KryptoCibule, a Windows malware triple threat for cryptocurrency users

[Charles-Tim]

I have just read about this malware today, it has been existing since 2018 but also under modification. According to the cybersecurity firm, KryptoCibule’s developers rely on the Tor network and BitTorrent protocol to coordinate the attacks. According to the company, KryptoCibule is aimed at cryptocurrency users, with the malware's main three features being to:

1. Install a cryptocurrency miner on victims' systems (specifically mining Monero)
2. Steal cryptocurrency wallet-related files (wallets can be compromized in this way, all coins can be stoked by the attacker)
3. Replace wallet addresses in the operating system's clipboard to hijack cryptocurrency payments.


The malware has been existing since 2018 and has also been in development.
https://www.zdnet.com/google-amp/article/new-kryptocibule-windows-malware-is-a-triple-threat-for-cryptocurrency-users/



How the malware attack:
More details: https://www.zdnet.com/google-amp/article/new-kryptocibule-windows-malware-is-a-triple-threat-for-cryptocurrency-users/



Advice:
I have noticed how this type of malware works is not new, it mines using someone's wallet device, it steals wallet files, and also can change recipient  address to attackers addresses. We can steal make use of the normal safety measure to protect ourselves from malware.

1. We should use antimalware, but this is just for in case purpose, very possible certain malware can be developed to bypass the antimalware. Also updating the antimalware is very important.

2. Not using our wallet devices for online purposes than using it for only sensitive purposes, like using it for making transactions, having our other accounts like exchange accounts on it. Using it for other purposes like downloading social files is highly dangerous.

3. Also, we should be mindful of the links we visit, any link can contain malware, even a safe and secure link can lead you to a malware link.

4. We should be mindful of pirated files.


Question
Do you people think we are in the era of using our wallet devices only for wallet purposes by not using it for social media and other online social-related related purposes (not to use it for any other purpose than wallet related)? I will like us to emphasize on this issue.

For beginners on the forum, this link can be helpful
How to secure crypto wallets
https://bitcointalk.org/index.php?topic=5235930.msg54107672#msg54107672

You can also read about the attack on cointelegraph.
https://cointelegraph.com/news/researchers-are-calling-this-new-malware-a-triple-threat-for-crypto-users

[Yogee]

Two years it stayed under the radar. It's just another testament that anti-virus are reactive. They are only effective against known threats but powerless against new malwares. We shouldn't rely heavily on these AV's for our online security.

4. We should be mindful of pirated files.

Don't just be mindful, don't install them. Some people knowingly install these pirated softwares since it's less costly or given for free.

Do you people think we are in the era of using our wallet devices only for wallet purposes by not using it for social media and other online social-related related purposes (not to use it for any other purpose than wallet related)?

I'm sorry but can you rephrase your question and make it more clear for us? I seriously have no idea what you mean here.

[Charles-Tim]

I'm sorry but can you rephrase your question and make it more clear for us? I seriously have no idea what you mean here.

I noticed crypto users in one way or the other unknowing install malware, that if they make use of the device for wallet purposes, trading and such related purpose only, it could have safe them from malware installation. That if another device is used for accessing social media, downloading files and other daily use will be better. Like me, I have two devices, one for accessing wallet, and the other for accessing social media, downloading files and for other daily use.

[Coyster]

That if another device is used for accessing social media, downloading files and others will be better. Like me, I have two devices, one for accessing wallet, and the other for accessing social media, downloading files and for other daily use.

For users who don't own a hardware wallet, then using two devices like you is also a good option. It's possible to have your wallets in one device though, and still use it for other online activities, without compromise, but it's really very worrisome, it will limit your online activities. You will definitely have to download things once in a while and one mistaken click/download can make you lose your funds. We're our own banks per se, so security is important, it's not paranoia as some users call it, there are thousands of malwares and phishing links floating around on the internet, so the safest thing to do is put your coins offline/cold storage. For newbies who can't get a hardware wallet and you have a device you want to convert for cold storage of your coins, follow this instructions if you use electrum for example:

Okay, here's the procedure to create a cold-storage mobile Electrum wallet:

• 1. Install Electrum on both devices, and create a standard wallet on the "cold storage" device, that will be your main wallet that contains all the keys and shouldn't be connected to the internet even once (a newly formatted device/new device is better).
  Make sure that the seed was saved in a physical backup like a piece of paper.
• 2. Click the wallet's name on top of the screen and click "Master Public key" twice to open the QR code.
• 3. On the online phone, create a new wallet using the option "Standard Wallet->Use a master key", then click the camera icon to scan the cold-storage wallet's QR code.
  This will create a watch-only wallet version of your cold-storage wallet.
• 4. Confirm if the address in the receive tab is the same.

Now to use those wallets:

• You just have to create a transaction using the online watch-only wallet using the send tab.
• Fill out the recipient, amount, etc. then, click pay (select if you want to opt-in RBF, yes) and click the QR code icon below.
• In the cold-storage wallet, go to send tab and click the camera icon on the right side and scan the other device's QR code.
• The transaction will be imported to the cold-storage wallet, now click option->sign (enter your pin) and it will be marked as "signed" above.
• Click the QR code icon, then scan this using your online watch-only wallet and the signed transaction will be imported and now you can use options->broadcast button to send it to the network.

If you're not familiar with Electrum's defaut bitcoin denomination, you can change it from mBTC to BTC in the settings->denomination.

[DdmrDdmr]

<…>

It would be interesting to have a largish survey (which discards Bitcointalk, due to low participation in surveys) on just how many people use a separate, more or less isolated and near-to dedicated device to manage their crypto. I don’t really think that is being done by a significant share, not even of Bitcointalk members, whom are likely more prone to being security aware than other population segments.

The propagation of this malware through torrents and the subsequently downloaded installation files is still a major (alleged) calculated risk. People tend to know that pirated software is potentially risky, but saving money on a game or utility often beats best practices, and calculated risks are really not calculated at all, but rather wished for alongside a finger crossing ritual...

[cryptomaniac_xxx]

It changes the game again, this is a multi purpose malware, not just crypto jacking, but it can be a clipboard replacing malware as well and then password stealer. If you are a crypto enthusiast from this countries: Czech Republic and Slovakia you better protect your wallets now. That's why as a precautions we really need to stay away from downloading any torrents for now. Or have a separate device for just your crypto wallets and not used it for other things like browsing just to be on the safe side.

[durilup]

In addition I would recommend to buy a external ssd where you can store there your wallets and also I would recommend to transfer crypto only in offline mode

[Eureka_07]

What is KryptoCibule?
KryptoCibule is a malware, specifically a trojan that evades antiviruses of it's victim's computer.  
Written in C#.
It uses Tor network and bitTorrent protocol extensively in it's communication infastructure.
It spreads through fake ZIP file installers for cracked and pirated games and software.  
It can download additional tools and updates once it runs to it's victim's computer.
This malware doesn't seem to have much attention from cybercurities.
KryptoCibule has low level of threat however due to it's continuous development, threat may arise.  Be careful!

How it attacks?
There are three(3) ways on how KryptoCibule uses it's victim's machine, these are the ff:

• Uses the victim's computer resources to mine coins
• Attempts to hijack transactions by replacing wallet addresses copied on the clipboard
• Steals crypto-related files

This attacks are the reason why they called KryptoCibule as triple threat in regard to cryptocurrency users.
This attacts are done while hiding itself from the radar of antiviruses using different techniques to avoid detection.

How it begins on the victim's machine?
Mostly, from the downloaded fake Zip File installers, these are five that are common to KryptoCibule installer archives:

• packed.001 (the malware)
• packed.002 (the installer)
• Setup.exe
• Setup.dll
• packed.dat

When Setup.exe is executed, it decodes both the malware and the expected installer files.
It then launches the malware – in the background – and the expected installer – front and center – giving the victim no indication that anything is amiss.

Who are the targets?
It mostly targets users from Czech Republic and Slovakia. Also, that is why they derived the name "KryptoCibule" from Czech and Slovak words "crypto" and "onion"
They get almost all of the files containing the malware KryptoCibule from a file sharing site in Czechia and Slovakia called uloz.to.


KryptoCibule Timeline (for much readability & in-text-form)
December 2018
-First known version
-Mines Mnero using XMR-ig
-Proxies communications through Tor
-Collects information about Host hardware, Ip and OS
January 2019
-Sends collected information to C&C in User-Agent
-Uses BitTorrent to download updates and additional software and to seed malicious torrents
-Adds capability to create a reverse shell
February 2019 (version 37)
-Can execute arbitrary commands from C&C
-Adds component that searches for files matching a list of names(keys and related to cryptocurrency)
-Installs BitviseSSH server for remote access to files
April 2020 (version 58)
- Adds clipboard hijackiing component
-CoinMiner is disabled
-Installs Buru SFTP server for remote acces to files
May 2020 (version 64)
-Re-enables CoinMiner
-Adds generic capability to install andget configuration for software
-Install Apache httpd webserver to use as forward proxy
June 2020 (version 70)
-Installs kawponminer to mine ethereum using host GPUs

Sources:
KryptoCibule: The multitasking multicurrency cryptostealer
Researchers are calling this new malware a triple threat for crypto users

All photos are taken from Welivesecurity by ESET
I converted the timeline from this image to text.

Didn't seen you already created a topic for this one, I used the search option to look for KryptoCibule post but find nothing that's why I'd proceed on creating the thread.
Decided to just lock the thread I created and just post it here.
Thanks @DdmrDdmr !

[NotATether]

Crippling this particular malware from working is easy, since it uses BitTorrent, just block BitTorrent port 6969 in your firewall, the port that connects to this thing called a tracker that find you IP addresses to download your files from. Then according to the release history in the post above mine, the malware can't update itself anymore because BitTorrent doesn't work. It also stops it from spreading to other computers, so it helps prevent other people from getting infected to. This doesn't disable KryptoCibule from running though, and obviously this fix will only help you if you never torrent any files.

Long elaboration about how your computer can get infected and destroyed in general follows.

1. We should use antimalware, but this is just for in case purpose, very possible certain malware can be developed to bypass the antimalware. Also updating the antimalware is very important.

In most cases, malware can already evade detection by consumer anti-virus programs.

By default, antiviruses are dumb, which means they can't detect malware until the malware is analyzed at their labs, a signature that identifies them is created by the antivirus company, and then pushed in an update. And a signature is not guaranteed to be made, especially if your AV is made by a niche company, because they have less security developers to analyze it. Think of all AV companies working independently, each one racing to make their own signature for the same malware, as quickly as possible. For legal reasons they can't share their teams and work together, and can't make signatures available to their fellow companies, and as a result of this you have each AV identifying the same malware using different heuristics, some of which are much less reliable than others. So there isn't even a way to positively identify a virus in a consistent manner, which would've convinced more users that the file they are trying to run is indeed malicious, since everyone would be talking about it and all the information about it would be available to every company.

Also, antiviruses only have the capability to quarantine the malware program itself. It can't stop a legitimate and clean program from downloading malicious files (especially in the case of Bittorrent because initially fills the files with empty data before it starts downloading), and it also can't stop a clean program that has been hijacked by a vulnerability from running malicious code, without terminating it and potentially losing your unsaved work. That's not something I'd call protection. What if the hijacked program is a system process like csrss.exe, and an AV terminates or quarantines it? Then the whole system will stop working.

Don't attach too much faith to antivirus updates, Sometimes, AV updates disable your computer entirely by accident with no way to fix it. It happened to Malwarebytes once when they pushed out an update for their AV. These updates are very rare, and are replaced in a matter of minutes, but they are also deadly. But there are more common ways for an antivirus to break your computer, and this applies to all AVs. Just update Windows to a new version and watch in horror as the incompatibilities between a new Windows update and the AV prevent the computer from booting. So then it turns out that, ironically, the antivirus, and not a virus, destroyed your computer.

This happens because Microsoft is not allowed to view the antivirus program's source code, being a trade secret, so they can test it for incompatibilities with Windows updates they make. Except for Windows Defender, because that's also made by Microsoft. Windows Defender is now better than what it used to be

I have been contemplating about writing a topic explaining how bad and ineffective antivirus programs are at stopping malware. They have so many false positives, that (according to bitcoin.org) even blockchain data is flagged as malicious by them. All the above is true for consumer AVs, I have no idea whether security suites designed for enterprises live up to their name or are just as bad as consumer AVs.

4. We should be mindful of pirated files.

I will try to explain this in simple terms. I visited places where pirated files are uploaded called public trackers. These sites get so many users per month, that almost all people who look for pirated stuff visit one of the public trackers. I am talking about The Pirate Bay and KickAssTorrents. Basically the only people who search for "<XYZ program> crack" or "watch <ABC movie> free" on Google are the ones who can't run BitTorrent because their ISP blocks it. And ever since Google removed piracy sites from it's search results back in 2012, a side effect of that is that fake piracy sites with malware on them are higher up in search results (some even buy ad slots on the top page), so the anti-piracy update made it more likely for you to get malware by searching on Google.

When someone wants to pirate some software or movie they go to the page on the public tracker about it, click on the magnet link and then it opens the torrent in their BitTorrent client where it grabs the stuff from other people downloading the same file. It does not fetch a "crack" or installer that downloads the software or movie, like the cracks that you might have seen some shady blogs distributing. It always directly downloads the pirated content. We call this pirated thing "genuine".

Then there are the fake pirated files that you see when you go to a shady blog. The way they look like is they have a homepage full of blog posts about recent software or movies that has been pirated, they have actually been pirated before by someone else but the download links are replaced by tiny Windows executable that install malware.

So pro-tip: I absolutely do not condone piracy, but if you see a Windows program that is really tiny, a few hundred kilobytes or 1 or 2 megabytes large, when you're looking for some pirated stuff to download, don't download it! By conventional rule, all pirated programs are distributed in .RAR files or really large Windows programs. And if you're looking for a movie or TV show, but you get a Windows program instead, that is definitely malware. You are supposed to directly receive the media file.

[Charles-Tim]

Don't attach too much faith to antivirus updates

You are right about this, you really explained this in a clearly. That is why it is very possible some malware would have acted and steal before antimalware companies will even do anything about it. That is why I like recommding the complete avoidance of malware. There are many safety measure we can completely avoid them. For example, it is good for someone not to use his wallet device for downloading any file than the apps he uses to operate his exchange account, wallet, banking and other related sensitive apps.

So pro-tip: I absolutely do not condone piracy, but if you see a Windows program that is really tiny, a few hundred kilobytes or 1 or 2 megabytes large, when you're looking for some pirated stuff to download, don't download it! By conventional rule, all pirated programs are distributed in .RAR files or really large Windows programs. And if you're looking for a movie or TV show, but you get a Windows program instead, that is definitely malware. You are supposed to directly receive the media file.

Truly, all these malware files are usually of small memory, this even aid them to easy become installed on victims devices, but about the issue of removing them before installation, it may be impossible for all/most malware. They are often installed unknowingly. Some malware are easily detected but many can not be detected. I will still recommend the old fashion way to just not use the device you use for wallet for downloading all this files even the legit files.

Although, after some malware are installed, some can still be deleted by experts, or by renaming them which will make them inactive and useless, but not all malware work this way. There are some malware now that are called fileless malware, they are used in a way no memory is used, the malware is still new and maybe under development which could later pose a threat to people.