makes the rate of downloads not leading to infection higher than that. Those non-infective downloads may stem from automated analysis systems or they are due to Antivirus products which didn't stop the downloader but the CryptoBot sample from executing.