Old Windows Malware Relaunches with Three-Pronged Attack on Crypto Investors

The cryptocurrency industry is dealing with a consistent rise in malware and cyber attacks. While a lot of them appear to be novel cases, some older threats are now resurfacing. Earlier this week, cybersecurity firm ESET published a report explaining that it has found evidence that a strain of Windows OS malware has been propagating across Europe. 

Meet KryptoCibule

According to a report on ZDNet, ESET explained that the new malware – called KryptoCibule – has been in operation since December 2018. The malware primarily targets cryptocurrency holders, aiming to perform cryptojacking operations and steal all its victims’ crypto-related files. It also replaces the wallet addresses in the computer’s clipboard to steal all crypto payments.

ESET added that the malware has also evolved significantly, growing from a simple virus to a multi-component threat that is more advanced than most malware strains. It currently spreads through corrupt torrent files, installing itself along with the files that users download.

The security company added that the malware uses the privacy-focused Tor client to communicate with its command-and-control servers on the Dark Web. The torrent client is also used to load torrent files that will download other modules. All of these modules perform several tasks and help the malware to achieve its primary objective. 

ESET claims that for now, the malware is only distributed across Slovakia and the Czech Republic. Per the security company, KryptoCibule’s creators added a malware feature to check for antivirus software in the victim computers. However, the module only checks for three antiviruses — AVG, ESET, and Avast. All three antiviruses are based in either Slovakia or the Czech Republic.

Malware and Hackers Everywhere

KryptoCibule isn’t the only legacy threat that is making a comeback to the crypto industry. Last month, the United States Department of Homeland Security (DHS) issued an alert confirming that it had discovered the activities of BeagleBoyz, a hacking group suspected of close ties with the North Korean government.

According to the alert, the group hasn’t been active in the last five years. However, despite its inactivity, it has managed to steal at least $2 billion for Pyongyang since 2015. Most of those thefts were linked to crypto companies.

Now that it’s back, the group is reportedly developing “irreversible theft” methods and planning attacks on crypto exchanges. The DHS pointed out that the group was planning to employ COPPERHEDGE — a remote access Trojan that steals data and compromises exchange’s security protocols.

The Department also warned that the group might be looking to expand its scope and target financial institutions as well. BeagleBoyz is joining several other hacker groups that have links with the North Korean government. The industry is already familiar with The Lazarus Group, a hacker organization that gained notoriety after being linked with the hack of Japanese exchange Coincheck in 2017. According to a report from F-Secure, the group also recently launched a malware attack that sought to steal information from crypto and blockchain talent via top job listing site LinkedIn.

Security threats have become pretty ubiquitous, with news alerts warning of some new threat almost every day.