Game torrents and pirated software are helping spread a previously undocumented malware family, KryptoCibule. The malware launches a triple-threat attack (cryptomining, clipboard hijacking and file theft) and also deploys remote-access Trojan (RAT) functionality to open backdoors on victims' machines.
Pirated content being used to spread malware
ESET researchers note that the malware is primarily spreading in Slovakia and the Czech Republic via software torrents and pirated content. The researchers posted an analysis on Wednesday, saying:
“KryptoCibule is spread through malicious torrents for ZIP files whose contents masquerade as installers for cracked or pirated software and games. Almost all the malicious torrents were available on uloz.to, a popular file-sharing site in Czechia and Slovakia.”
KryptoCibule is derived from the Czech and Slovak words for “crypto” and “onion.” The name was chosen because the malware relies on legitimate software and platforms: the Tor network, the BitTorrent protocol, Apache httpd, the Transmission torrent client, and the Buru SFTP server. The researchers noted that the malware dates back to December 2018.
The malware infects a computer and starts mining Ethereum and Monero. It can also hijack the user’s transactions by replacing wallet addresses on the clipboard so that cryptocurrency is sent to the attacker’s address instead. In addition, the malware can steal cryptocurrency-related files from the infected machine.
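The clipboard-hijacking behaviour described above can be detected from the defender's side by comparing what the user actually copied with what the clipboard holds shortly afterwards. The following is an added example, not code from the article or from ESET; the address regexes, the event model and the sample clipboard events are all constructed for illustration.

```python
import re
from dataclasses import dataclass

# Address formats to watch; these regexes are an assumption for this example, not ESET's.
ADDRESS_PATTERNS = {
    "bitcoin": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{39,59})$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

def classify(text):
    """Return the coin name if text looks like a wallet address, else None."""
    text = text.strip()
    for coin, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return coin
    return None

@dataclass
class ClipEvent:
    source: str  # "user": an explicit copy by the user; "poll": a periodic clipboard read
    text: str

def detect_swaps(events):
    """Flag polls where the clipboard holds a different same-coin address than the user copied."""
    alerts = []
    last_copied = None
    for ev in events:
        if ev.source == "user":
            last_copied = ev.text      # remember what the user actually put there
            continue
        if last_copied is None:
            continue
        coin = classify(last_copied)
        # Only a same-format replacement is flagged: that is the hijacker's signature.
        if coin is not None and ev.text != last_copied and classify(ev.text) == coin:
            alerts.append((last_copied, ev.text, coin))
    return alerts

# Constructed sample: the user copies a legitimate address, the first poll still
# sees it, and a later poll finds it silently replaced by another address.
USER_ETH = "0x" + "a" * 40
SWAPPED_ETH = "0x" + "b" * 40
SAMPLE_EVENTS = [
    ClipEvent("user", "meeting notes"),  # non-address text is ignored
    ClipEvent("poll", "meeting notes"),
    ClipEvent("user", USER_ETH),
    ClipEvent("poll", USER_ETH),         # unchanged: no alert
    ClipEvent("poll", SWAPPED_ETH),      # replaced: alert
]
```

Calling `detect_swaps(SAMPLE_EVENTS)` returns one alert for the replaced Ethereum address; a real monitor would feed it live clipboard reads instead of the constructed list.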
ESET notes that the latest versions of the malware run XMRig, an open-source program used to mine Monero. The malware also uses another open-source tool, kawpowminer, which mines Ethereum on the GPU. Both miners connect to an operator-controlled mining server through a Tor proxy.
The malware checks the battery level and the time since the last user input, and starts or stops the miners based on this information. If the user has not provided any input in the past three minutes and the battery is at least 30% charged, both the CPU and GPU miners run continuously. Otherwise, the GPU miner is suspended and the CPU miner runs on only one thread. Mining stops entirely when the battery level is near 10%, so that the user doesn’t suspect anything.