The cybercrime industry is just as vibrant as ever, as it seems like a week can hardly go by without some update or another. In the latest scare for cryptocurrency owners, tech giant Microsoft recently sent out a warning concerning a new malware strain.
In a tweet posted last month, Microsoft Security Intelligence (MSI) warned crypto users who use its ubiquitous operating system about a new malware could threaten their digital wallets.
A new info-stealing malware we first saw being sold in the cybercriminal underground in June is now actively distributed in the wild. The malware is called Anubis and uses code forked from Loki malware to steal system info, credentials, credit card details, cryptocurrency wallets pic.twitter.com/2Q58gpSIs0
— Microsoft Security Intelligence (@MsftSecIntel) August 26, 2020
The tweet drew attention to Anubis, a new malware strain that Microsoft believes to have been forked from an older software called Loki. Per the tech giant’s tweet, Anubis steals credit card details, digital wallet credentials, and other valuable financial information from users.
Like several other malware variants, Anubis spreads primarily through phony websites. Once it infects a computer, it scours files for any valuable information and sends them over to the hackers via an HTTP POST command.
Microsoft explained that it first came across Anubis in June. The malware shares the same name with a Trojan horse malware spreading across Android devices for months. The company stressed that the new threat is manageable, as it only appears to have propagated through limited, targeted campaigns. However, it also emphasized that users beware of suspicious websites and email links that they receive.
KryptoCibule and Its Multifaceted Operation
While Microsoft is bringing attention to a novel malware strain, researchers have also found an old threat resurfacing. Last week, notable cybersecurity firm ESET revealed that they had seen some activity from KryptoCibule, a crypto-malware that has been around for a while.
ESET’s report explained that it had found the first iteration of KryptoCibule in December 2018. At the time, it operated as a mining utility for privacy-focused asset Monero. KryptoCibule quietly harvested users’ system access and used that to mine the asset, thus sending them to the hacker’s wallets.
Last February, the asset evolved and incorporated a wallet exfiltration method that harvested victims’ entire crypto wallets from their devices. However, the current version launches a multiple-pronged attack on users. In addition to the Monero mining and wallet theft, it has incorporated kawpowminer, an Ethereum miner, into its system. The malware can also replace copy-pasted wallet addresses. This way, it can hijack users’ digital assets directly.
ESET added that victims have been downloading KryptoCibule through torrent files on a platform known as Uloz. Most victims appear to be in Slovakia and the Czech Republic, although the malware doesn’t seem to have gotten many downloads.
“Presumably, the malware operators were able to earn more money by stealing wallets and mining cryptocurrencies than what we found in the wallets used by the clipboard hijacking component. The revenue generated by that component alone does not seem enough to justify the development effort observed.”
With different malware variants prowling about and lying in wait, crypto investors now have to be more careful than ever.