
Rewterz Threat Alert – Multitasking multi-currency Cryptostealer KryptoCibule

Severity

High

Analysis Summary

Researchers have uncovered a hitherto undocumented malware family named KryptoCibule. This malware is a triple threat in regard to cryptocurrencies. It uses the victim’s resources to mine coins, tries to hijack transactions by replacing wallet addresses in the clipboard, and exfiltrates cryptocurrency-related files, all while deploying multiple techniques to avoid detection. KryptoCibule makes extensive use of the Tor network and the BitTorrent protocol in its communication infrastructure. The malware, written in C#, also employs some legitimate software. Some, such as Tor and the Transmission torrent client, are bundled with the installer; others are downloaded at runtime, including Apache httpd and the Buru SFTP server.

Figure 1: An overview of the various components and their interactions.

When the malware is first executed, the host is assigned a unique identifier with the format {adjective}-{noun} where {adjective} and {noun} are random words taken from two hardcoded lists which provide over 10 million unique combinations. This identifier is then used to identify the host in communications with the C&C servers.

On top of the crypto-related components, KryptoCibule also has RAT functionality. Among the commands it supports are EXEC, which executes arbitrary commands, and SHELL, which downloads a PowerShell script from the C&C.
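The clipboard hijacking described above leaves a detectable trace on the host: a wallet address the user copied is silently replaced by a different address of the same currency. The following detection heuristic is an added example written for this advisory, not code from Rewterz or from the KryptoCibule analysis; it assumes a monitor that records clipboard changes with a timestamp and whether a user copy action coincided, and the address patterns and sample events are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Address shapes used as heuristics (assumed here, not taken from the advisory):
# legacy/P2SH Bitcoin (base58, prefix 1 or 3), bech32 Bitcoin (bc1...), Ethereum (0x + 40 hex).
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{11,71})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

def classify(text):
    """Return which currency's address shape `text` matches, or None."""
    text = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return name
    return None

@dataclass
class ClipboardEvent:
    ts: float        # seconds since the monitor started
    content: str     # clipboard text after the change
    user_copy: bool  # True when the change coincided with a user copy action

def detect_swaps(events, window=5.0):
    """Flag changes where a wallet address is replaced, without a user copy, by a
    different address of the same currency within `window` seconds: the pattern a
    clipboard hijacker like KryptoCibule produces when it swaps in its own wallet."""
    alerts = []
    prev = None
    for ev in events:
        if prev is not None and not ev.user_copy:
            before, after = classify(prev.content), classify(ev.content)
            if (before is not None and before == after
                    and prev.content.strip() != ev.content.strip()
                    and ev.ts - prev.ts <= window):
                alerts.append({"ts": ev.ts, "currency": after,
                               "copied": prev.content, "replaced_with": ev.content})
        prev = ev
    return alerts

# Constructed clipboard history: the user copies a BTC address and 300 ms later the
# content changes to a different BTC address with no copy action; the rest is benign.
SAMPLE_EVENTS = [
    ClipboardEvent(0.0, "meeting notes", True),
    ClipboardEvent(10.0, "1AbcDefGhJkMnPqRsTuVwXyZ2345678ab", True),
    ClipboardEvent(10.3, "3QwertyUiopAsdfGhjkZxcvBnm23456789", False),
    ClipboardEvent(30.0, "0x" + "deadbeef" * 5, True),
    ClipboardEvent(31.0, "hello", False),
]

if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_EVENTS):
        print("clipboard swap:", alert)
```

Feeding a real clipboard-change log into detect_swaps gives a low-noise alert for this behaviour, since legitimate users rarely see one address turn into another without copying anything.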

Impact

  • Hijacking of transactions
  • Mining cryptocoins 

Indicators of Compromise

MD5

  • 47a12663fce9b7ad2238f768ba482f49
  • 3165d2f5d802226b0dd8d3ccc8336110
  • 734e9529c5ce8e30ec60331966adec76
  • 0dcf2f5fcfb39b0dce64466aa21de86b

SHA-256

  • 5ee586a836049b22a90d5cabf3c2a29a2626ce96c55397bf36cc9024a2e6b430
  • 04f3aa4152f3d9a0a9443c2adce00717a7ca4432bf9ced35aa9135ba8067714d
  • 7f6bf80aa9c35d0451686ff230f1887eea49104f6c3045f49e7c611086ecb22d
  • 2372fd1c07676012cc24beec860ea0f11987095fb1b4857549f7a8868cdea83f


Remediation

  • Block all threat indicators at your respective controls.
  • Search for IOCs in your environment.