An advanced form of cryptocurrency-targeting malware shared through pirated software and games downloaded from torrent sites poses multiple threats to victims.
In a report Wednesday, researchers at Slovakian cybersecurity firm ESET said they had found malicious code within the installer program for media files that contains a cryptocurrency mining bot.
Once downloaded, the hidden app starts its mining bot to hijack computer power and mine monero, as well as ether if a GPU card is detected.
However, the malware has evolved in its two years of existence to possess other tricks that are more concerning to users of cryptocurrency.
Dubbed "KryptoCibule" – a combination of the Czech and Slovak words for "cryptocurrency" and "onion" – the malware can also change a wallet address to one linked to the hacker when pasted from the clipboard, potentially diverting funds sent to the victim.
Further, it will hunt for, and steal, cryptocurrency passwords, private keys or key phrases stored on the host machine's hard drive.
The malware is spread by users sharing the affected media files on peer-to-peer file-sharing networks.
It also updates itself using BitTorrent, which was acquired by Tron in mid-2018, the researchers said.
ESET said KryptoCibule had stolen roughly $1,800 in bitcoin and ether by changing victims' wallet addresses.
They were unable to determine how much the hacker stole through the mining bot or from stealing passwords.
KryptoCibule likely started operation in late 2018 but has remained hidden till now thanks to being designed to evade detection.
KryptoCibules hides in files that work normally, so victims are less likely to suspect anything amiss. It also actively watches for, and hides from, antivirus tools such as Avast.
In addition, it contains a command line to the Tor browser that encrypts communications and makes it impossible to trace the mining server behind KryptoCibule.
KryptoCibule also monitors the computer's battery so it doesn't consume too much power and thus get noticed.
If the battery falls below 30%, KryptoCibule shuts off the GPU miner and runs its monero miner at a much lower capacity. The whole program shuts down should battery go under 10%.
Despite its sophistication, ESET said the bot had so far only been downloaded by several hundred computers, mostly based in Czechia and Slovakia.