Users of torrent trackers who download pirated content from the Internet risk losing their personal savings.


Torrent users are forced to pay for content with cryptocurrency

By cnews.ru

Not a free download at all


ESET told CNews that it has discovered a new Trojan called KryptoCibule (the name combines the Czech words for "crypto" and "onion"), which poses a triple threat to cryptocurrency holders. According to ESET, the criminals have already obtained about $1,800 in Bitcoin and Ethereum just by swapping the wallet addresses of their victims.

About 85% of KryptoCibule infections are in the Czech Republic and Slovakia. The victims are users of uloz.to, a file-hosting site popular in both countries.

The malware mines cryptocurrency on the victim's hardware, tries to hijack transactions by replacing wallet addresses in the clipboard, and exfiltrates cryptocurrency-related files, all at the same time. For its communications infrastructure KryptoCibule relies heavily on Tor (onion routing software) and BitTorrent (a peer-to-peer file-sharing protocol).

In response to a CNews request, ESET's press service explained that the malware's configuration file sets up onion services (Tor hidden services) on the infected host, which the operators reach over Tor. The latest KryptoCibule versions use XMRig, an open-source program that mines Monero on the CPU (central processing unit), and kawpowminer, another open-source program that mines Ethereum on the GPU (graphics processing unit).

New KryptoCibule Trojan Combines Torrent, Tor and Cryptocurrency Technologies

The malware checks the battery level of the user's device and stops mining when it drops below 30%. This lowers the chance that the victim notices the drain and that the miner is detected.

Another KryptoCibule component registers for clipboard change notifications with the Windows AddClipboardFormatListener function. Whenever the clipboard holds what looks like a cryptocurrency wallet address, the malware replaces it with an address controlled by the attacker, so a payment the victim pastes in goes to the criminals instead.
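The defensive counterpart of that behaviour is a check, just before a payment is submitted, that the address about to be pasted is the one the user actually copied. The following Python is an added example and not code from the article or from ESET; the address regexes are format checks only (no checksum validation) and the sample addresses are constructed, not real wallets.

```python
import re

# Format checks for the address types this article mentions (Bitcoin, Ethereum,
# Monero). Textual form only, not checksum validation; constructed for this example.
ADDRESS_PATTERNS = {
    "bitcoin": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{39,59})$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "monero": re.compile(r"^[48][1-9A-HJ-NP-Za-km-z]{94}$"),
}


def classify_address(text):
    """Return the coin whose address format `text` matches, or None."""
    text = text.strip()
    for coin, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return coin
    return None


def detect_swap(copied, on_clipboard):
    """Compare what the user copied with what the clipboard now holds.

    A clipper only rewrites content that looks like a wallet address, and it
    substitutes an address of the same coin so the paste still "works".
    Returns a warning string for a suspected substitution, otherwise None.
    """
    copied_kind = classify_address(copied)
    if copied_kind is None:
        return None                      # not something a clipper targets
    if copied.strip() == on_clipboard.strip():
        return None                      # untouched
    now_kind = classify_address(on_clipboard)
    if now_kind == copied_kind:
        return (f"{copied_kind} address replaced on clipboard: "
                f"{copied.strip()} -> {on_clipboard.strip()}")
    return (f"{copied_kind} address altered; clipboard now holds "
            f"{now_kind or 'a non-address value'}")


if __name__ == "__main__":
    # Constructed sample: the user copied one Ethereum address, but the
    # clipboard now holds a different address of the same format.
    user_copied = "0x" + "ab" * 20
    clipboard_now = "0x" + "cd" * 20
    print(detect_swap(user_copied, clipboard_now))
```

In a real deployment the "copied" value comes from the wallet application that placed it on the clipboard, and the comparison runs when the user pastes into the recipient field; a Windows-side monitor can subscribe to clipboard changes with the same AddClipboardFormatListener API the malware uses.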

The next component examines the file system of the infected device, looking for files whose names match a set list of terms: "wallet.dat", "utc--2014", "utc--2015", "utc--2016", "utc--2017", "utc--2018", "utc--2019", "utc--2020", ".address.txt", "electrum", "bitcoin", "litecoin", "ethereum", "cardano", "zcash", "monero", "cripto", "krypto", "binance", "tradeogre", "coinbase", "tether", "daedalus", "stellar", "tezos", "chainlink", "blockchain", "verge", "bittrex", "ontology", "vechain", "doge", "qtum", "augur", "omisego", "digibyte", "seele", "enjin", "steem", "bytecoin", "zilliqa", "zcoin", "miner", "xmrig", "xmr-stak", "electroneum", "heslo", "waves", "banka", "crypto", "hesla", "seed", "metamask", "antminer", "trezor", "ledger", "private", "trx", "exodus", "password", "jaxx", "guarda", "atomic.exe", "copay.exe", "Green Address Wallet.exe", "msigna.exe", "ArmoryQT.exe", ".ssh", ".aws", "Desktop".

Most of these terms relate in one way or another to cryptocurrency, banks, accounts and passwords ("heslo" and "hesla" are Czech for "password" and "passwords", "banka" for "bank"). The list also contains entries that lead the attacker to other valuable files, notably SSH and AWS credentials (.ssh, .aws). Together they let the attacker collect the data needed to take over the victim's funds and accounts.
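A useful way to read that list is to run it against your own machine and see what such a component would collect. The script below is an added example, not ESET's or the malware's code: it walks a directory tree and reports every file whose relative path contains one of the article's terms. Matching against every path component (so that anything under a folder named .ssh or Desktop counts) is an assumption of this example, and the sample tree it builds is constructed.

```python
import os
import shutil
import tempfile

# Filename fragments the article lists for KryptoCibule's file-system search.
KRYPTOCIBULE_TERMS = [
    "wallet.dat", "utc--2014", "utc--2015", "utc--2016", "utc--2017", "utc--2018",
    "utc--2019", "utc--2020", ".address.txt", "electrum", "bitcoin", "litecoin",
    "ethereum", "cardano", "zcash", "monero", "cripto", "krypto", "binance",
    "tradeogre", "coinbase", "tether", "daedalus", "stellar", "tezos", "chainlink",
    "blockchain", "verge", "bittrex", "ontology", "vechain", "doge", "qtum", "augur",
    "omisego", "digibyte", "seele", "enjin", "steem", "bytecoin", "zilliqa", "zcoin",
    "miner", "xmrig", "xmr-stak", "electroneum", "heslo", "waves", "banka", "crypto",
    "hesla", "seed", "metamask", "antminer", "trezor", "ledger", "private", "trx",
    "exodus", "password", "jaxx", "guarda", "atomic.exe", "copay.exe",
    "Green Address Wallet.exe", "msigna.exe", "ArmoryQT.exe", ".ssh", ".aws", "Desktop",
]


def matching_terms(relative_path):
    """Return the terms found in any component of `relative_path`, case-insensitively.

    Checking every path component is an assumption of this example; it makes a
    file inside a folder called .ssh or Desktop count, which the term list implies.
    """
    parts = relative_path.replace("\\", "/").lower().split("/")
    return [term for term in KRYPTOCIBULE_TERMS
            if any(term.lower() in part for part in parts)]


def scan_tree(root):
    """Walk `root` and map each matching file (path relative to root) to its terms."""
    found = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace("\\", "/")
            terms = matching_terms(rel)
            if terms:
                found[rel] = terms
    return found


def build_sample_tree():
    """Constructed sample tree standing in for a victim's home directory."""
    root = tempfile.mkdtemp(prefix="kc-demo-")
    layout = {
        ".ssh/id_ed25519": "-- constructed key material, not a real key --",
        "Electrum/wallets/default_wallet": "{}",
        "docs/passwords.txt": "constructed",
        "docs/recipe.txt": "2 eggs",
    }
    for rel, body in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    try:
        for rel, terms in sorted(scan_tree(root).items()):
            print(f"{rel}: matched {terms}")
    finally:
        shutil.rmtree(root)
```

Run it against a real home directory (scan_tree(os.path.expanduser("~"))) to see which files a component like this would pick up; note how generic terms such as "seed", "private" and "Desktop" sweep in far more than wallet files.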

KryptoCibule installs a legitimate Apache HTTP Server configured as a forward proxy with no access restrictions and exposes it as an onion service on TCP port 9999.

The malware is written in C#. It also bundles legitimate software: Tor and the Transmission torrent client ship with the installer, while other components, including Apache HTTP Server and Buru SFTP Server, are downloaded at runtime.

ESET specialists found several versions of the malware, which let them trace its evolution back to December 2018.

How it all begins

On first launch the malware assigns the host a unique identifier of the form {adjective}-{noun}, built from random words drawn from two hard-coded lists that give over 10 million unique combinations. The identifier is then used to identify the host in communications with the C&C servers (command and control, the centralised machines that send commands to and receive feedback from the computers in the botnet).

In addition to the cryptocurrency-related components, the malware has a remote administration tool. Among the commands it supports are EXEC, which runs arbitrary commands, and SHELL, which loads a PowerShell script (Microsoft's extensible open-source automation tool) from the C&C server. That script then downloads a backdoor generated by the post-exploitation tool Pupy, an open-source cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool written mainly in Python.

KryptoCibule is distributed via torrents as an infected ZIP archive that claims to contain pirated content. Five files are common to all KryptoCibule installer archives, among them packed.001 (the malware) and packed.002 (the installer for the software the victim expected). Both are XOR-encrypted with keys stored in Setup.exe. XOR encryption combines each byte of the payload with a byte of the key; applying the same key again restores the original, so anyone holding Setup.exe can decode both files.

When the victim runs Setup.exe, both the malware and the expected installer are decoded. The malware then starts in the background while the legitimate installer runs as normal, so the victim installs the Trojan without noticing anything amiss.
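An analyst who has the archive but not Setup.exe's key-extraction logic does not need it either: a packed Windows executable starts with a DOS header whose first bytes are nearly always the same, and repeating-key XOR gives up its key to that known plaintext. The Python below is an added example, not code from the article or from ESET. It assumes a repeating key no longer than the known header prefix (the page only says the keys are stored in Setup.exe); the "packed.002" it builds is a constructed stand-in and the key is made up.

```python
import struct

# First 16 bytes of a typical Windows executable's DOS header ("MZ" signature
# followed by fields that nearly every linker fills in the same way). That makes
# them usable as known plaintext against a packed executable.
PE_KNOWN_PREFIX = bytes.fromhex("4d5a90000300000004000000ffff0000")


def xor_bytes(data, key):
    """XOR `data` with a repeating `key`; XOR is its own inverse, so this both packs and unpacks."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def is_pe(data):
    """Structural sanity check: 'MZ' at offset 0 and 'PE\\0\\0' where e_lfanew points."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_key(packed, known_prefix, key_len):
    """Known-plaintext attack on repeating-key XOR: key[i] = packed[i] ^ plain[i]."""
    if key_len > len(known_prefix) or key_len > len(packed):
        raise ValueError("not enough known plaintext for that key length")
    return bytes(packed[i] ^ known_prefix[i] for i in range(key_len))


def unpack_without_key(packed, known_prefix=PE_KNOWN_PREFIX, max_key_len=16):
    """Try key lengths 1..max_key_len; the right one yields a blob that passes is_pe().

    Assumes a repeating key no longer than the known prefix (an assumption of this
    example; the article only says the keys are stored in Setup.exe).
    """
    for key_len in range(1, min(max_key_len, len(known_prefix)) + 1):
        key = recover_key(packed, known_prefix, key_len)
        candidate = xor_bytes(packed, key)
        if is_pe(candidate):
            return key, candidate
    return None, None


def make_fake_pe():
    """Constructed stand-in for packed.002: a DOS header whose e_lfanew points at a PE signature."""
    dos_header = bytearray(PE_KNOWN_PREFIX + bytes(0x40 - len(PE_KNOWN_PREFIX)))
    struct.pack_into("<I", dos_header, 0x3C, 0x40)            # e_lfanew = 0x40
    return bytes(dos_header) + b"PE\x00\x00" + b"\x4c\x01" + b" constructed payload" * 4


if __name__ == "__main__":
    plain = make_fake_pe()
    key = b"\x13\x37\xc0\xde\xba\xad\xf0\x0d"                   # made-up 8-byte key
    packed = xor_bytes(plain, key)
    print("packed passes PE check:", is_pe(packed))            # False
    recovered, unpacked = unpack_without_key(packed)
    print("recovered key:", recovered.hex(), "matches:", recovered == key)
    print("unpacked passes PE check:", is_pe(unpacked))        # True
```

The same trick applies to packed.001 once the installer has been decoded, since both files share the scheme; a longer key than the header prefix would need the DOS stub string ("This program cannot be run in DOS mode") or the key read out of Setup.exe directly.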

Such situations recur from time to time.

ESET's press service notes that this is not the first time malware has reached users' devices bundled with a pirated file downloaded from a torrent tracker; it is a common way of spreading malware. Malware also keeps improving: its capabilities grow and it hides from detection ever better. That is why it is important to make such incidents public, regardless of which country's users were most affected at a given moment.

CNews has already written about the surge in activity of the Mekotio Trojan, aimed at stealing cryptocurrencies.

That malware also stole cryptocurrency from users. Mekotio has typical backdoor functions: taking screenshots, rebooting infected devices, blocking access to legitimate banking websites, and stealing credentials from Google Chrome as well as bitcoins. It uses a C&C server and SQL databases.

Mekotio can also read the user's system settings, information about the Windows version, the firewall configuration and the list of installed antivirus products. With one of its commands, Mekotio even attempts to destroy all files on the victim's device by deleting every file and folder under C:\Windows.
