New Malware “ImBetter” Targets Cryptocurrency Users

New Malware "ImBetter" Targets Cryptocurrency Users

VTA-00438 – New Malware “ImBetter” Targets Cryptocurrency Users

Researchers at CRIL have recently discovered fraudulent websites that mimic popular crypto-wallets and file converters, with a specific focus on Windows users. These deceptive sites deceive users into downloading the newly discovered “ImBetter Stealer” malware, which is designed to steal users’ confidential information. This malware can access users’ sensitive information stored on the user’s browser, including saved login credentials, cookies, user profiles, and cryptocurrency wallets. Additionally, the malicious software captures system screenshots and sends them to the attackers. Clicking certain controls on the website initiates the infection process, which contains the “ImBetter Stealer” malware, identified by its Program Database (PDB) filename of “ImBetter.pdb.”

ImBetter Stealer is a 32-bit executable file with SHA256 and a graphical user interface. When executed, it identifies the system’s language and region using the Language Code Identifier (LCID) and captures the screen. It then creates a socket connection to a command and control (C&C) IP address and sends various system information, such as hardware ID, GPU details, amount of RAM installed on the system, CPU details, screen details, and name of the executable file, to the C&C server in encoded Base64 format. The malware also searches for Chromium-based browsers installed on the system to harvest sensitive information like login credentials, cookies, user profiles, and cryptocurrency wallet extensions stored in the AppData/Local folder path.

ImBetter Stealer is a dangerous type of information-stealing malware that can grant cybercriminals unauthorized access to victims’ crypto wallets or online accounts, resulting in the theft of valuable digital assets or personal information. Therefore, it is crucial to stay vigilant when downloading files or visiting websites and to ensure that antivirus software is up-to-date.


Attack Surfaces:
Email, Web Application, Web Browser

Collection, Command and Control, Credential Access, Defense Evasion, Discovery, Execution

T1204 – User Execution
T1027 – Obfuscated Files or Information
T1528 – Steal Application Access Token
T1010 – Application Window Discovery
T1083 – File and Directory Discovery  
T1005 – Data from Local System
T1071 – Application Layer Protocol

Indicator of Compromise:

SuperPRO’s Threat Countermeasures Procedures: 
1.Avoid downloading pirated software from warez/torrent websites as they may contain malware, including information stealers like ImBetter.
2.Use strong and unique passwords, and enable multi-factor authentication wherever possible to enhance security.
3.Enable automatic software updates on all connected devices to protect against known vulnerabilities.
4.Install reputable antivirus and internet security software on all connected devices, including computers, laptops, and mobile phones.
5.Be cautious when opening links or email attachments from unknown sources, and verify their authenticity before downloading or opening them.
6.Educate employees on how to protect themselves from potential threats such as phishing and untrusted URLs to prevent data breaches.
7.Block URLs commonly associated with malware distribution, such as Torrent and Warez websites.
8.Monitor network traffic to detect and block data exfiltration by malware or threat actors (TAs).
9.Implement Data Loss Prevention (DLP) solutions on employee systems to prevent the unauthorized transfer of sensitive information.

Contributed by:  Varrumen

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>