Security researchers at Slovak security firm ESET have discovered a new family of malware that they say has been using a variety of techniques to steal cryptocurrency from unsuspecting users since at least December 2018.

The malware, which has been named KryptoCibule, uses a variety of legitimate technology – including Tor and the Transmission torrent client – as part of its scheme to mine cryptocurrency, divert digital currency transactions into its creators’ own accounts, and plant a backdoor for hackers to remotely access infected systems.

KryptoCibule poses a three-pronged threat when it comes to cryptocurrency.

Firstly, it exploits the CPU and GPU of infected computers to mine for Monero and Ethereum. In an attempt to avoid detection by the legitimate user of the computer, KryptoCibule monitors the battery level of infected devices and will not do any mining if the battery is at less than 10% capacity.

If the battery level status is between 10% and 30%, however, Ethereum-mining via the GPU is suspended and only Monero-mining via the CPU takes place, albeit limited to one thread.

However, if the battery level is 30% or more and there has been no user activity for the last three minutes, “both the GPU and CPU miners are run without limits.”

In this way, KryptoCibule attempts to surreptitiously mine cryptocurrency on infected PCs without users detecting anything suspicious.
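The idle- and battery-gated behaviour described above is also what gives a defender a handle on it: a normal workstation sheds load when nobody is using it, whereas a host running an idle-gated miner does the opposite. The following is an added detection example, not code from ESET's report or from the malware; it encodes the three thresholds the article gives (three minutes idle, 10% and 30% battery), buckets constructed telemetry samples by those regimes, and flags a host whose compute load while idle on a healthy battery is far higher than while the user is active. The telemetry layout, the `min_gap` threshold and the sample values are assumptions chosen for illustration.

```python
from statistics import mean

# Thresholds taken from the behaviour described in the article.
IDLE_AFTER_S = 180         # "no user activity for the last three minutes"
UNRESTRICTED_BATTERY = 30  # battery >= 30% -> both miners run without limits
NO_MINING_BATTERY = 10     # battery < 10%  -> no mining at all


def state(idle_s, battery_pct):
    """Map one telemetry sample to the regime the article describes."""
    if battery_pct < NO_MINING_BATTERY:
        return "battery_low"
    if idle_s < IDLE_AFTER_S:
        return "active"
    if battery_pct >= UNRESTRICTED_BATTERY:
        return "idle_charged"
    return "idle_low"


def idle_load_anomaly(samples, min_gap=40.0):
    """Compare compute load while the user is active against load while the
    machine is idle on a healthy battery. A large positive gap is the
    signature of idle-gated mining; ordinary workstations drop load when idle.
    Returns None when one of the two groups has no samples (assumed threshold)."""
    groups = {}
    for idle_s, battery_pct, cpu_pct, gpu_pct in samples:
        # Use the busier of CPU and GPU so both miners are covered.
        groups.setdefault(state(idle_s, battery_pct), []).append(max(cpu_pct, gpu_pct))
    if "active" not in groups or "idle_charged" not in groups:
        return None
    active_mean = mean(groups["active"])
    idle_mean = mean(groups["idle_charged"])
    return {
        "active_mean": active_mean,
        "idle_mean": idle_mean,
        "gap": idle_mean - active_mean,
        "suspicious": idle_mean - active_mean >= min_gap,
    }


# Constructed telemetry, one sample per minute (not real data):
# (seconds since last user input, battery %, CPU %, GPU %).
INFECTED_HOST = [
    (30, 80, 15, 5), (60, 80, 25, 10), (120, 79, 20, 5), (10, 78, 30, 8),          # user active
    (200, 78, 97, 99), (260, 77, 99, 98), (320, 76, 96, 99), (380, 75, 98, 97),    # idle, charged
    (440, 25, 55, 2), (500, 22, 58, 1),                                            # idle, 10-30%: CPU only
    (560, 8, 3, 1),                                                                # idle, <10%: miners stopped
]

HEALTHY_HOST = [
    (30, 80, 15, 5), (60, 80, 25, 10), (120, 79, 20, 5), (10, 78, 30, 8),
    (200, 78, 4, 1), (260, 77, 3, 1), (320, 76, 5, 2), (380, 75, 4, 1),
]

if __name__ == "__main__":
    for name, samples in (("infected", INFECTED_HOST), ("healthy", HEALTHY_HOST)):
        print(name, idle_load_anomaly(samples))
```

The point of bucketing by the malware's own regimes is that the "idle_low" and "battery_low" samples are deliberately excluded from the comparison: a throttled or stopped miner would otherwise drag the idle average down and hide the gap.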

Secondly, the KryptoCibule malware monitors the user’s clipboard. If it detects that a legitimate cryptocurrency wallet address has been placed in the clipboard it silently replaces it with one of its own – meaning that users might unwittingly transfer funds directly into the hackers’ own digital pockets.
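The defence against this kind of clipboard substitution is to compare what the user actually copied with what the clipboard holds at paste time. The following is an added example of that check, written here to illustrate the attack described above; it is not ESET's code and not the malware's. It assumes Bitcoin Base58Check (P2PKH/P2SH) and Ethereum hex address formats as the address shapes to recognise, uses two well-known public example addresses rather than any address from the report, and models the clipboard as a constructed trace of copy/read events.

```python
import hashlib
import re

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
ETH_ADDRESS_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")


def base58check_valid(text):
    """True if text is a well-formed Base58Check string as used by Bitcoin
    P2PKH/P2SH addresses: 25 bytes whose last 4 equal the first 4 bytes of
    SHA256(SHA256(first 21 bytes))."""
    if not text or any(c not in B58_ALPHABET for c in text):
        return False
    n = 0
    for c in text:
        n = n * 58 + B58_ALPHABET.index(c)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    leading_zeros = len(text) - len(text.lstrip("1"))  # each leading '1' encodes a 0x00 byte
    raw = b"\x00" * leading_zeros + body
    if len(raw) != 25:
        return False
    payload, checksum = raw[:21], raw[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def looks_like_wallet_address(text):
    """Assumed address shapes for this example: Ethereum hex or Bitcoin Base58Check."""
    text = text.strip()
    return bool(ETH_ADDRESS_RE.match(text)) or base58check_valid(text)


class ClipboardGuard:
    """Remembers the last value the user deliberately copied and reports when a
    later clipboard read returns a *different* valid-looking wallet address:
    the user did not change it, so something else on the host did."""

    def __init__(self):
        self.expected = None

    def user_copied(self, text):
        self.expected = text.strip()

    def clipboard_read(self, text):
        current = text.strip()
        if self.expected is None or not looks_like_wallet_address(self.expected):
            return None  # the user did not copy an address; nothing to protect
        if current == self.expected or not looks_like_wallet_address(current):
            return None
        return {"copied": self.expected, "found": current}


def replay(events):
    """Run ('copy', text) / ('read', text) events through the guard and return
    every suspected substitution."""
    guard = ClipboardGuard()
    alerts = []
    for kind, text in events:
        if kind == "copy":
            guard.user_copied(text)
        elif kind == "read":
            alert = guard.clipboard_read(text)
            if alert:
                alerts.append(alert)
    return alerts


# Constructed clipboard trace. The Bitcoin addresses are public, well-known
# example addresses; the Ethereum strings are synthetic placeholders.
TRACE = [
    ("copy", "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"),
    ("read", "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"),  # untouched: no alert
    ("read", "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"),  # silently swapped: alert
    ("copy", "0x" + "ab" * 20),
    ("read", "0x" + "cd" * 20),                       # swapped Ethereum address: alert
]

if __name__ == "__main__":
    for alert in replay(TRACE):
        print("clipboard address replaced:", alert)
```

Validating the checksum matters: a guard that only compares strings would also fire on every ordinary re-copy, while one that only checks length and alphabet would accept a truncated or mistyped address as "an address". Note that the guard does not protect a user who copied non-address text and later finds an address in the clipboard; a stricter policy could alert on that as well.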

Thirdly, the malware scouts drives attached to an infected computer, hunting for files which might contain content of interest – such as passwords and private keys.
