A previously undocumented malware family called KryptoCibule is mounting a three-pronged cryptocurrency-related attack, while also deploying remote-access trojan (RAT) functionality to establish backdoors to its victims.
According to researchers at ESET, the malware has been seen targeting victims mainly in the Czech Republic and Slovakia, by way of torrents for pirated content and cracked software.
"KryptoCibule is spread through malicious torrents for ZIP files whose contents masquerade as installers for cracked or pirated software and games," ESET researchers wrote in [an analysis]() on Wednesday. "Almost all the malicious torrents were available on uloz.to, a popular file-sharing site in Czechia and Slovakia."
They added that KryptoCibule, whose name combines the Czech and Slovak words for "crypto" and "onion," is also notable for its use of legitimate software and platforms: the Tor network (hence the "onion" part of the name) and the BitTorrent protocol, the Transmission torrent client, Apache httpd and the Buru SFTP server.
Looking at timestamps in the various versions of KryptoCibule that ESET has identified, the malware dates from December 2018, researchers said.
## **A Triple Crypto-Threat**
KryptoCibule's goals are threefold on the cryptocurrency front: It surreptitiously [mines Monero]() and Ethereum on compromised machines, it hijacks transactions by replacing wallet addresses in the clipboard, and it steals cryptocurrency-related files.
According to ESET, the latest versions of KryptoCibule use XMRig, an open-source program that mines Monero using the CPU, and kawpowminer, another open-source program that mines Ethereum using the GPU (the latter kicks into action only if a GPU is detected on the host). Both connect to an operator-controlled mining server over a Tor proxy.
On every iteration of the main loop, the malware checks the battery level and the time since the last user input, according to the analysis. It then starts or stops the miner processes based on this information. If the host has received no user input in the last three minutes and has at least 30 percent battery, both the GPU and CPU miners are run without limits. Otherwise, the GPU miner is suspended, and the CPU miner is limited to one thread. If the battery level is under 10 percent, both miners are stopped. This is done to reduce the likelihood of being noticed by the victim.
Meanwhile, a clipboard-hijacking component monitors the clipboard for changes. When the new clipboard content looks like a cryptocurrency wallet address (i.e., the victim has copied a destination address for a transaction), the malware replaces it with an operator-controlled address of the same format, so the pasted address passes a casual glance and the funds go to the attacker. So far, the cybercriminals have stolen around $1,800 using this trick, according to ESET.
"Presumably the malware operators were able to earn more money by stealing wallets and mining cryptocurrencies than what we found in the wallets used by the clipboard hijacking component," according to the analysis. "The revenue generated by that component alone does not seem enough to justify the development effort observed."
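As an added illustration, not code from the article or from ESET's analysis, the following Python sketches both halves of this behavior: the same-format swap a clipboard hijacker performs, and a simple watchdog that flags a swap by noticing that one valid address was replaced by a different address of the same currency within a fraction of a second of being copied. The address patterns, the operator wallets, the clipboard snapshots and the two-second threshold are all constructed assumptions; KryptoCibule's own matching rules are not published here.

```python
"""Clipboard-hijack simulation and detection (Python 3.8+, standard library only).

Added example; not code from KryptoCibule or from ESET.
"""
import re
from typing import Dict, List, Optional, Tuple

# Address-shape patterns. Assumption: these cover the common formats for the
# three currencies named in the article; the malware's real rules are unknown.
ADDRESS_PATTERNS = {
    "bitcoin": re.compile(
        r"^(?:[13][1-9A-HJ-NP-Za-km-z]{25,34}|bc1[02-9ac-hj-np-z]{25,87})$"
    ),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    # 95-character Monero standard ('4') and sub- ('8') addresses only.
    "monero": re.compile(r"^[48][0-9AB][1-9A-HJ-NP-Za-km-z]{93}$"),
}

# Constructed operator wallets (syntactically valid shapes, not real addresses).
OPERATOR_WALLETS: Dict[str, str] = {
    "bitcoin": "1" + "C" * 33,
    "ethereum": "0x" + "cd" * 20,
    "monero": "4B" + "C" * 93,
}


def classify_address(text: str) -> Optional[str]:
    """Return the currency whose address format `text` matches, else None."""
    text = text.strip()
    for coin, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return coin
    return None


def hijack_clipboard(text: str, operator_wallets: Dict[str, str]) -> str:
    """What the hijacking component does: replace a recognised address with
    the operator's address of the same currency; leave anything else alone."""
    coin = classify_address(text)
    if coin is None or coin not in operator_wallets:
        return text
    return operator_wallets[coin]


def detect_swaps(
    snapshots: List[Tuple[float, str]], max_gap: float = 2.0
) -> List[Tuple[str, str, str]]:
    """Watchdog over (timestamp_seconds, clipboard_text) snapshots.

    A hijacker rewrites the clipboard almost immediately after the user copies
    an address, so two consecutive snapshots that are both addresses of the
    same currency, differ, and arrive within `max_gap` seconds (assumed
    threshold) are reported as (coin, original, replacement).
    """
    alerts = []
    for (t_prev, prev), (t_cur, cur) in zip(snapshots, snapshots[1:]):
        coin_prev, coin_cur = classify_address(prev), classify_address(cur)
        if (
            coin_prev is not None
            and coin_prev == coin_cur
            and prev != cur
            and (t_cur - t_prev) <= max_gap
        ):
            alerts.append((coin_cur, prev, cur))
    return alerts


# Constructed clipboard history: the user copies an Ethereum address, the
# hijacker swaps it 100 ms later; later the user legitimately copies two
# different Bitcoin addresses fifteen seconds apart (should not be flagged).
USER_ETH = "0x" + "ab" * 20
USER_BTC1 = "1" + "A" * 33
USER_BTC2 = "3" + "D" * 33
SAMPLE_SNAPSHOTS: List[Tuple[float, str]] = [
    (10.0, USER_ETH),
    (10.1, hijack_clipboard(USER_ETH, OPERATOR_WALLETS)),
    (30.0, "meeting notes"),
    (40.0, USER_BTC1),
    (55.0, USER_BTC2),
]

if __name__ == "__main__":
    for coin, original, replacement in detect_swaps(SAMPLE_SNAPSHOTS):
        print(f"clipboard swap detected ({coin}): {original} -> {replacement}")
```

The watchdog is deliberately conservative: a user who copies two addresses of the same currency in quick succession would trip it, so in practice the alert is a prompt to re-check the pasted address against the source, not a verdict.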
The third attack component examines an infected host's filesystem on each available drive, looking for file and directory names that match a hardcoded list of terms. These include the names of various cryptocurrencies and general terms like "blockchain" or "password."
"Most terms refer to cryptocurrencies, wallets or miners, but a few more generic ones like 'crypto' (in several languages), 'seed' and 'password' are present also," explained the researchers. "A few terms also correspond to paths or files that could provide other interesting data ('desktop', 'private'), including private keys."
The data is then exfiltrated via an SFTP server running as an onion service on port 9187.
## **A RAT in the Mix**
On top of the crypto-components, KryptoCibule also has RAT functionality that lets operators execute arbitrary commands on the host, which they can use to spread the malware further, researchers said. It also installs a PowerShell script that in turn loads a backdoor, giving persistent access to victim machines and a channel for downloading additional tools and updates. The malware fetches both the additional tools and its own updates over the BitTorrent protocol.
"To install further software for the malware's use, such as the SFTP server, the Launcher component makes an HTTP GET request to %C&C%/softwareinfo?title=<software name> and receives a JSON response containing a magnet URI for the torrent to download and other information indicating how to install and execute the program," according to the analysis.
The mechanism for getting updates is similar.
"The malware first gets global settings via HTTP from %C&C%/settingsv5. Among other things, this response contains a magnet URI for the latest version of the malware," ESET researchers wrote. "It then makes a GET request to %C&C%/version to get the most recent version number. If the local version is lower than that version, the torrent is downloaded and installed."
## **Infection Routine**
After a user unwittingly installs an infected download, the malware and the installer are unpacked. The malware then launches in the background, giving the victim no indication that anything is amiss.
KryptoCibule uses the tor.exe command line tool and a configuration file that sets up a SOCKS proxy on port 9050; thus, the malware relays all communications with command-and-control (C2) servers through the Tor network.
When the malware is first executed, the host is assigned a unique identifier using hardcoded lists which provide over 10 million unique combinations. This identifier is then used to identify the host in communications with C2s.
"The onion URIs for two C2 servers are contained in the malware; one is used for communication and the other is for downloading files," the researchers noted. "This has the dual benefit of encrypting the communications and making it virtually impossible to trace the actual server or servers behind these URIs." They added that KryptoCibule also installs a legitimate Apache httpd server configured as a forward proxy without any restrictions, reachable as an onion service on port 9999.
KryptoCibule then installs the Transmission torrent client and controls it through its remote procedure call (RPC) interface on port 9091, issuing commands with the transmission-remote utility. ESET's analysis notes that the RPC interface uses the hardcoded credentials superman:krypton.
The malware also creates firewall rules with innocuous-looking names that explicitly allow inbound and outbound traffic for its components.
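The hardcoded ports and dropped tools described in this section are the most reliable host-level indicators a responder can check, since the C2 traffic itself is hidden inside Tor. The following Python is an added example, not code from the article or from ESET, that runs that check offline over captured `netstat -ano` and `tasklist /fo csv` output from a Windows host and, optionally, confirms a live Transmission RPC listener with the hardcoded credentials. The sample command output, the process image names (including `buru.exe` for the Buru SFTP server) and the RPC probe's status-code interpretation are assumptions.

```python
"""Offline triage for KryptoCibule host indicators (Python 3.8+, standard library only).

Added example; not code from the article or from ESET.
"""
import base64
import csv
import io
import urllib.error
import urllib.request
from typing import Dict, List, Tuple

# Hardcoded ports named in ESET's analysis and the component behind each one.
INDICATOR_PORTS = {
    9050: "tor.exe SOCKS proxy that relays C2 traffic",
    9091: "Transmission RPC interface (hardcoded credentials superman:krypton)",
    9187: "SFTP onion service used for exfiltration",
    9999: "Apache httpd forward proxy exposed as an onion service",
}
# Assumed default image names for the legitimate tools the malware drops;
# an operator could rename the binaries, so absence here proves nothing.
INDICATOR_PROCESSES = (
    "tor.exe", "transmission-daemon.exe", "transmission-remote.exe",
    "httpd.exe", "xmrig.exe", "kawpowminer.exe",
)


def parse_netstat(text: str) -> List[Tuple[str, int, str, int]]:
    """Parse `netstat -ano` output into (proto, local_port, state, pid) rows."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank line or anything else
        proto, local = parts[0], parts[1]
        if proto == "TCP":
            if len(parts) < 5:
                continue
            state, pid = parts[3], parts[4]
        else:
            state, pid = "", parts[3]  # UDP rows have no State column
        try:
            rows.append((proto, int(local.rsplit(":", 1)[1]), state, int(pid)))
        except ValueError:
            continue
    return rows


def parse_tasklist_csv(text: str) -> Dict[int, str]:
    """Parse `tasklist /fo csv` output into {pid: image name}."""
    reader = csv.DictReader(io.StringIO(text))
    return {int(row["PID"]): row["Image Name"] for row in reader}


def triage(netstat_text: str, tasklist_text: str) -> List[dict]:
    """Return findings for listeners on indicator ports and for dropped tools."""
    procs = parse_tasklist_csv(tasklist_text)
    findings = []
    for proto, port, state, pid in parse_netstat(netstat_text):
        if proto == "TCP" and state == "LISTENING" and port in INDICATOR_PORTS:
            findings.append({"kind": "port", "port": port, "pid": pid,
                             "process": procs.get(pid, "?"),
                             "note": INDICATOR_PORTS[port]})
    for pid, name in procs.items():
        if name.lower() in INDICATOR_PROCESSES:
            findings.append({"kind": "process", "pid": pid, "process": name})
    return findings


def transmission_rpc_accepts(creds: str = "superman:krypton",
                             url: str = "http://127.0.0.1:9091/transmission/rpc",
                             timeout: float = 3.0):
    """Live check on the suspect host (not run offline). Transmission answers
    401 when basic-auth credentials are rejected and 409 (session id required)
    when they are accepted. Returns True, False, or None if unreachable/other."""
    req = urllib.request.Request(url)
    req.add_header("Authorization",
                   "Basic " + base64.b64encode(creds.encode()).decode())
    try:
        urllib.request.urlopen(req, timeout=timeout)
        return True
    except urllib.error.HTTPError as err:
        if err.code == 409:
            return True
        if err.code == 401:
            return False
        return None
    except (urllib.error.URLError, OSError):
        return None


# Constructed sample output from an infected host (not real capture data).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       928
  TCP    127.0.0.1:9050         0.0.0.0:0              LISTENING       4120
  TCP    127.0.0.1:9091         0.0.0.0:0              LISTENING       4188
  TCP    127.0.0.1:9187         0.0.0.0:0              LISTENING       4230
  TCP    0.0.0.0:9999           0.0.0.0:0              LISTENING       4256
  TCP    192.168.1.20:50122     93.184.216.34:443      ESTABLISHED     2456
  UDP    0.0.0.0:5353           *:*                                    1404
"""
SAMPLE_TASKLIST = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"svchost.exe","928","Services","0","12,544 K"
"tor.exe","4120","Console","1","31,212 K"
"transmission-daemon.exe","4188","Console","1","18,400 K"
"buru.exe","4230","Console","1","9,800 K"
"httpd.exe","4256","Console","1","22,116 K"
"xmrig.exe","4301","Console","1","140,020 K"
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_NETSTAT, SAMPLE_TASKLIST):
        print(finding)
```

A listener on one of these ports is not conclusive on its own (9050 is Tor's default SOCKS port and 9091 is Transmission's default RPC port on any machine that runs them), so the combination matters: all four listeners, the dropped tools, and an RPC interface that accepts superman:krypton together are a strong match for the infection described here.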
On the anti-detection front, KryptoCibule maintains its geographic focus: It specifically checks for ESET, Avast and AVG endpoint-security products; ESET is headquartered in Slovakia, while the other two are owned by Avast, which is headquartered in the Czech Republic.
In all, KryptoCibule is a narrowly focused but sophisticated piece of malware with a range of unusual functions, and it's clear that the operators continue to invest in its development.
"The KryptoCibule malware has been in the wild since late 2018 and is still active, but it doesn't seem to have attracted much attention until now," according to researchers. "Its use of legitimate open-source tools along with the wide range of anti-detection methods deployed are likely responsible for this. The relatively low number of victims (in the hundreds) and their being mostly confined to two countries may also contribute to this. New capabilities have regularly been added to KryptoCibule over its lifetime and it continues to be under active development."