
KryptoCibule

Posted: September 2, 2020

KryptoCibule is a new malware family whose authors appear to focus exclusively on stealing cryptocurrency and cryptocurrency-related data. The threat's activity is concentrated in Slovakia and the Czech Republic, but it is still not clear why the malware's creators have chosen to go after these two regions. According to anti-virus vendors, copies of KryptoCibule are being propagated via torrent trackers, bundled with pirated games or software. Since the malware's goal is to hijack cryptocurrency transactions and collect files, it tries to be as stealthy as possible: victims may not notice anything out of the ordinary after KryptoCibule has compromised their systems.

KryptoCibule Focuses on Cryptocurrency Mining, Cryptojacking and Data Collection

Usually, malware families that specialize in cryptojacking focus on just one aspect: hijacking transactions, planting a cryptocurrency miner, or collecting cryptocurrency wallets. KryptoCibule, however, covers all three bases. It installs a trojanized cryptocurrency miner; in the meantime, it monitors the Windows clipboard for cryptocurrency wallet addresses, which it replaces with addresses owned by the attacker; and, last but not least, it tries to collect files used by a popular cryptocurrency wallet application.

KryptoCibule Poses as an Adobe Updater Utility

Many of the KryptoCibule samples tried to mask their presence by using directories and filenames linked to Adobe Acrobat Reader. For example, the malware's files were often stored in an 'Adobe\Acrobat Reader\' folder, and the malware created a new scheduled task called 'Adobe Update Task' to gain persistence.
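As an added illustration (not code from the article or from its sources), the script below triages the CSV export of `schtasks /query /fo CSV /v` and flags Adobe-themed scheduled tasks whose action binary lives outside the usual Adobe installation directories. The sample CSV, the user path in it and the list of legitimate Adobe roots are constructed assumptions for this example, and the CSV carries only a subset of the real columns.

```python
"""Triage Windows scheduled tasks for Adobe look-alike persistence entries.

Added example: parses the CSV form of `schtasks /query /fo CSV /v` and reports
tasks that use an Adobe-themed name or command but run an executable outside
the directories where Adobe products are normally installed.
"""
import csv
import io
import re
from typing import Dict, List

# Constructed sample (subset of the real columns). The second row mimics the
# persistence described in the article: a task named 'Adobe Update Task'
# that runs a binary from an 'Adobe\Acrobat Reader\' folder in a user profile.
SAMPLE_CSV = r'''"HostName","TaskName","Task To Run","Author"
"WS01","\Adobe Acrobat Update Task","""C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"" /PRODUCT:Reader","Adobe Systems Incorporated"
"WS01","\Adobe Update Task","""C:\Users\alice\AppData\Roaming\Adobe\Acrobat Reader\update.exe""","WS01\alice"
"WS01","\Nightly Backup","C:\Tools\backup.exe /full","WS01\alice"
'''

# Assumption of this example: legitimate Adobe binaries live under these roots.
LEGIT_ROOTS = (
    r"c:\program files\adobe",
    r"c:\program files (x86)\adobe",
    r"c:\program files\common files\adobe",
    r"c:\program files (x86)\common files\adobe",
)
ADOBE_HINT = re.compile(r"adobe", re.IGNORECASE)


def run_path(task_to_run: str) -> str:
    """Return the executable path from a 'Task To Run' field, handling quoting."""
    s = task_to_run.strip()
    if s.startswith('"'):
        return s[1 : s.find('"', 1)]
    return s.split(" ", 1)[0]


def suspicious_adobe_tasks(schtasks_csv: str) -> List[Dict[str, str]]:
    """Flag Adobe-themed tasks whose executable is outside the Adobe roots."""
    hits = []
    for row in csv.DictReader(io.StringIO(schtasks_csv)):
        name, cmd = row["TaskName"], row["Task To Run"]
        if not (ADOBE_HINT.search(name) or ADOBE_HINT.search(cmd)):
            continue  # not pretending to be Adobe; out of scope for this check
        exe = run_path(cmd).lower()
        if not exe.startswith(LEGIT_ROOTS):
            hits.append({"task": name, "exe": exe})
    return hits


if __name__ == "__main__":
    for hit in suspicious_adobe_tasks(SAMPLE_CSV):
        print(f"suspicious task {hit['task']!r} runs {hit['exe']}")
```

On a live host, pipe the real `schtasks /query /fo CSV /v` output into `suspicious_adobe_tasks` instead of the constructed sample.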

The earliest KryptoCibule samples date back to December 2018, and there are plenty of differences between the oldest and newest versions, which shows that the authors are actively updating the payload and introducing new features. While KryptoCibule does not stand out for any unique functionality, it does use one interesting technique that helps it reach more potential victims. Once KryptoCibule has executed successfully, it downloads a legitimate torrent client and then uses the victim's machine to seed the corrupted torrents that carry KryptoCibule's payload. Since users tend to pick the torrents with the highest number of active seeders, this simple trick is likely to generate more downloads for KryptoCibule.

KryptoCibule is exceptionally threatening because it executes its tasks silently, without alerting the user to its presence. The only way to stay safe from stealthy threats like this one is to use an up-to-date anti-malware software suite at all times.
