Crypto Mining: KryptoCibule Malware Steals from Victims | Free Antivirus Software

ESET researchers have identified a previously undocumented malware family, which they have named KryptoCibule. The Trojan spreads via malicious torrents and uses a variety of methods to avoid detection and to steal as many crypto coins as possible from its victims.




Crypto Mining: The Concept

There are various cryptocurrencies on the World Wide Web: Bitcoin is probably the best known, but Monero and Ethereum also exist. The term "mining" is borrowed from the mining industry, where it describes prospecting for ore; cryptocurrency mining was named after it.

You can think of crypto mining as a process in which the performance of the CPU or GPU is used to "mine" cryptocurrencies. The computing power is made available to process transactions and to secure and synchronize the network for all of its users - a kind of decentralized cryptocurrency data center in which miners from all over the world participate. These useful services are rewarded with a share of the respective cryptocurrency, the payout depending on how much computing capacity is contributed.

In contrast to conventional currencies such as the euro or the US dollar, no money is printed for cryptocurrencies; rather, they are mined by users themselves or in the cloud ("cloud mining"). Specially designed devices, e.g. from Bitmain or Antminer, are used for this purpose.

New but Already Old: KryptoCibule

ESET researchers have discovered several versions of the KryptoCibule malware. Its development could be traced back to December 2018, so KryptoCibule has been active for some time. The malware mainly targets users in the Czech Republic and Slovakia and is distributed via infected torrents. The researchers found almost all of the malicious torrents on uloz.to, a very popular file-sharing site in the Czech Republic and Slovakia. There the malware is downloaded as an infected ZIP file.

KryptoCibule often disguises itself as an installer, either for pirated or cracked games or for other software. Besides spreading the KryptoCibule malware itself, additional tools and updates are also downloaded. The researchers identified five files common to all KryptoCibule installation archives. The malware is hidden in packed.001, while packed.002 contains the installer for the software the victim wanted to download. Both files are decoded as soon as the user runs Setup.exe.

The malware then starts in the background, while the installer runs in the foreground, visible to the victim, who receives no indication that something might be wrong. Infected computers can then help seed the malware to spread it further. The BitTorrent protocol is also used to download malware updates and additional software.

Antivirus Programs Are Bypassed

KryptoCibule specifically looks for security products from ESET, Avast and AVG: ESET is headquartered in Slovakia, while Avast and AVG are based in the Czech Republic. The malware uses a variety of techniques to avoid detection by security products:

·         During installation, the malware disguises itself as a legitimate InstallShield installer.
·         The installation usually takes place in existing, genuinely legitimate folders.
·         Before the malware starts, it scans for anti-virus programs.
·         Paths can be excluded from Windows Defender via the shell. The malware does this so that the infected paths are no longer scanned.
·         Firewall exceptions are also created so that the firewall cannot track the malware either.
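The last two evasion steps leave traces in the Windows event logs. As an added defensive example (not code from this page or from ESET), the Python below scans constructed, simplified event records for Defender exclusions being added and firewall exceptions being created. The event IDs are the real Windows ones (5007 for a Defender configuration change, 2004 for a firewall rule added); the file paths and rule names are placeholders, not KryptoCibule indicators.

```python
import re
from dataclasses import dataclass

# Constructed, simplified event records in "channel|event_id|message" form.
# The paths and rule names are placeholders, not KryptoCibule IoCs.
SAMPLE_EVENTS = [
    "Microsoft-Windows-Windows Defender/Operational|5007|"
    "Windows Defender Antivirus Configuration has changed. Old value: ; New value: "
    "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\ProgramData\\Example\\packed.001 = 0x0",
    "Microsoft-Windows-Windows Defender/Operational|5007|"
    "Windows Defender Antivirus Configuration has changed. Old value: ; New value: "
    "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Scan\\ScanParameters = 0x2",
    "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall|2004|"
    "A rule has been added to the Windows Defender Firewall exception list. "
    "Rule Name: SystemArchitectureTranslation Application Path: "
    "C:\\ProgramData\\Example\\SystemArchitectureTranslation.exe Direction: Outbound Action: Allow",
    "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall|2006|"
    "A rule has been deleted in the Windows Defender Firewall exception list. Rule Name: Old rule",
]

# Among the many 5007 events a host emits, only exclusion changes are interesting here.
EXCLUSION_RE = re.compile(
    r"New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\"
    r"(Paths|Processes|Extensions)\\(.+?) = "
)
FW_RULE_RE = re.compile(r"Rule Name: (.*?) Application Path: (.*?) Direction:")

@dataclass
class Alert:
    kind: str    # "defender_exclusion" or "firewall_rule_added"
    detail: str  # excluded item, or "rule name -> program path"

def parse_event(line):
    """Split one constructed record into (channel, event_id, message)."""
    channel, event_id, message = line.split("|", 2)
    return channel, int(event_id), message

def detect(events):
    """Return one Alert per exclusion added to Defender or rule added to the firewall."""
    alerts = []
    for line in events:
        channel, event_id, message = parse_event(line)
        if event_id == 5007 and "Defender" in channel:
            match = EXCLUSION_RE.search(message)
            if match:  # other 5007 events (scan settings etc.) are ignored
                alerts.append(Alert("defender_exclusion", f"{match.group(1)}: {match.group(2)}"))
        elif event_id == 2004 and "Firewall" in channel:
            match = FW_RULE_RE.search(message)
            detail = f"{match.group(1)} -> {match.group(2)}" if match else message
            alerts.append(Alert("firewall_rule_added", detail))
    return alerts
```

On a live host the same facts can be read directly with `Get-MpPreference` (its ExclusionPath property) and `Get-NetFirewallRule`; any exclusion or allow rule you did not create yourself deserves a closer look.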

Components of KryptoCibule

As the ESET researchers show, KryptoCibule consists of three components:

Crypto Mining


Current KryptoCibule variants use XMRig, an open-source tool that mines Monero on the CPU. The open-source program kawpowminer is also used to mine Ethereum on the GPU. KryptoCibule only uses the second program if a dedicated graphics card is found on the infected host. Both tools connect to the mining servers of the KryptoCibule operators via a Tor proxy.

Captured Clipboard


The second KryptoCibule component disguises itself as SystemArchitectureTranslation.exe. It monitors clipboard changes using the AddClipboardFormatListener function and applies substitution rules to the content: based on the format of cryptocurrency wallet addresses, existing addresses are replaced with the wallets of the malware operators. If the victim then makes a transaction, the funds go to the operators' wallets. If the file settings.config is changed, a FileSystemWatcher reloads the replacement rules.
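The format-based matching described above is also what a defender can use to catch a swap: if the clipboard holds a syntactically valid address of the same family as the one the user copied, but a different value, something has rewritten it. The following Python is an added example (not the page's or ESET's code); the address patterns are a simplification without checksum validation, the sample addresses are constructed, and the clipboard is simulated with plain strings rather than read from the OS.

```python
import re

# Format rules for the coin families the article names. Simplified: real wallets
# also verify checksums, which this example deliberately does not do.
ADDRESS_FORMATS = {
    "bitcoin": re.compile(r"^(?:[13][1-9A-HJ-NP-Za-km-z]{25,34}|bc1[a-z0-9]{39,59})$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "monero": re.compile(r"^[48][1-9A-HJ-NP-Za-km-z]{94}$"),
}

# Constructed addresses; neither belongs to a real wallet.
USER_ADDRESS = "0x" + "ab" * 20     # what the user copied
SWAPPED_ADDRESS = "0x" + "cd" * 20  # stand-in for an operator wallet written by a clipper

def address_type(text):
    """Return the coin family whose address format `text` matches, or None."""
    text = text.strip()
    for name, pattern in ADDRESS_FORMATS.items():
        if pattern.match(text):
            return name
    return None

def check_paste(copied, pasted):
    """Compare what the user copied with what the clipboard now holds.

    Returns None when nothing looks wrong. A clipper's signature is a valid
    address of the same family as the copied one, but with a different value.
    """
    if copied == pasted:
        return None
    copied_type = address_type(copied)
    if copied_type is None:
        return None  # the user did not copy an address; not our concern
    if address_type(pasted) == copied_type:
        return f"{copied_type} address was swapped in the clipboard"
    return f"{copied_type} address replaced by non-address content"
```

In a real tool the two strings would come from the clipboard before and after the copy event (for example via a Win32 clipboard listener, as the malware itself uses); the comparison logic stays the same.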

File Extraction

The third KryptoCibule component searches the file system for file names that contain certain terms, for example "wallet.dat". As a rule, these terms refer to cryptocurrencies or miners, but more general terms such as "crypto", "password" or "seed" are also sought. The ESET researchers also found some terms that could point to other interesting data, such as "desktop", "private" or ".ssh". This component collects the full paths of all matching files and then sends the list to %C&C%/found/.

The ESET researchers suspect that "this happens in conjunction with the SFTP server, which runs as an onion service on port 9187. This server creates mappings for each available drive and provides them using the credentials hard-coded in the malware." The collected paths can thus be used for file exfiltration: a computer controlled by the attacker requests them from the infected host via SFTP.

KryptoCibule also installs a legitimate Apache HTTP server. Because of its configuration, it can be used without restriction as a forward proxy and is reachable as an onion service on port 9999.

KryptoCibule: How to Protect Yourself

Torrent files like those carrying the KryptoCibule malware are primarily used on file-sharing platforms - but not only there! So you are not automatically safe just because you have not used online file-sharing sites. Many users are unaware of the risks of downloading torrent files.

Therefore, even if you do not use file-sharing platforms: be vigilant! As always, the best protection against malware is prevention:

·         Always keep your virus protection up to date!

·         Download files only from known and secure servers!

·         Check downloads for viruses and other malware before executing or extracting them!

·         Perform regular scans - ideally automated so that you can't forget anything!


Do not only invest in good firewalls and security software, but also make your employees aware of the risks and ensure that your systems are always up to date. Security should remain your first priority, even if you rely on free antivirus software.
