SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
Story image
Cryptomining trojan malware discovered by ESET researchers
Thu, 3rd Sep 2020
FYI, this story is more than a year old

A previously undocumented trojan malware that spreads through malicious torrents has been uncovered by an ESET cybersecurity team, dubbed KryptoCibule by the researchers.

The malware's goal is to steal as many cryptocoins as possible from victims without being detected. It does this by utilising a three-pronged approach: use the victim's resources to mine coins, replace wallet addresses in clipboards to hijack transactions, and exfiltrate all cryptocurrency-related files.

The malware, primarily targeting victims in Czechia and Slovakia, prioritises subterfuge through deployment of multiple techniques to avoid detection, and leans heavily on the Tor network and BitTorrent protocol to achieve its goals.

ESET researcher Matthieu Faou says the malware employs seemingly innocuous software to lure in victims.

“The malware, as written, employs some legitimate software,” says Faou.

“Some, such as Tor and the Transmission torrent client, are bundled with the installer; others are downloaded at runtime, including Apache httpd and the Buru SFTP server.

While only recently discovered, ESET researchers say the malware has been active since December 2018, during which time new updates have been added and capabilities enhanced. KyrptoCibule is ‘under constant development', according to researchers.

“KryptoCibule has three components that leverage infected hosts in order to obtain cryptocurrencies: cryptomining, clipboard hijacking and file exfiltration,” explains Faou.

“Presumably, the malware operators were able to earn more money by stealing wallets and mining cryptocurrencies than what we found in the wallets used by the clipboard hijacking component.

“Alone, the revenue generated by that component does not seem enough to justify the development effort observed,” he adds.

Almost all malicious torrents associated with KryptoCibule were found on a file-sharing site popular in Czechia and Slovakia.

Additionally, KryptoCibule specifically checks for ESET, Avast and AVG endpoint security products; ESET is headquartered in Slovakia, while the other two are owned by Avast, which is headquartered in Czechia.

ESET's research comes as more reports emerge affirming the less-than-ideal state of global cybersecurity – a report from Fortinet last month confirmed that 2020 has seen a ‘surge' in malware, ransomware and botnets.

“The first six months of 2020 witnessed an unprecedented cyber threat landscape,” says FortiGuard Labs chief of security insights and global threat alliances Derek Manky.

“There has never been a clearer picture than now, of why organisations need to adjust their defence strategies going forward to fully take into account the network perimeter extending into the home.

“It is critical for organisations to take measures to protect their remote workers and help them secure their devices and home networks for the long term.