Newly Discovered Malware Has Arsenal of Tricks to Help It Steal Crypto

An advanced form of cryptocurrency-targeting malware shared through pirated software and games downloaded from torrent sites poses multiple threats to victims.

• In a report Wednesday, researchers at Slovakian cybersecurity firm ESET said they had found malicious code within the installer program for media files that contains a cryptocurrency mining bot.
• Once downloaded, the hidden app starts its mining bot to hijack computer power and mine monero, as well as ether if a GPU card is detected.
• However, the malware has evolved in its two years of existence to possess other tricks that are more concerning to users of cryptocurrency.
• Dubbed "KryptoCibule" – a combination of the Czech and Slovak words for "cryptocurrency" and "onion" – the malware can also change a wallet address to one linked to the hacker when pasted from the clipboard, potentially diverting funds sent to the victim.
• Further, it will hunt for, and steal, cryptocurrency passwords, private keys or key phrases stored on the host machine's hard drive.
• The malware is spread by users sharing the affected media files on peer-to-peer file-sharing networks.
• It also updates itself using BitTorrent, which was acquired by Tron in mid-2018, the researchers said.
• ESET said KryptoCibule had stolen roughly $1,800 in bitcoin and ether by changing victims' wallet addresses.
• They were unable to determine how much the hacker stole through the mining bot or from stealing passwords.

• KryptoCibule likely started operation in late 2018 but has remained hidden till now thanks to being designed to evade detection.
• KryptoCibules hides in files that work normally, so victims are less likely to suspect anything amiss. It also actively watches for, and hides from, antivirus tools such as Avast.
• In addition, it contains a command line to the Tor browser that encrypts communications and makes it impossible to trace the mining server behind KryptoCibule.
• KryptoCibule also monitors the computer's battery so it doesn't consume too much power and thus get noticed.
• If the battery falls below 30%, KryptoCibule shuts off the GPU miner and runs its monero miner at a much lower capacity. The whole program shuts down should battery go under 10%.
• Despite its sophistication, ESET said the bot had so far only been downloaded by several hundred computers, mostly based in Czechia and Slovakia.

See also: New Malware Spotted in the Wild That Puts Cryptocurrency Wallets at Risk