KryptoCibule: new malware

Researchers have discovered a previously undocumented trojan malware family that spreads through malicious torrents and uses multiple tricks to squeeze as many cryptocoins as possible from its victims while staying under the radar. ESET named the threat KryptoCibule.

This malware is a triple threat in regard to cryptocurrencies. It uses the victim’s resources to mine coins, tries to hijack transactions by replacing wallet addresses in the clipboard and exfiltrates cryptocurrency-related files, all while deploying multiple techniques to avoid detection. KryptoCibule makes extensive use of the Tor network and the BitTorrent protocol in its communication infrastructure.

“The malware, as written, employs some legitimate software. Some, such as Tor and the Transmission torrent client, are bundled with the installer; others are downloaded at runtime, including Apache httpd and the Buru SFTP server,” says Matthieu Faou, ESET Researcher who uncovered the new malware family.

Researchers identified multiple versions of KryptoCibule, enabling them to trace its evolution all the way back to December 2018; it remains active. New capabilities have regularly been added to the malware over its lifetime, and it is under constant development.

Most of the victims were in the Czech Republic and Slovakia, which reflects the user base of the site on which the infected torrents are found. Almost all the malicious torrents were available on uloz.to, a popular file-sharing site in the two countries.

“KryptoCibule has three components that leverage infected hosts in order to obtain cryptocurrencies: cryptomining, clipboard hijacking and file exfiltration,” explains Faou. “Presumably the malware operators were able to earn more money by stealing wallets and mining cryptocurrencies than what we found in the wallets used by the clipboard hijacking component.”

Lemon_Duck targets Linux

The Lemon_Duck cryptomining malware was first spotted in June 2019 by researchers from Trend Micro while it was targeting enterprise networks. At the time, the threat gained access through brute-force attacks on the MS SQL service and by leveraging the EternalBlue exploit.

Upon infecting a device, the malware delivers an XMRig Monero (XMR) miner.

The malware is being distributed via large-scale COVID-19-themed spam campaigns; the messages carry an RTF exploit for CVE-2017-8570, a Microsoft Office RCE vulnerability, to deliver the malicious payload.

The authors of Lemon_Duck have also added a module that exploits SMBGhost (CVE-2020-0796), the Windows SMBv3 client/server RCE vulnerability.

Experts noticed that the threat actors exploited the CVE-2020-0796 flaw to collect information on compromised machines instead of running arbitrary code on the vulnerable systems.

Lemon_Duck includes a port-scanning module that searches for Internet-connected Linux systems listening on TCP port 22 (SSH remote login). When it finds one, it launches an SSH brute-force attack against it, using the username root and a hardcoded list of passwords. If the attack succeeds, the attackers download and execute malicious shellcode.

Lemon_Duck then attempts to gain persistence by adding a cron job, and it collects SSH authentication credentials from the /.ssh/known_hosts file in an attempt to infect more Linux devices across the network.
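As an added illustration (this is not code from the article or from the cited research), the following Python script looks for the brute-force pattern described above in sshd log lines: repeated failed password attempts for root from one source address, followed by a successful root password login from that same source. The log lines, hostnames and IP addresses are constructed samples.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines imitating a root password brute force
# followed by a success, plus unrelated noise from a normal user.
SAMPLE_AUTH_LOG = """\
Sep 01 10:00:01 host sshd[2001]: Failed password for root from 198.51.100.7 port 51000 ssh2
Sep 01 10:00:02 host sshd[2002]: Failed password for root from 198.51.100.7 port 51001 ssh2
Sep 01 10:00:03 host sshd[2003]: Failed password for root from 198.51.100.7 port 51002 ssh2
Sep 01 10:00:04 host sshd[2004]: Failed password for root from 198.51.100.7 port 51003 ssh2
Sep 01 10:00:05 host sshd[2005]: Failed password for root from 198.51.100.7 port 51004 ssh2
Sep 01 10:00:06 host sshd[2006]: Accepted password for root from 198.51.100.7 port 51005 ssh2
Sep 01 10:05:00 host sshd[2010]: Failed password for alice from 203.0.113.9 port 40000 ssh2
Sep 01 10:05:30 host sshd[2011]: Accepted publickey for alice from 203.0.113.9 port 40001 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user bob from ..." style lines.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def analyse_auth_log(text, threshold=5):
    """Return {src_ip: {"failed_root": n, "root_login_after_failures": bool}}
    for every source that reached `threshold` failed root logins.
    root_login_after_failures is True when that source later obtained a
    successful root *password* login, i.e. the brute force probably worked."""
    failed = defaultdict(int)
    success_after = defaultdict(bool)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["user"] != "root":
            continue  # only root is of interest here
        if m["result"] == "Failed":
            failed[m["src"]] += 1
        elif m["method"] == "password" and failed[m["src"]] >= threshold:
            success_after[m["src"]] = True
    return {
        src: {"failed_root": n, "root_login_after_failures": success_after[src]}
        for src, n in failed.items() if n >= threshold
    }


if __name__ == "__main__":
    for src, info in analyse_auth_log(SAMPLE_AUTH_LOG).items():
        print(src, info)
```

Pair this with disabling password logins for root in sshd (PermitRootLogin without-password or no) and with a review of new cron entries on any host where the flag is raised.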

Upon infection, the Lemon_Duck attackers attempt to disable SMBv3 compression through the Windows registry and block the standard SMB network ports 445 and 135 to prevent other threat actors from exploiting the same vulnerability. It is a new form of cryptojacker, and it is getting more sophisticated.