KryptoCibule: the smart malware that mines XMR and ETH

Eset, the antivirus vendor, has recently published a detailed report analysing a new malware family, KryptoCibule, which uses the Tor and BitTorrent networks to spread and mines cryptocurrency at the victims' expense.

The name combines "krypto" (crypto) and "cibule" (onion, in Czech and Slovak), a nod to the fact that the malware mines crypto and talks to its operators over the Tor onion network.

The malware is distributed over BitTorrent inside a .zip archive named "Dead Cells", after the popular 2018 multi-platform game.

Inside the compressed folder there are several files:

  • Packed.001, which contains the malware;
  • Packed.002, which is the game's installer;
  • Setup.exe, which launches the two packed files and starts the malware in the background;
  • Setup.dll;
  • Packed.dat.

Because Setup.exe also installs the game, the victim notices nothing unusual: once a game is running, any extra load on the machine is easily attributed to the game itself rather than to a miner.

On top of that, the malware installs the Transmission torrent client, whose RPC interface listens on port 9091 and lets the operators control it remotely.

KryptoCibule, the malware that also installs Tor

The RPC interface is protected by the hard-coded credentials superman:krypton, which the malware uses to add and seed torrents, including the one carrying the malware itself.

The client keeps seeding the malicious archive so that it spreads more widely and is less likely to disappear from the network: a torrent with many seeders looks healthy and reputable, and users prefer to download a file that has many seeds.

The malware also installs a Tor client, which listens locally on port 9050. Command-and-control (C&C) traffic is routed through it so that the operators cannot be traced.

Hiding the C&C servers behind Tor means investigators cannot easily find where the commands originate, which would otherwise lead them back to the servers and allow them to restrict the criminals' scope of action.
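The two local services described above, the Transmission RPC interface on port 9091 guarded by the hard-coded credentials superman:krypton and the Tor client on port 9050, are cheap indicators to sweep for on a suspect machine. The following Python script is an added example, not code from the Eset report or from the malware: it checks a host for those listeners and, where something answers on the RPC port, performs the Transmission RPC handshake (the documented 409 / X-Transmission-Session-Id exchange) with the hard-coded credentials to confirm the indicator. The fake RPC daemon it starts is constructed here so the script runs offline; its session id value is arbitrary, and the port numbers are the ones named in the article.

```python
import base64
import http.client
import json
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Indicators named in the article: Transmission RPC on 9091 guarded by
# superman:krypton, and a Tor client listening on 9050.
TRANSMISSION_RPC_PORT = 9091
TOR_SOCKS_PORT = 9050
HARDCODED_CREDS = ("superman", "krypton")
RPC_PATH = "/transmission/rpc"


def basic_auth(user, password):
    """Build an HTTP Basic Authorization header value."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def port_is_listening(host, port, timeout=1.0):
    """TCP connect check for one port; True if something accepts the connection."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def transmission_accepts(host, port, user, password, timeout=3.0):
    """True if a Transmission RPC daemon on host:port accepts user:password.

    Transmission answers the first POST with 409 and an X-Transmission-Session-Id
    header; the client must repeat the request carrying that header. A 401 means
    the credentials were rejected, a 200 means they were accepted.
    """
    body = json.dumps({"method": "session-get"})
    headers = {"Authorization": basic_auth(user, password),
               "Content-Type": "application/json"}
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("POST", RPC_PATH, body=body, headers=headers)
        resp = conn.getresponse()
        resp.read()
        if resp.status == 409:
            session_id = resp.getheader("X-Transmission-Session-Id")
            if not session_id:
                return False
            headers["X-Transmission-Session-Id"] = session_id
            conn.request("POST", RPC_PATH, body=body, headers=headers)
            resp = conn.getresponse()
            resp.read()
        return resp.status == 200
    except OSError:
        return False
    finally:
        conn.close()


def scan_host(host, rpc_port=TRANSMISSION_RPC_PORT, tor_port=TOR_SOCKS_PORT):
    """Return a list of human-readable findings for one host."""
    findings = []
    if port_is_listening(host, tor_port):
        findings.append(f"tcp/{tor_port} open: possible Tor client (C&C channel)")
    if port_is_listening(host, rpc_port):
        if transmission_accepts(host, rpc_port, *HARDCODED_CREDS):
            findings.append(f"tcp/{rpc_port}: Transmission RPC accepts superman:krypton "
                            "(KryptoCibule indicator)")
        else:
            findings.append(f"tcp/{rpc_port} open: RPC does not accept the known credentials")
    return findings


class _FakeTransmissionRPC(BaseHTTPRequestHandler):
    """Constructed stand-in for the real daemon so the example runs offline."""
    SESSION_ID = "example-session-id"  # arbitrary value for the demo

    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        if self.headers.get("Authorization") != basic_auth(*HARDCODED_CREDS):
            self._reply(401, b"Unauthorized")
        elif self.headers.get("X-Transmission-Session-Id") != self.SESSION_ID:
            self._reply(409, b"", {"X-Transmission-Session-Id": self.SESSION_ID})
        else:
            self._reply(200, json.dumps({"result": "success"}).encode())

    def _reply(self, status, body, extra_headers=None):
        self.send_response(status)
        for name, value in (extra_headers or {}).items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_fake_daemon():
    """Start the fake RPC daemon on a free loopback port; returns (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), _FakeTransmissionRPC)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    server, port = start_fake_daemon()
    # Point the sweep at the fake daemon's port instead of 9091.
    for line in scan_host("127.0.0.1", rpc_port=port, tor_port=TOR_SOCKS_PORT):
        print(line)
    server.shutdown()
    server.server_close()
```

Against a real host you would call scan_host with the default ports; a Transmission daemon that accepts superman:krypton is a strong indicator, while an open 9050 on its own only says that some Tor client is present and needs further triage.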

Interestingly, two cryptocurrencies are mined: Monero (XMR) via the CPU and Ethereum (ETH) via the GPU.

The malware also checks whether it is running on a desktop or a laptop. On a desktop it mines at full capacity without restraint. On a laptop it monitors the battery: once the charge drops to 30% it stops GPU mining and limits CPU mining to a single thread,

and once it drops to 10% it stops mining altogether, so that the battery drain does not give it away to the victim.

Eset's researchers also identified a Bitcoin address that had collected about 0.3 BTC, around $4,000 at the time.

Finally, the malware checks which antivirus products are installed: if it finds Avast, AVG or Eset, it skips the mining-related components and installs only those used to spread the torrent, which then continues undisturbed.

Alfredo de Candia
Android developer for over 8 years with a dozen developed apps, Alfredo at age 21 climbed Mount Fuji following the saying: "He who climbs Mount Fuji once in his life is a wise man, who climbs it twice is crazy". Among his apps we find a Japanese database, a spam and virus database, the most complete database on Anime and Manga series birthdays and a shitcoin database. A Sunday miner, Alfredo has a passion for crypto and is a fan of EOS.