fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

KryptoCibule Malware Dodges Antivirus To Steal Cryptocurrency

KryptoCibule Malware Dodges Antivirus To Steal Cryptocurrency

Threat researchers discovered a new malware family that is fully focused on getting as much cryptocurrency as possible from its victims. For this purpose, it steals wallets, hijacks transactions, and starts mining on infected machines.

Named KryptoCibule, the malware has managed to stay under the radar for almost two years, extending its functionality with each new version.

Dodging antivirus solutions

In a technical analysis released today, researchers at ESET note that KryptoCibule relies heavily on the Tor network to communicate with its command and control (C2) servers.

It spreads via malicious torrents in archives pretending to installers for pirated versions of popular software and games. When launching the executable, malware installation starts in the background and the expected routine for the cracked product runs in the foreground.

This drill, along with the fact that it seems to target users in the Czech Republic and Slovakia (more than 85% of ESET’s detections are from these countries), allowed the malware to avoid attention for so long.

Attacking these regions is likely intentional, as researchers discovered that the anti-analysis and detection mechanisms in KryptoCibule specifically check for ESET, Avast, and AVG (subsidiary of Avast) security products, which are based in these two countries.

If any of the strings in the image above are detected, the malware takes a raincheck on installing the cryptominer components.

This detail contributed to naming the malware KryptoCibule, which is a mix of  the Czech and Slovak words for “crypto“ and “onion.”

Evasion tactics do not stop at this, though. Executing the payload happens only if processes for specific analysis software are missing on the computer. The researchers provide the following list:•

•cain, •filemon, •netmon, •netstat, •nmwifi, •perfmon, •processhacker, •procexp, •procexp64, •procmon, •regmon, •tasklist, •taskmgr, •tcpvcon, •tcpview, •wireshark

Stealthy coin mining

Typically, cryptocurrency-related malware goes after the wallets or hijacks transactions but KryptoCibule is a triple threat as it also deploys miners that use both CPU and GPU resources for Monero and Ethereum.

Mining for cryptocurrency is a resource intensive operation likely to draw attention. In this case, though, the process runs unrestricted only if there was no user input for the last three minutes and the computer’s battery level is above 30%.

Also read: 10 Tips For Drafting Key Terms In A Service Agreement

If these conditions are not met, the Ethereum miner is suspended and the one for Monero uses only one thread. All mining stops when battery level is below 10%.

It is unclear how much money KryptoCibule operators made from these processes but researchers found that some wallets used by the transaction hijacking component received a measly $1,800 in Bitcoin and Ethereum. This amount is likely not reflecting the author’s earnings from the malware as it is too small “to justify the development effort observed.”

A third component related to cryptocurrency searches the filesystem for entries with names specific to wallets, miners, and digital coins, as well as “password” and “bank,” or other type of sensitive files (.SSH, .AWS).

Apart from its focus on cryptocurrency, the threat features other tools that give its operators remote access to the compromised host. The attackers can spawn a backdoor using Pupy post-exploitation tool.

To add other tools on an infected computer, the malware installs the Transmission BitTorrent client, which receives remote commands via the RPC interface on the default port. Access to the interface is restricted and the credentials (superman:krypton) are hardcoded.

“To install further software for the malware’s use, such as the SFTP server, the Launcher component makes an HTTP GET request to ‘%C&C%/softwareinfo?title=’ and receives a JSON response containing a magnet URI1 for the torrent to download and other information indicating how to install and execute the program” – ESET

All this functionality is the result of close to two years of development as the researchers were able to track the malware to December 2018. In the image below, they show how KryptoCibule evolved to what it is today.

Also read: 10 Best, Secured And Trusted Disposal Contractor In Singapore

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us