The newly discovered family of Trojan horses did not get the name KryptoCibule by chance. It is derived from the communication protocol Tor, which is an acronym for The Onion Router.
“Because a large part of the victims are from the Czech Republic and Slovakia, a local translation of the word onion was used,” explained Miroslav Dvořák, technical director of the Czech branch of Eset.
As funny as the name of these uninvited computer visitors may sound, they can cause a lot of trouble on an infected machine – they pose a triple threat to users.
“It exploits the victim’s cryptocurrency resources for the benefit of the attacker, attempts to redirect financial transactions by changing the address of the cryptocurrency while copying this text, and also attempts to steal files related to cryptocurrencies, passwords and banks. All this using various techniques that help malicious code to hide from detection. KryptoCibule uses the Tor network and also the BitTorrent protocol in its communication infrastructure,” said Dvořák.
It also abuses legitimate programs
According to him, the malicious code also misuses several legitimate programs. “Its installer is bundled with the Tor installation package and the torrent client, for example,” the security expert explained.
KryptoCibule hides from detection, for example, by not mining cryptocurrency on the infected device if its battery level is below 10 percent. “In addition, it verifies on the victim’s device whether any of the local security companies’ Eset, Avast or AVG solutions are on it. If such a program is found, the component used for the extraction of cryptocurrencies will not be installed in the facility,” Dvořák said.
KryptoCibule spreads primarily through malicious torrents that users download to obtain illegal versions of programs and games. However, it is also possible to come across this malicious code on servers for easy data sharing. For example, Eset security experts captured it on the Uloz.to server.
Torrents and KryptoCibule attacks
Torrent is an Internet protocol that helps in downloading various files. The user who downloads the file also makes it available for download to others who are interested in the file. The victim is thus unknowingly infected with the malicious code KryptoCibule and at the same time spreads it through torrents.
Most victims are in the Czech Republic
The new family of Trojans has attacked most often in the Czech Republic and its eastern neighbor: most of the victims come from the Czech Republic (47%) and Slovakia (41%).
Although security experts have only recently discovered KryptoCibule, this family of Trojans has been used by hackers since at least December 2018. Since then, new features have been added to the malicious code, and the Trojan is still active.
“Users can avoid malicious KryptoCibule code and similar threats by using quality security software as well as by downloading and purchasing computer programs and games only from official sources,” the security expert concluded.
Bitcoins and other virtual currencies
There are many virtual currencies. Among the oldest, and currently the most popular, are the so-called bitcoins. They were created in 2009, but have enjoyed greater popularity in recent years. This currency was designed so that it could not be influenced by any government or central bank.
Cyber coins are “minted” by a network of computers with specialized software programmed to release new coins at a steady but declining pace. The number of coins in circulation is expected to eventually reach 21 million, which should happen around 2140.