An advanced version of crypto-targeting malware, spread through pirated games and software downloaded from torrent sites, poses several threats to its victims. On Wednesday, researchers at ESET, a Slovakian cybersecurity firm, published a report describing malicious code they had found hidden inside an installer for media files. They revealed that it comprised a crypto-mining bot. Once downloaded, the hidden app starts the mining bot, which hijacks the computer's processing power to mine Monero; if it detects a GPU, it is also instructed to mine ether.
However, over its two years of existence the malware has evolved significantly and now has several other tricks that could pose a bigger threat to all cryptocurrency users. The malware was dubbed 'KryptoCibule', a combination of the Slovak and Czech words for 'cryptocurrency' and 'onion'. It was also found to be capable of replacing a wallet address pasted from the clipboard with one linked to the attacker, which could potentially divert funds that are sent to the victim. In addition, it can search for and steal crypto passwords, key phrases, or private keys stored on the host machine's hard drive.
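As an added illustration (not code from ESET's report or from the malware itself), here is a small Python detector for the clipboard-substitution behaviour described above: it replays a constructed log of clipboard events and flags any paste that is a wallet address of the same family as the one last copied but with different content. The address regexes and the sample addresses are assumptions made for the example.

```python
import re

# Loose format checks for the address families the article mentions
# (Bitcoin legacy/bech32, Ethereum, Monero). These are assumptions for the
# example: they recognise the shape of an address, not its validity.
ADDRESS_PATTERNS = {
    "bitcoin": re.compile(r"^(?:bc1[02-9ac-hj-np-z]{25,62}|[13][1-9A-HJ-NP-Za-km-z]{25,34})$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "monero": re.compile(r"^[48][1-9A-HJ-NP-Za-km-z]{94}$"),
}


def address_kind(text):
    """Return the address family that `text` looks like, or None."""
    text = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return kind
    return None


def detect_swaps(events):
    """Replay (action, text) clipboard events, action being 'copy' or 'paste'.

    A clipboard hijacker leaves the copy alone and alters what gets pasted, so
    a paste that is a wallet address of the same family as the last copy, but
    with different content, is the signature of a substitution.
    """
    last_copied = None
    alerts = []
    for action, text in events:
        if action == "copy":
            last_copied = text
        elif action == "paste" and last_copied is not None:
            kind = address_kind(last_copied)
            if kind and text != last_copied and address_kind(text) == kind:
                alerts.append({"kind": kind, "copied": last_copied, "pasted": text})
    return alerts


# Constructed sample addresses and clipboard log (not real wallets).
VICTIM_ETH = "0x" + "ab" * 20
ATTACKER_ETH = "0x" + "cd" * 20
VICTIM_BTC = "1" + "Ab" * 16 + "C"
ATTACKER_BTC = "1" + "Cd" * 16 + "E"
SAMPLE_EVENTS = [
    ("copy", VICTIM_ETH), ("paste", ATTACKER_ETH),         # swapped by hijacker
    ("copy", "meeting notes"), ("paste", "meeting notes"),  # ordinary text
    ("copy", VICTIM_BTC), ("paste", VICTIM_BTC),           # unchanged address
    ("copy", VICTIM_BTC), ("paste", ATTACKER_BTC),         # swapped by hijacker
]

if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_EVENTS):
        print(f"{alert['kind']}: copied {alert['copied']} but pasted {alert['pasted']}")
```

Run on the constructed log, the detector reports exactly the two swapped pastes and ignores the ordinary-text and unchanged-address events.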
How does this malware spread? Users play a vital role here, sharing the infected media files with others over peer-to-peer file-sharing networks. The researchers said the malware is also capable of updating itself via BitTorrent, which was acquired by Tron in mid-2018. According to ESET, KryptoCibule has stolen roughly $1,800 in ether and Bitcoin by swapping victims' wallet addresses. The researchers could not determine how much the attacker had gained from the stolen passwords or from the mining bot.
KryptoCibule most likely began operating in late 2018, but it remained hidden until now because it was designed to evade detection. The malware hides in files that continue to work normally, so victims are unlikely to suspect that anything is amiss. It also actively watches for, and hides from, antivirus tools such as Avast. Furthermore, it includes a command-line Tor client, which encrypts its communications and makes it impossible for anyone to find the mining server behind KryptoCibule.
Another trick the malware uses is monitoring the computer's battery so that it does not draw too much power, which would lead to its detection. If the battery falls by more than 30%, KryptoCibule shuts down the GPU miner and runs its Monero miner at reduced capacity; if the battery falls below 10%, the entire program shuts down. Despite its sophistication, ESET said that only several hundred computers had downloaded the malware so far, mostly in Slovakia and Czechia, and that other regions had not yet been affected.