
Rewterz Threat Alert – Multitasking multi-currency Cryptostealer KryptoCibule

September 3, 2020

Severity

High

Analysis Summary

Researchers have uncovered a hitherto undocumented malware family named KryptoCibule. This malware is a triple threat in regard to cryptocurrencies. It uses the victim’s resources to mine coins, tries to hijack transactions by replacing wallet addresses in the clipboard, and exfiltrates cryptocurrency-related files, all while deploying multiple techniques to avoid detection. KryptoCibule makes extensive use of the Tor network and the BitTorrent protocol in its communication infrastructure. The malware, written in C#, also employs some legitimate software. Some, such as Tor and the Transmission torrent client, are bundled with the installer; others are downloaded at runtime, including Apache httpd and the Buru SFTP server.

[Figure 1: An overview of the various components and their interactions.]

When the malware is first executed, the host is assigned a unique identifier with the format {adjective}-{noun} where {adjective} and {noun} are random words taken from two hardcoded lists which provide over 10 million unique combinations. This identifier is then used to identify the host in communications with the C&C servers.

On top of the crypto-related components, KryptoCibule also has RAT functionality. Among the commands it supports are EXEC, which allows execution of arbitrary commands, and SHELL, which downloads a PowerShell script from the C&C.

Impact

  • Hijacking of cryptocurrency transactions
  • Cryptocurrency mining using the victim’s resources

Indicators of Compromise

MD5

  • 47a12663fce9b7ad2238f768ba482f49
  • 3165d2f5d802226b0dd8d3ccc8336110
  • 734e9529c5ce8e30ec60331966adec76
  • 0dcf2f5fcfb39b0dce64466aa21de86b

SHA-256

  • 5ee586a836049b22a90d5cabf3c2a29a2626ce96c55397bf36cc9024a2e6b430
  • 04f3aa4152f3d9a0a9443c2adce00717a7ca4432bf9ced35aa9135ba8067714d
  • 7f6bf80aa9c35d0451686ff230f1887eea49104f6c3045f49e7c611086ecb22d
  • 2372fd1c07676012cc24beec860ea0f11987095fb1b4857549f7a8868cdea83f

SHA-1

  • 0aca38e2ec0deae75511a42713f6bff3a17e82f1
  • 1d88dfaf3bdb3ca1aa570e2c096e897650659c04
  • 5505341e3185e3eadcbe3164eca616a0f86d8b5d
  • 83f9c10d41a32d74fcf0549739487cea90233ee2
  • 181c9fee9834eaee428edfd4048f383bdd6fed2a
  • e2c9750c5143ebd558de6987643e46adc5e56410
  • bee66472876b806fbc0a989b34813c0c06cedcb0
  • 6112aaa0a65b6d90adf7fd16cfd75e04ab81eb9c
  • a2d69583cfb8849c4852865fe43ceea55bd7e065
  • 8edee68b15e2f3c8484f18d34976c3506eaca30d
  • 8cc0c300739e6887358169e6b9939fb83362e17e
  • e61e1a0b6ad4648366554be2ed59cedbc6eee673
  • da402887cbd05cbe123eb6af437efcac2ba70555
  • e55ded5b9984bcb4a5e47cd14456d6e2fd051ce8
  • 88920fe8aacfe9102b00026524353d28d2ccf5e1
  • 341f8f2566b601e6825dc9e00fa3bee490ae4728
  • d9aa64d954a531074af5c167b7066edf989b49d8
  • 49d3fe31b87b14bef61a6029a644da3ddc81ae85
  • b37faec190634dd6774f749a5082f08a22862c73
  • 5a089236dd99e558cb1dca843792a6ba4a686c3a
  • 929e362eb857203155acd9526e6fa60339daa42f
  • 7563610da47ece49216e6d4f75ea3e2fcec4ce3e
  • 05d461259bddb6ad70ceb96a6a81746423eb5db4
  • c7b7b06e83680a0410f66bcccd3a500db466db42
  • 29b0df9e0f1afa5df39b9f3e6c2eda40aa8b1e5f
  • 8e7df84e1b4a23dddaa560739c4c71e7f7a1e4dd
  • 4cbad4710e68a96c954bce30b79f5f06252bcc6a
  • 0702832aa419bad315480370862ed5b9d5bd868f

Remediation

  • Block all threat indicators at your respective controls.
  • Search for IOCs in your environment.
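As an added defender's example (not part of the Rewterz advisory), the following Python script performs the IOC search from the remediation list: it walks a directory, hashes every file with MD5, SHA-1 and SHA-256, and reports any file whose digest appears in the indicator lists published above. The function names, the directory argument and the sample file in the test are assumptions for this example.

```python
import hashlib
import os

# Hashes copied from the indicator lists in the advisory above, grouped by algorithm.
KRYPTOCIBULE_IOCS = {
    "md5": {
        "47a12663fce9b7ad2238f768ba482f49", "3165d2f5d802226b0dd8d3ccc8336110",
        "734e9529c5ce8e30ec60331966adec76", "0dcf2f5fcfb39b0dce64466aa21de86b",
    },
    "sha1": {
        "0aca38e2ec0deae75511a42713f6bff3a17e82f1", "1d88dfaf3bdb3ca1aa570e2c096e897650659c04",
        "5505341e3185e3eadcbe3164eca616a0f86d8b5d", "83f9c10d41a32d74fcf0549739487cea90233ee2",
        "181c9fee9834eaee428edfd4048f383bdd6fed2a", "e2c9750c5143ebd558de6987643e46adc5e56410",
        "bee66472876b806fbc0a989b34813c0c06cedcb0", "6112aaa0a65b6d90adf7fd16cfd75e04ab81eb9c",
        "a2d69583cfb8849c4852865fe43ceea55bd7e065", "8edee68b15e2f3c8484f18d34976c3506eaca30d",
        "8cc0c300739e6887358169e6b9939fb83362e17e", "e61e1a0b6ad4648366554be2ed59cedbc6eee673",
        "da402887cbd05cbe123eb6af437efcac2ba70555", "e55ded5b9984bcb4a5e47cd14456d6e2fd051ce8",
        "88920fe8aacfe9102b00026524353d28d2ccf5e1", "341f8f2566b601e6825dc9e00fa3bee490ae4728",
        "d9aa64d954a531074af5c167b7066edf989b49d8", "49d3fe31b87b14bef61a6029a644da3ddc81ae85",
        "b37faec190634dd6774f749a5082f08a22862c73", "5a089236dd99e558cb1dca843792a6ba4a686c3a",
        "929e362eb857203155acd9526e6fa60339daa42f", "7563610da47ece49216e6d4f75ea3e2fcec4ce3e",
        "05d461259bddb6ad70ceb96a6a81746423eb5db4", "c7b7b06e83680a0410f66bcccd3a500db466db42",
        "29b0df9e0f1afa5df39b9f3e6c2eda40aa8b1e5f", "8e7df84e1b4a23dddaa560739c4c71e7f7a1e4dd",
        "4cbad4710e68a96c954bce30b79f5f06252bcc6a", "0702832aa419bad315480370862ed5b9d5bd868f",
    },
    "sha256": {
        "5ee586a836049b22a90d5cabf3c2a29a2626ce96c55397bf36cc9024a2e6b430",
        "04f3aa4152f3d9a0a9443c2adce00717a7ca4432bf9ced35aa9135ba8067714d",
        "7f6bf80aa9c35d0451686ff230f1887eea49104f6c3045f49e7c611086ecb22d",
        "2372fd1c07676012cc24beec860ea0f11987095fb1b4857549f7a8868cdea83f",
    },
}


def hash_file(path, algorithms=("md5", "sha1", "sha256"), chunk_size=1 << 20):
    """Return {algorithm: hex digest} for one file, reading it once in chunks."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for hasher in hashers.values():
                hasher.update(chunk)
    return {name: hasher.hexdigest() for name, hasher in hashers.items()}


def sweep(root, iocs=KRYPTOCIBULE_IOCS):
    """Walk `root` and return [(path, algorithm, digest)] for every file whose
    digest under any algorithm appears in `iocs`. Unreadable files are skipped
    rather than aborting the sweep, which matters on a live host."""
    # Normalise the indicator sets once so case differences in a feed cannot hide a hit.
    wanted = {algo: {h.lower() for h in hashes} for algo, hashes in iocs.items()}
    matches = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                digests = hash_file(path, algorithms=tuple(wanted))
            except OSError:
                continue  # locked, permission-denied or vanished file
            for algo, digest in digests.items():
                if digest in wanted[algo]:
                    matches.append((path, algo, digest))
    return matches


if __name__ == "__main__":
    import sys

    # Assumed usage: python ioc_sweep.py <directory>; defaults to the current directory.
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    hits = sweep(target)
    for path, algo, digest in hits:
        print(f"MATCH {algo} {digest} {path}")
    print(f"{len(hits)} indicator match(es) under {target}")
```

A hit on any one algorithm is enough to flag a file, so the sweep does not require all three digests to be present in the feed; the advisory's lists are deliberately unequal in length. Hashing reads each file once and feeds all hashers from the same chunk, which keeps a sweep over large user profiles or download directories to a single pass of disk I/O.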