Threat researchers have discovered a new malware family built to extract as much cryptocurrency as possible from its victims. To that end, it steals wallets, hijacks transactions, and mines on infected machines.
The malware, KryptoCibule, has also managed to stay under the radar for almost two years, gaining functionality with each new version.
According to the researchers' analysis, KryptoCibule relies heavily on the Tor network to communicate with its command and control (C2) servers.
It spreads via malicious torrents carrying archives that pretend to be installers for pirated versions of popular software and games. When the executable is launched, the expected installer for the cracked product runs in the foreground while the malware installs itself in the background.
This approach has helped the malware avoid detection for a long time. The malware also appears to target users in the Czech Republic and Slovakia: its anti-analysis and anti-detection checks specifically look for the antivirus products most commonly used in those countries.
The malware skips installing the cryptominer components if any of the antivirus-related strings listed in the referenced image (not reproduced here) is detected. The name KryptoCibule, a combination of the Czech and Slovak words for "crypto" and "onion", reflects both the cryptocurrency focus and the reliance on Tor.
The malware's evasion goes further: the payload executes only if none of the processes belonging to specific analysis tools is running on the computer.
The researchers list the following process names:
cain, filemon, netmon, netstat, nmwifi, perfmon, processhacker, procexp, procexp64, procmon, regmon, tasklist, taskmgr, tcpvcon, tcpview, wireshark
Coin Mining – Stealthily
KryptoCibule is a triple threat: besides stealing wallets and hijacking transactions like typical cryptocurrency-focused malware, it deploys miners that use both CPU and GPU resources to mine Monero and Ethereum.
Cryptomining draws attention because it is resource-intensive. KryptoCibule therefore mines unrestricted only when there has been no user input for the last three minutes and the computer's battery level is above 30%.
If these conditions are not met, the Ethereum miner is suspended and the Monero miner runs on a single thread. When the battery drops below 10%, all mining stops.
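The two gates described above (analysis-tool processes block the payload; idle time and battery level throttle the miners) decide whether a lab machine ever shows the malicious behaviour at all. The following Python models that decision logic so an analyst can check a sandbox configuration against it. This is an added example written for this page, not code from the researchers or from the malware: the process names are those listed above; the antivirus strings are passed in by the caller because the figure listing them is not reproduced here; treating a host without a battery as "100%" is an assumption.

```python
"""Model of KryptoCibule's execution gating, as described in the analysis.

Added example: reproduces the published decision logic so an analyst can
check whether a sandbox or lab VM would ever let the payload and miners run.
Not code from the report or from the malware itself.
"""
from __future__ import annotations

from dataclasses import dataclass

# Analysis-tool process names the malware checks for (from the published list).
ANALYSIS_PROCESSES = frozenset({
    "cain", "filemon", "netmon", "netstat", "nmwifi", "perfmon",
    "processhacker", "procexp", "procexp64", "procmon", "regmon",
    "tasklist", "taskmgr", "tcpvcon", "tcpview", "wireshark",
})

IDLE_THRESHOLD_S = 3 * 60   # no user input for three minutes
BATTERY_FULL_MINING = 30    # percent: strictly above this, mining is unrestricted
BATTERY_STOP = 10           # percent: strictly below this, all mining stops


@dataclass
class HostState:
    processes: list[str]                 # running image names, with or without ".exe"
    installed_av: list[str]              # product names as the malware would see them
    idle_seconds: int                    # seconds since last user input
    battery_percent: int | None = None   # None = no battery (assumption: treated as 100%)


def _norm(name: str) -> str:
    name = name.lower()
    return name[:-4] if name.endswith(".exe") else name


def payload_runs(state: HostState) -> bool:
    """The payload executes only if none of the analysis tools is running."""
    return not (ANALYSIS_PROCESSES & {_norm(p) for p in state.processes})


def miners_installed(state: HostState, avoided_av: list[str]) -> bool:
    """Miner components are skipped if any avoided AV string is present.

    `avoided_av` must be supplied by the caller (the page's figure is not
    reproduced here); matching is a case-insensitive substring check.
    """
    installed = " ".join(state.installed_av).lower()
    return not any(s.lower() in installed for s in avoided_av)


def mining_mode(state: HostState) -> dict:
    """What the two miners do, given idle time and battery level."""
    battery = 100 if state.battery_percent is None else state.battery_percent
    if battery < BATTERY_STOP:
        return {"ethereum": "stopped", "monero_threads": 0}
    unrestricted = state.idle_seconds >= IDLE_THRESHOLD_S and battery > BATTERY_FULL_MINING
    if unrestricted:
        return {"ethereum": "running", "monero_threads": "all"}
    # Between the thresholds, or user recently active: throttled mining.
    return {"ethereum": "suspended", "monero_threads": 1}


def what_would_run(state: HostState, avoided_av: list[str]) -> dict:
    """Combined verdict for a given host/sandbox state."""
    if not payload_runs(state):
        return {"payload": False, "miners": False, "mining": None}
    if not miners_installed(state, avoided_av):
        return {"payload": True, "miners": False, "mining": None}
    return {"payload": True, "miners": True, "mining": mining_mode(state)}


if __name__ == "__main__":
    # Constructed sandbox state: Procmon running, analyst active 10 s ago.
    sandbox = HostState(["explorer.exe", "Procmon.exe"], [], idle_seconds=10, battery_percent=None)
    print("typical sandbox:", what_would_run(sandbox, ["ExampleAV"]))
    # Same VM with tooling hidden, idle long enough, mains power.
    tuned = HostState(["explorer.exe"], [], idle_seconds=IDLE_THRESHOLD_S, battery_percent=None)
    print("tuned sandbox:  ", what_would_run(tuned, ["ExampleAV"]))
```

The practical point: a sandbox that keeps Process Monitor or Wireshark visible in the process list, or that reports recent user input, will never observe the miners, and a laptop image reporting a low battery level will show only the throttled single-thread Monero miner.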
It is unclear how much the KryptoCibule operators have made overall, but according to the researchers the wallets used by the transaction-hijacking component received only about $1,800 in Bitcoin and Ethereum. This figure does not reflect the author's earnings from the other components.
A third cryptocurrency-related component searches the filesystem for entries whose names refer to wallets, miners, or digital coins, for names containing "password" or "bank", and for other sensitive data such as .ssh and .aws directories.
Beyond its cryptocurrency focus, the threat bundles tools that give its operators remote access to the compromised host.
Using the Pupy post-exploitation tool, the attackers can also spawn a backdoor.
The malware also installs the Transmission BitTorrent client to pull additional tools onto the infected computer. The client receives remote commands over its RPC interface on Transmission's default port (9091). Access to the interface is password-protected, but the credentials are hardcoded (superman:krypton), so a Transmission RPC listener that accepts exactly those credentials is a strong host indicator.
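Because the RPC credentials are hardcoded, defenders can turn them into a hunting probe. The Python below, an added example that is not code from the researchers or from the malware, speaks Transmission's actual RPC handshake: the daemon rejects a request without a valid X-Transmission-Session-Id header with HTTP 409 and supplies the header value, the client retries with it, and HTTP Basic authentication failures return 401. The transport is injectable so the exchange can be exercised offline against a constructed fake daemon; the host addresses and session id in the demo are made up.

```python
"""Probe Transmission RPC endpoints for KryptoCibule's hardcoded credentials.

Added example (not code from the report or the malware). Uses Transmission's
documented RPC behaviour: 409 + X-Transmission-Session-Id on first contact,
HTTP Basic auth, 401 on bad credentials, JSON {"result": "success"} on 200.
"""
from __future__ import annotations

import base64
import json
from dataclasses import dataclass, field

IOC_CREDENTIALS = ("superman", "krypton")   # hardcoded pair from the analysis
DEFAULT_RPC_PORT = 9091                     # Transmission's default RPC port
RPC_PATH = "/transmission/rpc"


@dataclass
class Response:
    status: int
    headers: dict[str, str] = field(default_factory=dict)
    body: bytes = b""


def _basic_auth(user: str, password: str) -> str:
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def probe_transmission(send, host: str, port: int = DEFAULT_RPC_PORT,
                       creds: tuple[str, str] = IOC_CREDENTIALS) -> dict:
    """Return {'host', 'transmission', 'ioc_credentials_accepted'}.

    `send(method, url, headers, body) -> Response` is the transport, so the
    same logic works against a live daemon (urllib_send) or a fake one.
    """
    url = f"http://{host}:{port}{RPC_PATH}"
    headers = {"Authorization": _basic_auth(*creds), "Content-Type": "application/json"}
    body = json.dumps({"method": "session-get"}).encode()
    verdict = {"host": host, "transmission": False, "ioc_credentials_accepted": False}

    resp = send("POST", url, headers, body)
    if resp.status == 409:
        # CSRF handshake: the daemon tells us which session id to present.
        sid = resp.headers.get("X-Transmission-Session-Id")
        if sid is None:
            return verdict
        headers["X-Transmission-Session-Id"] = sid
        resp = send("POST", url, headers, body)
    if resp.status == 401:
        verdict["transmission"] = True          # it is Transmission, creds rejected
        return verdict
    if resp.status == 200:
        try:
            ok = json.loads(resp.body).get("result") == "success"
        except ValueError:
            ok = False
        verdict["transmission"] = ok
        verdict["ioc_credentials_accepted"] = ok
    return verdict


def urllib_send(method: str, url: str, headers: dict, body: bytes) -> Response:
    """Real transport using only the standard library (5 s timeout)."""
    import urllib.error
    import urllib.request
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=5) as r:
            return Response(r.status, dict(r.headers), r.read())
    except urllib.error.HTTPError as e:
        return Response(e.code, dict(e.headers), e.read())


class FakeTransmission:
    """Constructed stand-in for a daemon; checks auth first, then session id,
    which is the order the real daemon uses."""
    def __init__(self, user: str, password: str):
        self.expected = _basic_auth(user, password)
        self.session_id = "constructed-session-id"

    def __call__(self, method, url, headers, body) -> Response:
        if headers.get("Authorization") != self.expected:
            return Response(401)
        if headers.get("X-Transmission-Session-Id") != self.session_id:
            return Response(409, {"X-Transmission-Session-Id": self.session_id})
        return Response(200, {}, json.dumps({"result": "success", "arguments": {}}).encode())


if __name__ == "__main__":
    # Constructed hosts: one "infected" daemon with the IOC credentials, one clean.
    for host, daemon in [("10.0.0.5", FakeTransmission(*IOC_CREDENTIALS)),
                         ("10.0.0.6", FakeTransmission("admin", "strong-password"))]:
        print(probe_transmission(daemon, host))
```

Against a real network, pass `urllib_send` as the transport and iterate over internal hosts; a `transmission: True` result with the credentials rejected is just a legitimate Transmission install, while `ioc_credentials_accepted: True` warrants immediate triage of that host.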
All this functionality is the result of close to two years of development: the researchers traced the malware back to December 2018. The referenced image (not reproduced here) shows how KryptoCibule evolved into its current form.
To read more, please check eScan Blog