A newly discovered strain of malware dubbed "KryptoCibule" uses multiple techniques to evade detection while maximizing cryptocurrency theft from victims.
ESET researchers who discovered the threat say it has been active since 2018 and updated with new components over time. KryptoCibule is "a triple threat": It uses a victim's resources to mine virtual coins, tries to hijack transactions by replacing the wallet address in the clipboard, and exfiltrates cryptocurrency-related files, all while employing techniques to evade detection.
KryptoCibule is distributed via malicious torrents for ZIP files whose contents are disguised as installers for pirated games and software. When users run the installer, they get the software they were expecting along with the malware. The attackers rely on the BitTorrent protocol both to spread to new victims and to download additional tools and updates to KryptoCibule once it is installed.
The latest versions of the malware employ XMRig, an open-source program designed to mine Monero using the device's CPU, and kawpowminer, another open-source program that mines Ethereum using the GPU. Researchers note that the latter is only used if a dedicated GPU is found on the host, and that both programs are configured to connect to an attacker-controlled mining server over the Tor proxy.
Data indicates the malware primarily targets victims in the Czech Republic and Slovakia. It specifically looks for endpoint security tools from ESET, which is based in Slovakia, as well as Avast and AVG, both owned by Czech Republic-based Avast.
Read the full report for more details and evasion techniques.