ESET researchers have announced the discovery of a previously unknown family of “trojan malware” that spreads through malicious “torrents” and uses multiple methods to extract as much cryptocurrency from its victims as possible while remaining undetected.
ESET called the threat “KryptoCibule” and, according to its telemetry, the malware appears to be aimed primarily at users in the Czech Republic and Slovakia.
This malware poses a triple threat to cryptocurrency holders: it uses the victim’s resources to mine coins, attempts to hijack transactions by replacing “wallet” addresses on the “clipboard”, and exfiltrates cryptocurrency-related files, while employing multiple techniques to remain undetected. “KryptoCibule” makes extensive use of the “Tor” network and the “BitTorrent” protocol in its communication infrastructure.
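As an added defensive illustration (not code from ESET or from the article), a small monitor that flags the clipboard-swap pattern described above: a wallet address the user copied is silently replaced by a different address of the same currency within seconds. The clipboard events and addresses are constructed, the regexes are format checks only (no checksum validation), and the user_copy flag is assumed to come from a keyboard hook.

```python
import re
from dataclasses import dataclass

# Address shapes commonly targeted by clipboard hijackers (format checks only).
ADDRESS_PATTERNS = {
    "BTC": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{11,71})$"),
    "ETH": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "XMR": re.compile(r"^4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}$"),
}

@dataclass
class ClipboardEvent:
    t: float         # seconds since the monitor started
    content: str     # clipboard text after the change
    user_copy: bool  # assumed: True when a user copy (Ctrl+C) caused the change

def classify(text):
    """Return the currency whose address shape `text` matches, else None."""
    text = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return name
    return None

def detect_swaps(events, window=2.0):
    """Flag a same-currency address replacement that happened without a
    user copy action within `window` seconds of the user's own copy."""
    alerts, last = [], None
    for ev in events:
        cur = classify(ev.content)
        if (last is not None and cur is not None and cur == classify(last.content)
                and ev.content.strip() != last.content.strip()
                and not ev.user_copy and ev.t - last.t <= window):
            alerts.append((cur, last.content, ev.content))
        last = ev
    return alerts

# Constructed sample data: obviously synthetic addresses and a short event trace.
VICTIM_BTC = "1" + "V" * 33
ATTACKER_BTC = "1" + "M" * 33
VICTIM_ETH = "0x" + "a" * 40
SAMPLE_EVENTS = [
    ClipboardEvent(0.0, "invoice #1234", True),
    ClipboardEvent(5.0, VICTIM_BTC, True),     # user copies the real address
    ClipboardEvent(5.3, ATTACKER_BTC, False),  # silent overwrite: alert
    ClipboardEvent(20.0, VICTIM_ETH, True),
    ClipboardEvent(40.0, "0x" + "b" * 40, True),  # user's own copy: no alert
]

if __name__ == "__main__":
    for currency, before, after in detect_swaps(SAMPLE_EVENTS):
        print(f"ALERT {currency}: {before} -> {after}")
```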
ESET has identified many versions of “KryptoCibule”, allowing its researchers to trace the malware’s evolution from December 2018 to the present day. The malware remains active; new features have been added over its lifetime and it is constantly evolving.
Most of the victims are located in the Czech Republic and Slovakia, which reflects the user base of the site where the infected torrents are hosted. Almost all malicious “torrents” were available on “uloz.to”, a popular file-sharing site in the two countries.
In addition, “KryptoCibule” checks specifically for the presence of ESET, Avast, and AVG security products.
ESET is based in Slovakia, while the other two are owned by Avast, which is based in the Czech Republic.
More technical details about “KryptoCibule” can be found in the related blog post, “KryptoCibule: The multitasking multicurrency cryptocurrency”, on “WeLiveSecurity”.