KryptoCibule RAT Mines and Steals Cryptocurrency
A malware family called KryptoCibule has been found that targets cryptocurrency users. Alongside its cryptocurrency-specific features it carries remote access trojan (RAT) functionality that gives its operators a backdoor into infected machines. According to researchers at ESET, the malware has mainly been targeting victims in the Czech Republic and Slovakia. It spreads through fake torrents for ZIP files that are presented as cracked or pirated software and games.
KryptoCibule's cryptocurrency-related features are mining Monero and Ethereum, replacing wallet addresses on the clipboard to divert payments, and stealing cryptocurrency-related files. According to ESET, KryptoCibule uses XMRig, an open-source program that mines Monero, and kawpowminer, another open-source program that mines Ethereum. Both connect to an operator-controlled mining server over a Tor proxy. The malware checks the battery level and the time since the last user input, and starts or stops the miner processes based on this information. If the infected machine has received no user input in the last three minutes and has at least 30 percent battery, both the GPU and CPU miners run without limits. Otherwise, the GPU miner is suspended and the CPU miner is limited to one thread. If the battery level is under 10 percent, both miners are stopped. This throttling keeps the miners from visibly slowing the machine or draining the battery while the user is active, which makes them less likely to be noticed.
A clipboard hijacking feature monitors the clipboard for changes. When the new content looks like a cryptocurrency wallet address, the malware replaces it with an address of the same format that is controlled by the operators, so a payment the user pastes into a wallet application goes to the attackers instead of the intended recipient. The third feature walks the filesystem on every drive looking for file names that match a word list. The list includes the names of various cryptocurrencies and general terms such as blockchain and password.
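A defender's view of the clipboard swap described above, as an added example that is not part of the original article or of ESET's analysis. It assumes a feed of clipboard-change events (here a constructed list, each with a timestamp, the new clipboard text and the process that set it) and flags a wallet address that is replaced within a couple of seconds by a different address in the same format, which is what a hijacker does and a user almost never does. The address patterns, the event structure, the `max_gap` threshold and the sample events are all the author's assumptions for illustration, not anything taken from the malware.

```python
import re
from dataclasses import dataclass

# Loose address-format patterns for the coins the article names, plus Bitcoin, the
# most common clipboard-hijacking target. They classify a clipboard string; they do
# not validate checksums. (Assumed patterns for this example.)
ADDRESS_PATTERNS = {
    "BTC": re.compile(r"^(bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "ETH": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "XMR": re.compile(r"^[48][1-9A-HJ-NP-Za-km-z]{94}$"),
}


def classify(text):
    """Return the coin whose address format the text matches, or None."""
    text = text.strip()
    for coin, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return coin
    return None


@dataclass
class ClipboardEvent:
    t: float      # seconds since monitoring started
    text: str     # new clipboard contents
    source: str   # process that set the clipboard, if the monitor knows it


def detect_swaps(events, max_gap=2.0):
    """Flag a wallet address replaced, within max_gap seconds, by a different
    address of the same coin format.  A non-address clipboard write resets the
    comparison, so only address-to-address replacements are considered."""
    alerts = []
    prev = None  # last clipboard event that held an address
    for ev in events:
        coin = classify(ev.text)
        if (prev is not None and coin is not None
                and coin == classify(prev.text)
                and ev.text.strip() != prev.text.strip()
                and ev.t - prev.t <= max_gap):
            alerts.append({
                "coin": coin,
                "original": prev.text,
                "replacement": ev.text,
                "gap_seconds": round(ev.t - prev.t, 3),
                "replaced_by": ev.source,
            })
        prev = ev if coin is not None else None
    return alerts


# Constructed sample events (not real addresses): lengths are built by repetition
# so each string matches exactly one pattern above.
SAMPLE_EVENTS = [
    ClipboardEvent(0.0, "1" + "A" * 33, "explorer.exe"),   # user copies a BTC address
    ClipboardEvent(0.3, "1" + "B" * 33, "unknown"),        # swapped for another BTC address
    ClipboardEvent(10.0, "0x" + "a" * 40, "chrome.exe"),   # user copies an ETH address
    ClipboardEvent(10.4, "0x" + "a" * 40, "chrome.exe"),   # same address again: not a swap
    ClipboardEvent(30.0, "0x" + "b" * 40, "chrome.exe"),   # different address 20 s later: user
    ClipboardEvent(40.0, "meeting notes", "notepad.exe"),  # non-address resets the comparison
    ClipboardEvent(41.0, "4" + "AB" * 47, "chrome.exe"),   # user copies an XMR address
    ClipboardEvent(41.2, "8" + "CD" * 47, "unknown"),      # swapped for another XMR address
]


if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_EVENTS):
        print(f"[{alert['coin']}] {alert['original']} -> {alert['replacement']} "
              f"after {alert['gap_seconds']} s by {alert['replaced_by']}")
```

On a real host the event feed would come from a clipboard monitor (on Windows, a clipboard format listener that also records the owning process), and the two flagged events in the sample, the BTC and XMR replacements a fraction of a second after the user's copy, are the pattern to alert on. The 20-second ETH change is left alone because a user pasting one address and then copying another is normal behaviour.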
On top of everything, KryptoCibule also has RAT functionality, which allows the operators to execute arbitrary commands on the infected machine. It also installs a PowerShell script that loads a backdoor for persistent access and can download additional tools and updates. The malware uses the BitTorrent protocol in both roles: for its initial distribution through torrents and for fetching those additional tools and updates.
KryptoCibule is a sophisticated malware family with unusual features. It has been around since 2018 and is still active, but it did not attract much attention until now, most likely because its use of open-source tools is combined with a range of anti-detection methods. New capabilities have regularly been added over its lifetime, and it continues to be under active development.