Newly Discovered Malware Has Arsenal of Tricks to Help It Steal Crypto

2 September 2020

An advanced form of cryptocurrency-targeting malware shared through pirated software and games downloaded from torrent sites poses multiple threats to victims.

  • In a report published Wednesday, researchers at Slovakian cybersecurity firm ESET said they had found malicious code hidden in the installer programs for pirated media files; the code contains a cryptocurrency mining bot.
  • Once downloaded, the hidden app starts its mining bot to hijack computer power and mine monero, as well as ether if a GPU card is detected.
  • However, the malware has evolved in its two years of existence to possess other tricks that are more concerning to users of cryptocurrency.
  • Dubbed "KryptoCibule" – a combination of the Czech and Slovak words for "cryptocurrency" and "onion" – the malware can also replace a wallet address copied to the clipboard with one controlled by the hacker at the moment it is pasted, potentially diverting funds sent to the victim.
  • Further, it will hunt for, and steal, cryptocurrency passwords, private keys or key phrases stored on the host machine's hard drive.
  • The malware is spread by users sharing the affected media files on peer-to-peer file-sharing networks.
  • It also updates itself using BitTorrent, which was acquired by Tron in mid-2018, the researchers said.
  • ESET said KryptoCibule had stolen roughly $1,800 in bitcoin and ether by changing victims' wallet addresses.
  • The researchers were unable to determine how much the hacker stole through the mining bot or through stolen passwords.
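The clipboard-swapping trick described above can be caught on the defender's side by remembering what the user actually copied and comparing it with what the clipboard holds at paste time. The Python script below is an added illustration written for this page; it is not code from the article or from ESET. It assumes format-level address recognition (regular expressions, no checksum validation) is enough to tell that the clipboard holds a wallet address, the `ClipboardGuard` class and the event list are constructed for the demonstration, and the sample addresses are made up apart from the well-known bitcoin genesis address.

```python
import re

# Address-shape patterns used only to recognise that the clipboard holds a
# wallet address. They check format, not checksum (assumption: format-level
# recognition is enough to decide "this is an address" for the comparison).
ADDRESS_PATTERNS = {
    "bitcoin": re.compile(
        r"^(?:[13][A-HJ-NP-Za-km-z1-9]{25,34}"              # legacy / P2SH base58
        r"|bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{25,87})$"  # bech32
    ),
    "ether": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def address_kind(text):
    """Return 'bitcoin', 'ether' or None for the given clipboard text."""
    text = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return kind
    return None


class ClipboardGuard:
    """Remembers the address the user copied and compares it with what is
    actually in the clipboard when the user pastes. Two different addresses
    of the same kind at copy and paste time is the signature of a swap."""

    def __init__(self):
        self._copied = None  # (kind, address) of the last copied address

    def on_copy(self, text):
        kind = address_kind(text)
        self._copied = (kind, text.strip()) if kind else None

    def on_paste(self, clipboard_text):
        pasted = clipboard_text.strip()
        pasted_kind = address_kind(pasted)
        if self._copied is None or pasted_kind is None:
            return None  # no wallet address involved in this paste
        copied_kind, copied_addr = self._copied
        if pasted == copied_addr:
            return None  # clipboard untouched
        return {
            "kind": pasted_kind,
            "copied": copied_addr,
            "pasted": pasted,
            "same_currency": pasted_kind == copied_kind,
        }


# Constructed sample addresses. The first bitcoin address is the well-known
# genesis-block address, used only as a familiar, valid-looking sample; the
# "swapped" ones are made up for this demonstration.
COPIED_BTC = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
SWAPPED_BTC = "1ExampSwappedAddrXXXXXXXXXXXXXXX"
COPIED_ETH = "0x0123456789abcdef0123456789abcdef01234567"
SWAPPED_ETH = "0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef"

# Constructed event sequence: ("copy", text) is what the user selected and
# copied; ("paste", text) is what the clipboard actually contained when the
# user pasted. The second and fourth pastes model a clipboard swap.
SAMPLE_EVENTS = [
    ("copy", COPIED_BTC), ("paste", COPIED_BTC),               # untouched: no alert
    ("copy", COPIED_BTC), ("paste", SWAPPED_BTC),              # swapped bitcoin address
    ("copy", "meeting at 10am"), ("paste", "meeting at 10am"),  # plain text: ignored
    ("copy", COPIED_ETH), ("paste", SWAPPED_ETH),              # swapped ether address
]


def replay(events):
    """Run the guard over an event list and return the alerts it raised."""
    guard = ClipboardGuard()
    alerts = []
    for action, text in events:
        if action == "copy":
            guard.on_copy(text)
        elif action == "paste":
            alert = guard.on_paste(text)
            if alert:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in replay(SAMPLE_EVENTS):
        print(f"ALERT ({alert['kind']}): copied {alert['copied']} "
              f"but clipboard now holds {alert['pasted']}")
```

In a real deployment the `on_copy` and `on_paste` hooks would be driven by operating-system clipboard events; here they are replayed from a list so the check runs offline. The comparison only fires when both values look like wallet addresses, which is precisely the case the article describes: the user copies a legitimate address and a different one of the same currency is what gets pasted.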
https://www.welivesecurity.com/2020/09/02/kryptocibule-multitasking-multicurrency-cryptostealer/

Figure: KryptoCibule evolution (source: ESET)
  • KryptoCibule likely started operation in late 2018 but has remained hidden till now thanks to being designed to evade detection.
  • KryptoCibule hides in files that work normally, so victims are less likely to suspect anything amiss. It also actively watches for, and hides from, antivirus tools such as Avast.
  • In addition, it bundles a command-line Tor client and routes its communications over the Tor network, which encrypts them and makes it impossible to trace the mining server behind KryptoCibule.
  • KryptoCibule also monitors the computer's battery so it doesn't consume too much power and thus get noticed.
  • If the battery falls below 30%, KryptoCibule shuts off the GPU miner and runs its monero miner at a much lower capacity. The whole program shuts down should the battery go under 10%.
  • Despite its sophistication, ESET said the bot had so far only been downloaded to several hundred computers, mostly based in Czechia and Slovakia.

See also: New Malware Spotted in the Wild That Puts Cryptocurrency Wallets at Risk