
Cryptomining trojan malware discovered by ESET researchers

ESET researchers have uncovered a previously undocumented trojan, which they have dubbed KryptoCibule, that spreads through malicious torrents.

The malware’s goal is to steal as many cryptocoins as possible from victims without being detected. It does this by utilising a three-pronged approach: use the victim’s resources to mine coins, replace wallet addresses in clipboards to hijack transactions, and exfiltrate all cryptocurrency-related files.
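To make the clipboard-hijacking prong concrete, here is an added Python example (it is not ESET's analysis code and not code from KryptoCibule itself) that models the address swap and shows the paste-time check a wallet front-end or paste hook could run against it. The address regexes are approximate assumptions covering Bitcoin, Ethereum and Monero formats, which goes beyond the article's generic "wallet addresses"; the attacker wallets and clipboard text are constructed for the example.

```python
import re

# Approximate address formats (assumption: illustrative patterns only, with
# no checksum validation, so they accept some strings that are not valid addresses).
ADDRESS_PATTERNS = {
    "bitcoin_legacy": re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b"),
    "bitcoin_bech32": re.compile(r"\bbc1[a-z0-9]{25,59}\b"),
    "ethereum": re.compile(r"\b0x[a-fA-F0-9]{40}\b"),
    "monero": re.compile(r"\b4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}\b"),
}

# Constructed attacker wallets used by the simulated hijacker (not real addresses).
ATTACKER_WALLETS = {
    "bitcoin_legacy": "1Attacker" + "X" * 20,
    "ethereum": "0x" + "f" * 40,
}


def find_addresses(text):
    """Return every (kind, address) pair found in the text, in pattern order."""
    hits = []
    for kind, pattern in ADDRESS_PATTERNS.items():
        for match in pattern.finditer(text):
            hits.append((kind, match.group(0)))
    return hits


def simulate_hijack(clipboard, attacker_wallets=ATTACKER_WALLETS):
    """Model the clipboard-hijacking component: each address of a kind the
    attacker holds a wallet for is swapped for the attacker's address, while
    all surrounding text is left untouched so the victim notices nothing."""
    out = clipboard
    for kind, pattern in ADDRESS_PATTERNS.items():
        replacement = attacker_wallets.get(kind)
        if replacement:
            out = pattern.sub(replacement, out)
    return out


def check_paste(copied, pasted):
    """Defensive check: compare the addresses present when the user copied
    with the ones that actually arrive on paste. Returns one alert per
    address that was swapped or removed; an empty list means nothing changed."""
    before = set(find_addresses(copied))
    after = set(find_addresses(pasted))
    alerts = []
    for kind, addr in sorted(before - after):
        swapped_in = [a for k, a in sorted(after - before) if k == kind]
        new = swapped_in[0] if swapped_in else "<removed>"
        alerts.append(f"{kind}: {addr} -> {new}")
    return alerts


if __name__ == "__main__":
    # Constructed clipboard content; the address is the well-known Bitcoin genesis address.
    copied = "Pay 0.5 BTC to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa before Friday"
    pasted = simulate_hijack(copied)
    print(pasted)
    for alert in check_paste(copied, pasted):
        print("ALERT", alert)
```

The swap leaves every other character in place, which is exactly why a copied-versus-pasted comparison at the point of use is the practical control: the user sees a plausible address of the right type and has no visual cue. The regexes here only recognise the shape of an address; a real implementation should also run the relevant checksum (Base58Check, bech32, EIP-55) before trusting a match.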

The malware, primarily targeting victims in Czechia and Slovakia, uses multiple techniques to avoid detection, and relies heavily on the Tor network and the BitTorrent protocol for its communications and distribution.

ESET researcher Matthieu Faou says the malware relies on legitimate software as part of its tooling.

“The malware, as written, employs some legitimate software,” says Faou.

“Some, such as Tor and the Transmission torrent client, are bundled with the installer; others are downloaded at runtime, including Apache httpd and the Buru SFTP server.”

While only recently discovered, ESET researchers say the malware has been active since December 2018, during which time new updates have been added and capabilities enhanced. KryptoCibule is ‘under constant development’, according to researchers.

“KryptoCibule has three components that leverage infected hosts in order to obtain cryptocurrencies: cryptomining, clipboard hijacking and file exfiltration,” explains Faou. 

“Presumably, the malware operators were able to earn more money by stealing wallets and mining cryptocurrencies than what we found in the wallets used by the clipboard hijacking component. 

“Alone, the revenue generated by that component does not seem enough to justify the development effort observed,” he adds.

Almost all malicious torrents associated with KryptoCibule were found on a file-sharing site popular in Czechia and Slovakia. 

Additionally, KryptoCibule specifically checks for ESET, Avast and AVG endpoint security products; ESET is headquartered in Slovakia, while the other two are owned by Avast, which is headquartered in Czechia.

ESET’s research comes as more reports emerge affirming the less-than-ideal state of global cybersecurity – a report from Fortinet last month confirmed that 2020 has seen a ‘surge’ in malware, ransomware and botnets.

“The first six months of 2020 witnessed an unprecedented cyber threat landscape,” says FortiGuard Labs chief of security insights and global threat alliances Derek Manky.

“There has never been a clearer picture than now, of why organisations need to adjust their defence strategies going forward to fully take into account the network perimeter extending into the home. 

“It is critical for organisations to take measures to protect their remote workers and help them secure their devices and home networks for the long term.”
