KrуptoCibule is a new malware family whose authors appear to focus on hijacking cryptocurrency coins and data related to cryptocurrency exclusively. The threat's activity is concentrated in Slovakia and the Czech Republic, but it is still not clear why the creators of the malware have opted to go after these two specific regions. According to anti-virus product vendors, copies of the KrуptoCibule malware are being propagated via torrent trackers and pirated games or software. Since the malware's goal is to hijack cryptocurrency transactions and collect files, it tries to be as stealthy as possible – its victims may not notice anything out of the ordinary if the KrуptoCibule has compromised their systems.
KryptoCibule Focuses on Cryptocurrency Mining, Cryptojacking and Data Collection
Usually, malware families that specialize in crypto-jacking attacks focus on just one aspect – hijacking transactions, planting a cryptocurrency miner or collecting cryptocurrency wallets. The KrуptoCibule malware, however, covers all three bases – it will install a trojanized cryptocurrency miner and, in the meantime, it will monitor the Windows clipboard for cryptocurrency wallet addresses that can be replaced with ones owned by the attacker. Last but not least, KrуptoCibule tries to collect files used by a popular cryptocurrency wallet software.
KryptoCibule Poses as an Adobe Updater Utility
Many of the KryptoCibule samples were trying to mask their presence by using directories and filenames linked to Adobe Acrobat Reader. For example, the malware's files were often stored in the 'Adobe\Acrobat Reader\ folder, and the malware created a new scheduled task called 'Adobe Update Task' to gain persistence.
The earliest samples of the KryptoCibule date back to December 2018, and there are plenty of differences between the oldest and newest versions. This shows that the authors of KryptoCibule are updating the malware payload actively and introducing new features. While KryptoCibule does not shine with any unique functionality, it does have one interesting technique that helps it reach more potential victims. When the KryptoCibule is executed successfully, it will download a legitimate torrent client, and then use the victim's machine to seed the corrupted torrents that contain KryptoCibule's payload. Since users tend to go after the torrents with the highest numbers of active seeders, it is likely that KryptoCibule's simple trick will help it generate more downloads.
KryptoCibule is exceptionally threatening due to its ability to execute its tasks silently, without alerting the user of its presence. The only way to stay safe from stealthy threats like this one is to use an up-to-date anti-malware software suite at all times.
Use SpyHunter to Detect and Remove PC Threats
If you are concerned that malware or PC threats similar to KryptoCibule may have infected your computer, we recommend you start an in-depth system scan with SpyHunter. SpyHunter is an advanced malware protection and remediation application that offers subscribers a comprehensive method for protecting PCs from malware, in addition to providing one-on-one technical support service.
Why can't I open any program including SpyHunter? You may have a malware file running in memory that kills any programs that you try to launch on your PC. Tip: Download SpyHunter from a clean computer, copy it to a USB thumb drive, DVD or CD, then install it on the infected PC and run SpyHunter's malware scanner.