Skip to content

ESET warns of new malware that mines and steals cryptocurrencies

September 11, 2020

ESET researchers discovered a previously undocumented family of malware called KryptoCibule. This was reported by Press Peru on September 10th.

As they declared This malware poses a triple threat related to cryptocurrencies: “It uses the victim’s resources to mine coins, tries to take control of transactions by replacing wallet addresses on the clipboard, and filters out files (malicious code can do this . “Sending documents from the affected computer to the cybercriminal (related to cryptocurrencies) using several techniques to avoid detection. On the other hand, KryptoCibule makes extensive use of the Tor network and BitTorrent protocol in its communication infrastructure scope“.

In the article they further stated: “The malware also uses legitimate software. Some, like Tor and Transmission, are included in the installer. Others are downloaded at runtime, including Apache httpd and the SFTP Buru server“.

ESET warns of new malware that mines and steals cryptocurrenciesESET warns of new malware that mines and steals cryptocurrencies

Then they added: “KryptoCibule spreads via malicious ZIP file torrents whose content poses as pirated or cracked software and game installers. When Setup.exe is run, both the malware and the expected installation files are decoded. It then launches the malware (in the background) and the expected installer without giving the victim any indication that anything is wrong. “

It should be mentioned that Victims are also used to seed both the torrents used by malware and the malicious torrents that contribute to its spread. This makes files available for others to download. This speeds up downloading and provides redundancy.

Apparently there are multiple versions: “Researchers discovered multiple versions of this malware that made it possible to track its evolution since December 2018.”


The KryptoCibule malware remains active but does not appear to have attracted much attention so far.

Camilo Gutiérrez Amaya, Head of ESET Latin America Laboratory, announced some details – quoted from Press Peru -:

At the time this information was released, the wallets that the component used to take control of the clipboard had received Bitcoin and Ethereum for a little over $ 1,800. The relatively small number of victims (in the hundreds) and the fact that it is mainly limited to two countries contribute to its low profile. ”

Then he added:

“KryptoCibule has been regularly expanded with new functions throughout its lifespan and is currently being actively developed. Presumably, the operators of this malware were able to make more money by stealing wallets and mining cryptocurrencies than in the wallets for which the component was used Clipboard. The income from this component alone does not seem to be sufficient to justify the observed development effort. “


Eset’s We Live Security website, published on September 3rd, states that, according to ESET telemetry, the malware mainly targets users in the Czech Republic and Slovakia. “This reflects the user base of the site where the infected torrents reside,” they said.

You might be interested in:

Receive Breaking News !

Enable Notifications    Ok No thanks