KryptoCibule malware dodges antivirus to steal cryptocurrency

silversurfer (thread author)
Threat researchers discovered a new malware family that is fully focused on getting as much cryptocurrency as possible from its victims. For this purpose, it steals wallets, hijacks transactions, and starts mining on infected machines.

Named KryptoCibule, the malware has managed to stay under the radar for almost two years, extending its functionality with each new version.

In a technical analysis released today, researchers at ESET note that KryptoCibule relies heavily on the Tor network to communicate with its command and control (C2) servers.

It spreads via malicious torrents in archives pretending to be installers for pirated versions of popular software and games. When the executable is launched, the malware installation starts in the background while the expected routine for the cracked product runs in the foreground.

This drill, along with the fact that it seems to target users in the Czech Republic and Slovakia (more than 85% of ESET’s detections are from these countries), allowed the malware to avoid attention for so long.

Attacking these regions is likely intentional, as researchers discovered that the anti-analysis and detection mechanisms in KryptoCibule specifically check for ESET, Avast, and AVG (subsidiary of Avast) security products, which are based in these two countries.
Full report below by researchers:
