
KryptoCibule

By GoldSparrow in Malware

KryptoCibule is the name of a new family of malware threats that has been uncovered by security researchers. The malware is written in C# and is designed with several cryptocurrency-related functions.

KryptoCibule is distributed via corrupted torrents that carry malware-laced zip files pretending to be installers for cracked or pirated games and software. The torrents spreading KryptoCibule were all available from a torrent tracker called uloz.to, which is a popular file-sharing website in Slovakia and the Czech Republic. As a result, most of the malware's victims were located in the two countries. The name given to the malware comes from the word for crypto in Czech and onion in Slovak.

When KryptoCibule is executed, it runs in the background while the installer for the expected software or game is shown to the unsuspecting user. During its harmful activity, the malware employs several legitimate programs. Tor and the Transmission torrent client ship inside the malware installer itself, while others, such as Apache httpd and the Buru SFTP server, are downloaded when KryptoCibule runs for the first time on the victim's device.

KryptoCibule is a Multi-Pronged Threat

Once inside the targeted device, KryptoCibule takes multiple avenues to generate money for its creators. First, it installs two open-source cryptominers: XMRig, which mines the Monero cryptocurrency using the victim's CPU, and kawpowminer, which mines Ethereum using the GPU. KryptoCibule regularly checks the time of the last user activity on the infected device and the remaining battery charge, and adjusts the resources allocated to the miners accordingly, in an attempt not to draw attention to its cryptomining activities.

In addition, KryptoCibule can monitor the clipboard, using the AddClipboardFormatListener function to be notified of changes, and substitute copied cryptocurrency wallet addresses with ones controlled by the hackers. The final threat posed by the malware is data exfiltration. KryptoCibule scans the infected system for files matching a list of specific words and terms. Most of them are related to cryptocurrency, but some, such as 'Desktop' and 'private', may match other sensitive data, and the list also covers potential private keys stored in '.ssh' and '.aws' directories. The malware is also equipped with RAT (Remote Access Trojan) capabilities, as it can execute exec and shell commands.

KryptoCibule Employs Anti-Analysis Techniques

To bypass security measures, KryptoCibule hides behind legitimate Adobe Acrobat Reader executable names. For example, it is hardcoded to be installed at %ProgramFiles(x86)%\Adobe\Acrobat Reader DC\Reader\update. An Adobe Acrobat Reader-related name also is employed by the malware to achieve persistence through the command:
schtasks.exe /CREATE /SC MINUTE /MO 5 /TN "Adobe Update Task" /TR \""%ProgramFiles(x86)%\Adobe\Acrobat Reader DC\Reader\Update\armsvc.exe\"" [/RL HIGHEST] /F [/RU SYSTEM]
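As an added defender-side example (not code from the original write-up), the following Python parses a scheduled-task inventory in the format of `schtasks /query /fo CSV /v` and flags tasks that launch armsvc.exe from outside the directory where the genuine Adobe update service normally lives (an assumption here; verify against a clean reference host) or from the hard-coded install path quoted above. The sample rows and the reduced column set are constructed for the example.

```python
import csv
import io
import re

# Assumption for this example: the genuine Adobe Acrobat Update Service binary
# lives under "Common Files\Adobe\ARM"; confirm on a known-clean machine.
LEGIT_ARMSVC_DIR = re.compile(r"\\common files\\adobe\\arm\\", re.IGNORECASE)
# Install directory hard-coded by KryptoCibule, as described in the write-up.
KRYPTOCIBULE_DIR = re.compile(r"\\acrobat reader dc\\reader\\update\\", re.IGNORECASE)


def find_suspicious_tasks(schtasks_csv: str) -> list[dict]:
    """Return scheduled tasks that run armsvc.exe from a suspicious location.

    Input is the text of `schtasks /query /fo CSV /v`; only the TaskName,
    Task To Run, Run As User and Schedule Type columns are used.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(schtasks_csv)):
        action = row.get("Task To Run", "")
        if "armsvc.exe" not in action.lower():
            continue  # only interested in tasks masquerading as the Adobe updater
        reasons = []
        if not LEGIT_ARMSVC_DIR.search(action):
            reasons.append("armsvc.exe outside Common Files\\Adobe\\ARM")
        if KRYPTOCIBULE_DIR.search(action):
            reasons.append("matches KryptoCibule hard-coded install path")
        if row.get("Schedule Type", "").lower().startswith("minute"):
            reasons.append("minute-based schedule (re-launches every few minutes)")
        if reasons:
            findings.append({
                "task": row.get("TaskName", ""),
                "run_as": row.get("Run As User", ""),
                "action": action,
                "reasons": reasons,
            })
    return findings


# Constructed sample inventory: one benign updater task, one KryptoCibule-style
# task created with the schtasks command quoted above, one unrelated task.
SAMPLE_INVENTORY = r'''"TaskName","Task To Run","Run As User","Schedule Type"
"\Adobe Acrobat Update Task","C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe","SYSTEM","Daily"
"\Adobe Update Task","C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Update\armsvc.exe","SYSTEM","Minute"
"\OneDrive Standalone Update","C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe","alice","Daily"
'''

if __name__ == "__main__":
    for hit in find_suspicious_tasks(SAMPLE_INVENTORY):
        print(hit["task"], "->", hit["action"], "|", "; ".join(hit["reasons"]))
```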

KryptoCibule checks the infected system against a list of analysis software and terminates itself upon a successful match. A check for several anti-malware programs is also conducted before the cryptomining operations are initiated.
