
B3hpy

Posted: July 14, 2020

B3hpy is a Python-based piece of malware that targets Windows devices and focuses on stealing sensitive data from them. The first traces of the B3hpy campaign were spotted in the middle of 2019, when the malware was spread via phishing emails that targeted users in Middle Eastern countries. The B3hpy malware is believed to be linked to the BadPatch campaign, which has been active in the Middle East since 2017.

Malicious 'SCR' Files Deliver the B3hpy Trojan via Email

The malicious email messages used to deliver the B3hpy malware carry a file attachment with the '.scr' extension. This extension is normally reserved for old 'screensaver' files, but such a file can also be built to work as a self-extracting archive, and the criminals opted for the latter. Executing the '.scr' file creates two new files on the victim's computer: a malicious file 'd.exe' and a decoy document called 's.docx.' The document is opened automatically to present the user with content that makes the file appear harmless; meanwhile, the 's.exe' is executed in the background and deploys the B3hpy implant.
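A defender-side triage routine for the delivery stage described above, added here as an example and not code from the original page or from any vendor tool. It parses an email, and for each attachment flags an executable extension such as '.scr', a PE header, and an archive signature appended to that PE (the layout a self-extracting stub has); the sample message, the fake PE stub and the addresses in it are constructed for the demonstration.

```python
import email
from email.message import EmailMessage

# Extensions Windows runs directly; .scr is the one used by the B3hpy lure.
EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com"}
# Archive signatures a self-extracting stub carries after its PE code.
ARCHIVE_MAGIC = {b"Rar!\x1a\x07": "RAR", b"PK\x03\x04": "ZIP"}


def classify_attachment(filename: str, data: bytes) -> list[str]:
    """Return the reasons this attachment should be quarantined (empty if none)."""
    reasons = []
    ext = "." + filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {ext}")
    if data[:2] == b"MZ":  # DOS/PE header: the file is a Windows executable
        reasons.append("PE header (MZ) present")
        for magic, name in ARCHIVE_MAGIC.items():
            if magic in data[2:]:
                reasons.append(f"embedded {name} archive (self-extracting stub)")
    return reasons


def triage_message(raw: bytes) -> dict[str, list[str]]:
    """Map every attachment filename in a raw RFC 822 message to its findings."""
    msg = email.message_from_bytes(raw)
    findings = {}
    for part in msg.walk():
        fname = part.get_filename()
        if not fname:  # body text and multipart containers have no filename
            continue
        payload = part.get_payload(decode=True) or b""
        findings[fname] = classify_attachment(fname, payload)
    return findings


def build_sample() -> bytes:
    """Constructed lure: a tiny fake PE stub with a RAR signature appended (not a real sample)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"   # placeholder addresses
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Document"
    msg.set_content("Please see the attached file.")
    fake_sfx = b"MZ" + b"\x00" * 62 + b"Rar!\x1a\x07\x00" + b"\x00" * 16
    msg.add_attachment(fake_sfx, maintype="application",
                       subtype="octet-stream", filename="invoice.scr")
    msg.add_attachment(b"%PDF-1.4\n", maintype="application",
                       subtype="pdf", filename="notes.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in triage_message(build_sample()).items():
        print(name, "->", reasons or ["no findings"])
```

On a mail gateway the same checks apply to the decoded attachment bytes; the extension check alone already catches the '.scr' lure, and the PE and archive checks catch the same stub renamed to a benign-looking extension.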

Once active, B3hpy sends some information to the command and control server: operating system version, hardware, MAC address, and a list of files or folders found in the directories 'Program Files,' 'Program Files (x86),' 'Microsoft.NET\Framework,' and 'Microsoft.NET\Framework64.' If this task is completed successfully, B3hpy proceeds to request additional malware implants from the control server.

B3hpy Excels at Data Theft

B3hpy is meant to steal files with the extensions TXT, DOC, DOCX, XLS, XLSX, PDF, RAR, and MDB. It then exfiltrates the stolen files by sending an email to b3h@emails.pal4u.net, an address that was previously involved in other BadPatch campaigns. Another component of the B3hpy implant is designed to steal saved passwords from Google Chrome. Finally, B3hpy can also scan attached USB drives for files with specific extensions, create copies of them, and then send them to the attacker's email.

The B3hpy attacks are concentrated in Palestine, but some of B3hpy's activity was also detected in Brazil, India, Colombia, and the United States. Despite being far more advanced than ordinary malware, the B3hpy implant is still detectable and stoppable with the use of reputable antivirus software.
