An advanced form of cryptocurrency-targeting malware, shared through pirated software and games downloaded from torrent sites, poses multiple threats to victims.
- In a report Wednesday, researchers at Slovakian cybersecurity firm ESET said they had found malicious code within the installer program bundled with the pirated media files; the code contains a cryptocurrency mining bot.
- Once downloaded, the hidden app starts its mining bot to hijack the computer's processing power and mine monero, as well as ether if a GPU card is detected.
- However, the malware has evolved in its two years of existence to possess other tricks that are more concerning to users of cryptocurrency.
- Dubbed "KryptoCibule" – a combination of the Czech and Slovak words for "cryptocurrency" and "onion" – the malware can also change a wallet address to one linked to the hacker when pasted from the clipboard, potentially diverting funds sent to the victim.
- Further, it will hunt for, and steal, cryptocurrency passwords, private keys or key phrases stored on the host machine's hard drive.
- The malware is spread by users sharing the affected media files on peer-to-peer file-sharing networks.
- It also updates itself using BitTorrent, which was acquired by Tron in mid-2018, the researchers said.
- ESET said KryptoCibule had stolen roughly $1,800 in bitcoin and ether by changing victims' wallet addresses.
- They were unable to determine how much the hacker stole through the mining bot or from stealing passwords.
- KryptoCibule likely started operation in late 2018 but has remained hidden until now thanks to being designed to evade detection.
- KryptoCibule hides in files that work normally, so victims are less likely to suspect anything amiss. It also actively watches for, and hides from, antivirus tools such as Avast.
- In addition, it bundles a command-line Tor client that encrypts its communications and makes the mining server behind KryptoCibule impossible to trace.
- KryptoCibule also monitors the computer's battery so that it does not drain too much power and draw attention.
- If the battery falls below 30%, KryptoCibule shuts off the GPU miner and runs its monero miner at a much lower capacity. The whole program shuts down should the battery fall below 10%.
- Despite its sophistication, ESET said the bot had so far only been downloaded onto several hundred computers, mostly based in Czechia and Slovakia.
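The clipboard-swap behaviour described above lends itself to a simple host-side check: compare what the user copied with what the clipboard holds when it is next read. The Python below is an added example, not ESET's or the article's code; the clipboard events and wallet addresses in it are constructed, and the address patterns only check shape, not checksums.

```python
import re
from dataclasses import dataclass

# Loose shape checks for the coins named in the report (Bitcoin, Ether, Monero).
# They recognise strings that look like wallet addresses; they do not verify checksums.
ADDRESS_PATTERNS = {
    "bitcoin": re.compile(r"^(bc1[ac-hj-np-z02-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "ether": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "monero": re.compile(r"^[48][1-9A-HJ-NP-Za-km-z]{94}$"),
}

def address_kind(text):
    """Return the coin whose address format `text` matches, or None."""
    text = text.strip()
    for coin, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return coin
    return None

@dataclass
class ClipboardEvent:
    # "copy": text the user placed on the clipboard; "read": what the
    # clipboard actually held when it was next examined (or pasted).
    action: str
    text: str

def detect_swaps(events):
    """Flag (coin, copied, observed) triples where an address the user copied
    came back from the clipboard as a different wallet address."""
    alerts = []
    copied = None
    for event in events:
        if event.action == "copy":
            copied = event.text.strip()
        elif event.action == "read" and copied is not None:
            observed = event.text.strip()
            coin = address_kind(copied)
            if coin and observed != copied and address_kind(observed):
                alerts.append((coin, copied, observed))
    return alerts

# Constructed sample values; none of these are real or page-reported addresses.
USER_ETH = "0x" + "a1" * 20
SWAPPED_ETH = "0x" + "b2" * 20
USER_BTC = "1" + "A" * 33
SAMPLE_EVENTS = [
    ClipboardEvent("copy", "meeting notes"), ClipboardEvent("read", "meeting notes"),
    ClipboardEvent("copy", USER_BTC), ClipboardEvent("read", USER_BTC),     # benign
    ClipboardEvent("copy", USER_ETH), ClipboardEvent("read", SWAPPED_ETH),  # hijacked
]
```

Running `detect_swaps(SAMPLE_EVENTS)` reports only the third pair, where the copied ether address came back as a different one; a real monitor would feed it live clipboard snapshots instead of the constructed list.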