KryptoCibule: Multi-task and multi-currency password stealing (Preface)

ESET researchers discovered a previously undocumented malware family, which we named KryptoCibule. For cryptocurrency users, this malware is a triple threat: it uses the victim's resources to mine coins, attempts to hijack transactions by replacing the wallet address in the clipboard, and exfiltrates files related to cryptocurrency, while deploying multiple techniques to avoid detection. KryptoCibule makes extensive use of the Tor network and the BitTorrent protocol in its communication infrastructure.
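The clipboard-hijacking behaviour described above (a copied wallet address silently replaced by another one) is something a defender can look for on the endpoint. The following is an added illustration, not code from ESET or from the Seebug paper: it takes a time-ordered list of clipboard samples, as a polling monitor would collect, and flags the moment an address of one coin is replaced by a different address of the same coin within a few seconds. The address patterns, the 5-second window and the sample clipboard contents are all assumptions constructed for this example; the addresses are made up and not real wallets.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Rough address-shape patterns for a few coins. Assumption: these are simplified
# for the demo (no checksum validation) and would need tuning in production.
ADDRESS_PATTERNS = {
    "BTC": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{39,59})$"),
    "ETH": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "XMR": re.compile(r"^4[1-9A-HJ-NP-Za-km-z]{94}$"),
}

# Assumption: a person rarely copies two different addresses of the same coin this quickly.
SWAP_WINDOW_SECONDS = 5.0


def classify_address(text: str) -> Optional[str]:
    """Return the coin whose address shape `text` matches, or None for non-address content."""
    candidate = text.strip()
    for coin, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(candidate):
            return coin
    return None


@dataclass
class ClipboardSwap:
    coin: str
    original: str
    replaced: str
    seconds_apart: float


def detect_clipboard_swaps(observations: List[Tuple[float, str]]) -> List[ClipboardSwap]:
    """Flag consecutive clipboard samples where an address of coin X is replaced by a
    different address of the same coin within SWAP_WINDOW_SECONDS.
    `observations` is a time-ordered list of (seconds, clipboard_text) samples."""
    swaps: List[ClipboardSwap] = []
    previous_time: Optional[float] = None
    previous_text: Optional[str] = None
    previous_coin: Optional[str] = None
    for timestamp, raw_text in observations:
        text = raw_text.strip()
        coin = classify_address(text)
        if (
            coin is not None
            and coin == previous_coin          # same coin as the last sample ...
            and text != previous_text          # ... but a different address ...
            and timestamp - previous_time <= SWAP_WINDOW_SECONDS  # ... changed very quickly
        ):
            swaps.append(ClipboardSwap(coin, previous_text, text, timestamp - previous_time))
        previous_time, previous_text, previous_coin = timestamp, text, coin
    return swaps


# Constructed clipboard samples for the demo; none of these are real wallet addresses.
LEGACY_BTC = "1" + "A" * 33                    # legacy P2PKH shape
BECH32_BTC = "bc1q" + "a" * 20 + "0" * 18      # bech32 shape
ETH_A = "0x" + "a" * 40
ETH_B = "0x" + "b" * 40
ETH_C = "0x" + "c" * 40

SAMPLE_OBSERVATIONS = [
    (0.0, "meeting notes"),
    (1.0, LEGACY_BTC),    # user copies a payment address
    (1.5, BECH32_BTC),    # half a second later it is a different BTC address: suspicious
    (10.0, "hello"),
    (12.0, ETH_A),
    (12.3, ETH_B),        # suspicious
    (30.0, ETH_B),        # unchanged, fine
    (100.0, ETH_C),       # different address, but over a minute later: likely a genuine copy
]

if __name__ == "__main__":
    for swap in detect_clipboard_swaps(SAMPLE_OBSERVATIONS):
        print(f"[{swap.coin}] {swap.original} -> {swap.replaced} ({swap.seconds_apart:.1f}s apart)")
```

Run stand-alone it reports the BTC and ETH replacements and stays quiet on the later ETH copy. The window-based heuristic will miss a swap that happens after the user waits, and will misfire on someone who really does copy two addresses back to back, so in practice it is a hint to correlate with process activity (which process wrote to the clipboard), not a verdict on its own.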

The malware was written in C and relies on several pieces of legitimate software. Some, such as the Tor client and the Transmission torrent client, are bundled with the installer. Others are downloaded at runtime, including Apache httpd and the Buru SFTP server. Figure 1 shows an overview of the various components and their interactions.

For more information, read the full text on Seebug Paper: paper.seebug.org/1326/