KryptoCibule malware uses Tor & Torrent sites to steal your cryptocurrency

The KryptoCibule malware also mines cryptocurrency on targeted devices.
KryptoCibule malware uses Tor & Torrent sites to steal your cryptocurrency

The malware also mines Monero & Ethereum cryptocurrency on targeted devices. 

We’re seeing new variants of malware being deployed every day. just yesterday we covered a skimmer funneling funds through Telegram and today we’re back with a new report by WeLiveSecurity.

Shedding light on a new malware family named KryptoCibule; the researchers report on 3 main tasks that it seeks to perform:

  1. Mining Monero and Ethereum cryptocurrencies using a CPU and GPU respectively
  2. Stealing funds by replacing legitimate wallet addresses with attacker-controlled ones with the help of the clipboard
  3. Steal and extract cryptocurrency-related files

See: Best legal, safe & free online streaming sites – 2020

Alongside this, a remote administration tool (RAT) is also used to maintain access to the victim’s machine in order to control it. Furthermore, both the TOR Network and BitTorrent protocol is used for transmitting data and communication in general. This is yet another example of how legitimate services can be used by attackers for their own nefarious motives.

However, to date, only $1800 were found in the attacker held wallets which makes it look like not so lucrative, at least for the present time being. There may be more nonetheless considering that WeLiveSecurity does not have a full view of all of the stolen amounts.


How the attackers spread the malware is through torrents on ulozto which is a file-sharing site found in Czechia and Slovakia. This is perhaps one reason that the majority of infections were found in both of these countries respectively at 40.58% for the former and 46.95% for the latter.

Elaborating more on this, the researchers wrote in a blog post that:

Victims are also used to seed both the torrents used by the malware and the malicious torrents that help spread it. Infected hosts get a list of magnet URIs from %C&C%/magnets, download them all and keep seeding them. This ensures that these files are widely available for others to download, which helps speed up the downloads and provides redundancy.

To conclude, surprisingly, this is not the first time that this malware has been spotted even though it may seem to be in the spotlight now. According to the researchers, the very first version could be found back in December 2018 which only mined Monero – a great example of how malware evolves over time as shown in the photo below:

For the future, we can expect it to continue developing and even go on to attack users from other countries actively. Therefore, readers are advised to make sure that they do not download files from untrusted sources and also scan every downloaded file to protect against all types of malware.

Did you enjoy reading this article? Do like our page on Facebook and follow us on Twitter.

1 comment

Comments are closed.

Related Posts