ESET researchers have discovered several third-party add-ons for the popular open-source media player Kodi being used to distribute Linux and Windows cryptocurrency-mining malware
If you use Kodi, you may have noticed that a popular, Dutch repository for third-party add-ons, XvBMC, was recently shut down upon copyright-infringement warnings. Following the shutdown, we discovered that the repository was – likely unknowingly – part of a malicious cryptomining campaign going back to December 2017. It is the second publicly known case of malware being distributed at scale via Kodi add-ons, and the first publicly known cryptomining campaign launched via the Kodi platform. Interestingly, this campaign pushes Linux- or Windows-specific binaries to Kodi fans on those respective OSes.
For those unfamiliar with the Kodi platform, the popular media player software does not provide any content itself, but users can extend the software’s functionality by installing various add-ons, found both in the official Kodi repository and in numerous third-party repositories. Some third-party add-ons let users access pirated content, stirring controversy around Kodi.
Lately, the copyright-infringing add-ons have also been accused of exposing users to malware, but apart from an incident in which a DDoS module was added to a popular third-party Kodi add-on, no evidence of malware distributed via Kodi add-ons has been presented until now.
According to our research, the malware we found in the XvMBC repository was first added to the popular third-party add-on repositories Bubbles and Gaia (a fork of Bubbles), in December 2017 and January 2018, respectively. From these two sources, and through update routines of unsuspecting owners of other third-party add-on repositories and ready-made Kodi builds, the malware spread further across the Kodi ecosystem.
The malware has a multi-stage architecture and employs measures to ensure that its final payload – the cryptominer – cannot be easily traced back to the malicious add-on. The cryptominer runs on Windows and Linux and mines the cryptocurrency Monero (XMR). We have not seen a version in the wild that targets Android or macOS devices.
Victims of this campaign end up running the illicit cryptominer in one of three ways:
- They add the URL of a malicious repository to their Kodi installation so as to download some add-ons. The malicious add-on is then installed whenever they update their Kodi add-ons.
- They install a ready-made Kodi build that includes the URL of a malicious repository. The malicious add-on is then installed whenever they update their Kodi add-ons.
- They install a ready-made Kodi build that contains a malicious add-on but no link to a repository for updates. They are initially compromised, though receive no further updates to the malicious add-on. However, if the cryptominer is installed, it will persist and receive updates.
The top five countries affected by this threat, according to ESET’s telemetry, are the United States, Israel, Greece, the United Kingdom and the Netherlands, which is not surprising as all these countries are found on the list of “top traffic countries” in recent Unofficial Kodi Addon Community Stats. Other possible explanations for the geographical distributions are country-specific Kodi builds containing the malicious repositories, or malicious repositories with userbases in the countries in question, such as the aforementioned Dutch repository XvBMC.
As of this writing, the repositories from which the malware first started spreading are either defunct (Bubbles) or no longer serving the malicious code (Gaia), however, unwitting victims who have the cryptominer installed on their devices are likely still affected. On top of that, the malware is still present in other repositories and some ready-made Kodi builds, most likely without the knowledge of their authors.
How it works
After victims add the malicious repository to their Kodi installation, the malicious repository serves an add-on named script.module.simplejson – a name matching that of a legitimate add-on used by many other add-ons. However, while other repositories only have the script.module.simplejson add-on at version 3.4.0, the malicious repository serves this add-on with version number 3.4.1.
Since Kodi relies on version numbers for update detection, all users with the Auto Update feature enabled (which is a common default setting) will automatically receive script.module.simplejson version 3.4.1 from the malicious repository.
The only part of script.module.simplejson version 3.4.1 that is modified relative to version 3.4.0 is its metadata – the file addon.xml contains an additional <requires> line:
This tells Kodi to download and install an add-on named script.module.python.requests, at version 2.16.0 or above. The script.module.python.requests add-on is served by the malicious repository only. It is a modification of the legitimate add-on script.module.requests, containing additional, malicious Python code.
That Python code downloads, as appropriate, a Windows or Linux binary, and executes it. This executable is a downloader that fetches and executes the final payload, an executable cryptominer. If the installation of the cryptominer is successful, the malicious Python code proceeds to a self-removal phase and deletes itself.
In the sample analyzed here, the obfuscated malicious code is located in the file script.module.python.requestslibrequestspackagesurllib3connectionpool.py, lines 846-862.
When deobfuscated and commented, the code becomes much more readable, as seen in Figure 5.
It is clear that the code is written by someone with a good knowledge of Kodi and its add-on architecture. The script detects which OS it is running on (only Windows and Linux are supported; Android and macOS are ignored), connects to its C&C server, and downloads and executes an OS-appropriate binary downloader module.
The Windows binary is written to
C:Users[username]AppDataRoamingMicrosoftWindowsStart MenuProgramsStartupTrustedInstaller.exe, while the Linux binary is written to /tmp/systems/systemd
After retrieving and running the binary downloader module, the Python script – here connectionpool.py – runs its self-deletion routine. Looking back at Figure 4, we see that the malicious code is bracketed with the special markers #-+- and #-_-#. The code run after successful execution of the binary downloader opens this Python file, finds these special markers and deletes them, and everything between them. The cleaned Python file is then saved. As a result, the cryptominer installation cannot be easily traced back to this Kodi add-on.
The downloader module (64-bit EXE for Windows, 64-bit ELF file for Linux) retrieved by the Python code contains an encrypted cryptominer configuration and download links for the second-stage payload – the actual cryptominer binaries.
The binary downloaders fetch OS-appropriate second-stage payloads (cryptominer binaries for different GPUs and a malicious launcher/updater module) in password-protected ZIP files. These binaries are compiled for both 64-bit Windows and 64-bit Linux and are based on the open-source cryptomining software XMRStak.
The configuration for the cryptominer is as follows:
Has my device been compromised? How do I clean it?
If you’re using Kodi on a Windows or Linux device and have installed add-ons from third-party repositories, or a ready-made Kodi build, there’s a chance you’ve been affected by this cryptomining campaign.
To check if your device has been compromised, scan it with a reliable anti-malware solution. ESET products detect and block these threats as Win64/CoinMiner.II and Win64/CoinMiner.MK on Windows and Linux/CoinMiner.BC, Linux/CoinMiner.BJ, Linux/CoinMiner.BK, and Linux/CoinMiner.CU on Linux. On Windows you can use ESET’s Free Online Scanner, and on Linux the free trial of ESET NOD32 Antivirus for Linux Desktop, to check your computer for the presence of these threats and remove anything that is detected. Existing ESET customers are protected automatically.
Although the main add-on repositories that initially seeded this malware into the Kodi ecosystem are now either closed or cleaned, that does not address the many devices that had already run the malicious add-ons. As can be seen in Figure 7, many devices are still mining Monero for the cybercriminals behind this campaign.
According to these statistics of the malware authors’ Monero wallet, provided by Nanopool, a minimum of 4774 victims are affected by the malware at the time of writing, and have generated 62,57 XMR (about 5700 EUR or 6700 USD) as of this writing.
Aside from being the second malware, and first cryptominer, distributed though the popular media player Kodi, this malware campaign employed an interesting compromise technique. By utilizing the complex scripting functionality of Kodi’s add-ons, which works across the OSes Kodi supports – Android, Linux, macOS and Windows – the cybercriminals behind this campaign easily targeted Kodi on Linux and Windows.
Cunning as that was though, they may have been able to target devices on more OSes. By building native versions of their cryptominer for those OSes, or providing alternative payloads more suited to the platform (for example, less power-intensive payloads for battery-powered devices), they could have compromised more of the OSes that Kodi supports. As OS security measures continue to tighten, opportunities afforded by application add-on and scripting functionalities, such as those that were exploited here, seem likely to become more popular targets with cybercriminals. We have seen this in the past, and then recycled more recently, with Visual Basic macros in Microsoft Office applications. Kodi add-ons might not be “the next VBA”, but the steps taken here may be an indication of things to come.
Indicators of Compromise (IoCs)
Malicious Kodi add-ons
Since the original repositories containing malicious add-ons (Bubbles and Gaia) are already deleted, we are providing example links to mirror repositories that still contain malicious code, and example links to a few randomly chosen, malicious Kodi builds.
It is important to note that the owners of the secondary sources of malicious files, below, are most likely spreading them unknowingly.
|Example mirror of Bubbles|
|Example mirror of Gaia|
|Malicious files previously available on XvBMC repository|
|Sampling of malicious Kodi builds|
|Downloader module (Windows)|
|Downloader module (Linux)|
|Cryptominer binaries (Windows)|
|Cryptominer binaries (Linux)|
|Hashes of malicious add-ons|
ESET detects the malicious Python code as Python/CoinMiner.W.
|Hashes of cryptominers and downloader modules (Windows)|
ESET detects both cryptominer and downloader modules as Win64/CoinMiner.II and/or Win64/CoinMiner.MK. Our telemetry shows more than 100 distinct hashes for the detection names.
|Hashes of cryptominers and downloader modules (Linux)|
ESET detects Linux version of the cryptominer and downloader modules as Linux/CoinMiner.BC, Linux/CoinMiner.BJ, Linux/CoinMiner.BK, and Linux/CoinMiner.CU.
“Great post. I was checking constantly this weblog and I am inspired!
Extremely useful information specially the ultimate section 🙂 I deal with such information a lot.
I was looking for this particular info for a long time.
Thanks and best of luck.”
There are certainly a lot of details like that to take into consideration. That is a great point to bring up. I offer the thoughts above as general inspiration but clearly there are questions like the one you bring up where the most important thing will be working in honest good faith. I don?t know if best practices have emerged around things like that, but I am sure that your job is clearly identified as a fair game. Both boys and girls feel the impact of just a moment’s pleasure, for the rest of their lives.
you are truly a just right webmaster. The web site loading velocity is amazing. It sort of feels that you are doing any distinctive trick. Furthermore, The contents are masterwork. you have done a great process on this subject!
Fine way of describing, and pleasant piece of writing to get information concerning my presentation subject
Thanks for every other informative web site. Where else may just I am getting that kind of information written in such an ideal way? I’ve a undertaking that I’m simply now running on, and I’ve been at the look out for such info
I really appreciate this post. I have been looking all over for this! Thank goodness I found it on Bing. You have made my day! Thx again!
Attractive section of content. I just stumbled upon your site
and in accession capital to assert that I get in fact enjoyed account your blog
posts. Any way I’ll be subscribing to your feeds and even I achievement you access consistently
“Hello There. I found your blog using msn. This is
an extremely well written article. I’ll make sure to bookmark it and come back to read more of your useful info.
Thanks for the post. I will certainly return.”
I really appreciate this post. I¡¦ve been looking all over for this! Thank goodness I found it on Bing. You have made my day! Thank you again
I know this if off topic but I’m looking into starting my own weblog and was wondering what
all is needed to get set up? I’m assuming having a blog
like yours would cost a pretty penny? I’m not very internet smart so I’m
not 100% positive. Any suggestions or advice would be greatly appreciated.
I’m so happy to read this. This is the kind of manual that needs to be given and not the accidental misinformation that is at the other blogs. Appreciate your sharing this greatest doc.
you are actually a good webmaster. The website loading velocity is amazing. It seems that you are doing any distinctive trick. In addition, The contents are masterpiece. you’ve done a excellent process on this subject!
I have been surfing online more than 3 hours today, yet I never found any interesting article like yours. It is pretty worth enough for me. In my opinion, if all web owners and bloggers made good content as you did, the internet will be much more useful than ever before
Hiya, I am really glad I have found this info. Nowadays bloggers publish just about gossips and internet and this is actually irritating. A good site with interesting content, this is what I need. Thank you for keeping this web site, I’ll be visiting it. Do you do newsletters? Can not find it
“I’ve learn several just right stuff here. Certainly value bookmarking for revisiting.
I wonder how so much effort you put to create such a magnificent informative site.”
By now all of us a acquainted with Bakugan battle brawler games and its anime series.
However, they only last for 24 hours before you must send new
Facebook requests to add them again. Nevertheless, this set is far better for those
who already have other sets and not for these who are just starting up
“Great information. Lucky me I discovered your site by accident (stumbleupon).
I have saved it for later!”
“I visited multiple sites however the audio quality for audio songs present at
this website is really fabulous.”
“This is very interesting, You’re a very skilled blogger.
I have joined your feed and look forward to seeking more of your fantastic post.
Also, I’ve shared your web site in my social networks!”
I keep listening to the news update speak about getting free online grant applications so I have been looking around for the best site to get one. Could you advise me please, where could i acquire some?
“These are actually wonderful ideas in regarding blogging.
You have touched some fastidious factors here. Any way keep up wrinting.”
hello!,I like your writing very much! percentage we be in contact extra about your post on AOL? I require a specialist on this area to solve my problem. Maybe that’s you! Having a look forward to peer you.
I wanted to thank you for this fantastic read!! I definitely enjoyed every bit of it. I’ve got you bookmarked to look at new stuff you
I was just looking for this info for a while. After 6 hours of continuous Googleing, finally I got it in your web site. I wonder what’s the lack of Google strategy that do not rank this type of informative websites in top of the list. Generally the top web sites are full of garbage.
We simply want to advise you in which I’m really novice to writing and utterly adored your review. Very likely I am most likely to remember your blog post . You absolutely have great article posts. Appreciate it for giving out with us your internet write-up.
Helpful information. Lucky me I discovered your website by accident, and I’m stunned why this accident didn’t happened in advance I bookmarked it.
Great beat ! I wish to apprentice while you amend your site, how can i subscribe for a blog website? The account helped me a acceptable deal.
I love what you guys are usually up too. This sort of clever work and reporting! Keep up the excellent works guys I’ve added you guys to my personal blogroll.
Do you have a spam problem on this blog; I also am a blogger, and I was wanting to know your situation; many of us have created some nice procedures and we are looking to exchange strategies with other folks, be sure to shoot me an email if interested.
This is a topic that is close to my heart… Take care!
Exactly where are your contact details though?
It’s a shame you don’t have a donate button! I’d most certainly donate to this excellent blog! I suppose for now i’ll settle for book-marking and adding your RSS feed to my Google account. I look forward to new updates and will talk about this blog with my Facebook group. Talk soon
“Please let me know if you’re looking for a writer for your blog.
You have some really great articles and I believe I would be a
good asset. If you ever want to take some of the load off, I’d really like
to write some articles for your blog in exchange for a link back to mine.”
“This design is spectacular! You most certainly know how to
keep a reader amused. Between your wit and your videos, I was almost moved to start my own blog (well, almost…HaHa!) Fantastic job.
I really enjoyed what you had to say, and more than that, how you presented it.
I am really grateful to the holder of this web site who has shared this fantastic post at at this time
“Thank you for the auspicious writeup. It in fact was a amusement account it.
Look advanced to more added agreeable from you! However, how could we communicate?”
“Hi! I could have sworn I’ve been to this website before but after browsing
through some of the post I realized it’s new to me. Nonetheless,
I’m definitely delighted I found it and I’ll be bookmarking and checking back often!”
“After exploring a handful of the blog articles on your site, I honestly
appreciate your way of writing a blog. I book
marked it to my bookmark website list and will be checking back soon”
I did a vegan post last week (not sure if you saw it or not, so apologies if you did and saw it)! This is so cute! I had a pi day post planned but thought (duhhh!!) it was tomorrow so it will come tomorrow!x
“First off I want to say awesome blog! I had a quick question that I’d like to
ask if you don’t mind. I was interested to know how you center yourself and clear
your head before writing. I’ve had a hard time clearing my
thoughts in getting my thoughts out. I do take pleasure in writing but it just
seems like the first 10 to 15 minutes are generally
lost simply just trying to figure out how to begin. Any recommendations or tips?
your article is nice and very informative.I dont understand how commenting is helpful for trafic increasing and backlink building but recently my blog got benifit from commenting and now i realise.Thank you very much.
Spot on with this write-up, I truly think this website needs far more attention. I’ll probably be returning to see more, thanks for the information.
I got this website from my pal who told me concerning this website and at the moment this time I am browsing this web site and reading very informative articles at this place.