
Kodi add-ons launch cryptomining campaign

ESET researchers have discovered several third-party add-ons for the popular open-source media player Kodi being used to distribute Linux and Windows cryptocurrency-mining malware

If you use Kodi, you may have noticed that a popular, Dutch repository for third-party add-ons, XvBMC, was recently shut down upon copyright-infringement warnings. Following the shutdown, we discovered that the repository was – likely unknowingly – part of a malicious cryptomining campaign going back to December 2017. It is the second publicly known case of malware being distributed at scale via Kodi add-ons, and the first publicly known cryptomining campaign launched via the Kodi platform. Interestingly, this campaign pushes Linux- or Windows-specific binaries to Kodi fans on those respective OSes.

For those unfamiliar with the Kodi platform, the popular media player software does not provide any content itself, but users can extend the software’s functionality by installing various add-ons, found both in the official Kodi repository and in numerous third-party repositories. Some third-party add-ons let users access pirated content, stirring controversy around Kodi.

Lately, the copyright-infringing add-ons have also been accused of exposing users to malware, but apart from an incident in which a DDoS module was added to a popular third-party Kodi add-on, no evidence of malware distributed via Kodi add-ons has been presented until now.

The campaign

According to our research, the malware we found in the XvBMC repository was first added to the popular third-party add-on repositories Bubbles and Gaia (a fork of Bubbles), in December 2017 and January 2018, respectively. From these two sources, and through the update routines of unsuspecting owners of other third-party add-on repositories and ready-made Kodi builds, the malware spread further across the Kodi ecosystem.

The malware has a multi-stage architecture and employs measures to ensure that its final payload – the cryptominer – cannot be easily traced back to the malicious add-on. The cryptominer runs on Windows and Linux and mines the cryptocurrency Monero (XMR). We have not seen a version in the wild that targets Android or macOS devices.

Victims of this campaign end up running the illicit cryptominer in one of three ways:

  1. They add the URL of a malicious repository to their Kodi installation so as to download some add-ons. The malicious add-on is then installed whenever they update their Kodi add-ons.
  2. They install a ready-made Kodi build that includes the URL of a malicious repository. The malicious add-on is then installed whenever they update their Kodi add-ons.
  3. They install a ready-made Kodi build that contains a malicious add-on but no link to a repository for updates. They are initially compromised, though receive no further updates to the malicious add-on. However, if the cryptominer is installed, it will persist and receive updates.

The top five countries affected by this threat, according to ESET’s telemetry, are the United States, Israel, Greece, the United Kingdom and the Netherlands, which is not surprising as all these countries are found on the list of “top traffic countries” in recent Unofficial Kodi Addon Community Stats. Other possible explanations for the geographical distributions are country-specific Kodi builds containing the malicious repositories, or malicious repositories with userbases in the countries in question, such as the aforementioned Dutch repository XvBMC.

Figure 1 – Distribution of ESET detections of the cryptominer

As of this writing, the repositories from which the malware first started spreading are either defunct (Bubbles) or no longer serving the malicious code (Gaia), however, unwitting victims who have the cryptominer installed on their devices are likely still affected. On top of that, the malware is still present in other repositories and some ready-made Kodi builds, most likely without the knowledge of their authors.

Figure 2 – Campaign timeline

Technical analysis

How it works

After victims add the malicious repository to their Kodi installation, the malicious repository serves an add-on named script.module.simplejson – a name matching that of a legitimate add-on used by many other add-ons. However, while other repositories only have the script.module.simplejson add-on at version 3.4.0, the malicious repository serves this add-on with version number 3.4.1.

Since Kodi relies on version numbers for update detection, all users with the Auto Update feature enabled (which is a common default setting) will automatically receive script.module.simplejson version 3.4.1 from the malicious repository.

The only part of script.module.simplejson version 3.4.1 that is modified relative to version 3.4.0 is its metadata – the file addon.xml contains an additional <requires> line:

This tells Kodi to download and install an add-on named script.module.python.requests, at version 2.16.0 or above. The script.module.python.requests add-on is served by the malicious repository only. It is a modification of the legitimate add-on script.module.requests, containing additional, malicious Python code.
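The mechanism described above is a "highest version wins" hijack of a shared dependency: the rogue repository only has to out-version the legitimate add-on and append one import. The Python script below is an added example (not code from the original article or from ESET) that compares the addons.xml index a trusted repository publishes against the index served by a candidate repository, and reports add-ons the candidate bumps together with the new <requires> imports the bump introduces, flagging imports that only the candidate repository can satisfy. Both addons.xml documents are constructed samples modelled on the description above; the provider names and the import lists are illustrative, and the version ordering is a simplification of Kodi's own AddonVersion rules.

```python
"""Spot a 'highest version wins' dependency hijack across Kodi repositories.

Kodi repositories publish an addons.xml listing every add-on's addon.xml, and
the client installs whichever repository offers the highest version of a given
add-on id.  This compares a trusted baseline index against a candidate index
and reports add-ons that the candidate bumps, together with any <requires>
imports the bumped version introduces.
"""
import xml.etree.ElementTree as ET

# Constructed sample modelled on a legitimate repository carrying
# script.module.simplejson 3.4.0 (imports and provider names are illustrative).
BASELINE_ADDONS_XML = """
<addons>
  <addon id="script.module.simplejson" name="simplejson" version="3.4.0" provider-name="example">
    <requires>
      <import addon="xbmc.python" version="2.1.0"/>
    </requires>
    <extension point="xbmc.python.module" library="lib"/>
  </addon>
  <addon id="script.module.requests" name="requests" version="2.16.0" provider-name="example">
    <requires>
      <import addon="xbmc.python" version="2.1.0"/>
    </requires>
    <extension point="xbmc.python.module" library="lib"/>
  </addon>
</addons>
"""

# Constructed sample of what a rogue repository serves: the same add-on id one
# patch level higher, pulling in a dependency that only this repository carries.
CANDIDATE_ADDONS_XML = """
<addons>
  <addon id="script.module.simplejson" name="simplejson" version="3.4.1" provider-name="example">
    <requires>
      <import addon="xbmc.python" version="2.1.0"/>
      <import addon="script.module.python.requests" version="2.16.0"/>
    </requires>
    <extension point="xbmc.python.module" library="lib"/>
  </addon>
  <addon id="script.module.python.requests" name="requests" version="2.16.1" provider-name="example">
    <requires>
      <import addon="xbmc.python" version="2.1.0"/>
    </requires>
    <extension point="xbmc.python.module" library="lib"/>
  </addon>
</addons>
"""


def version_key(version):
    """Order versions numerically per dotted component ('3.4.10' > '3.4.9').
    Simplification: Kodi's AddonVersion also understands epochs and ~tags."""
    return tuple(int(part) if part.isdigit() else 0 for part in version.split("."))


def parse_addons(xml_text):
    """Return {addon_id: (version, {required add-on ids})} from an addons.xml."""
    result = {}
    for addon in ET.fromstring(xml_text).findall("addon"):
        imports = {imp.get("addon") for imp in addon.findall("requires/import")}
        result[addon.get("id")] = (addon.get("version"), imports)
    return result


def find_hijacks(baseline_xml, candidate_xml):
    """List add-ons the candidate repository would override on update.

    Each finding is (addon_id, baseline_version, candidate_version,
    new_imports, candidate_only_imports): new_imports are dependencies absent
    from the baseline version of the add-on, and candidate_only_imports are
    those the baseline repository cannot satisfy at all, i.e. a version bump
    smuggling in an add-on that only the candidate repository serves.
    """
    baseline = parse_addons(baseline_xml)
    candidate = parse_addons(candidate_xml)
    findings = []
    for addon_id, (cand_ver, cand_imports) in candidate.items():
        if addon_id not in baseline:
            continue  # not an override of something the user already trusts
        base_ver, base_imports = baseline[addon_id]
        if version_key(cand_ver) > version_key(base_ver):
            new = sorted(cand_imports - base_imports)
            candidate_only = [dep for dep in new if dep not in baseline]
            findings.append((addon_id, base_ver, cand_ver, new, candidate_only))
    return findings


if __name__ == "__main__":
    for addon_id, base, cand, new, only_here in find_hijacks(BASELINE_ADDONS_XML, CANDIDATE_ADDONS_XML):
        print(f"{addon_id}: {base} -> {cand}; new imports {new}; satisfiable only by candidate repo {only_here}")
```

Run against a real repository, the baseline would be the official Kodi repository's addons.xml and the candidate each third-party repository the installation has added; a bump that drags in an add-on id nobody else serves is exactly the pattern this campaign used.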

That Python code downloads, as appropriate, a Windows or Linux binary, and executes it. This executable is a downloader that fetches and executes the final payload, an executable cryptominer. If the installation of the cryptominer is successful, the malicious Python code proceeds to a self-removal phase and deletes itself.

Figure 3 – The malware’s execution model

Python code

In the sample analyzed here, the obfuscated malicious code is located in the file script.module.python.requests\lib\requests\packages\urllib3\connectionpool.py, lines 846-862.

Figure 4. Obfuscated malicious code in connectionpool.py

When deobfuscated and commented, the code becomes much more readable, as seen in Figure 5.

Figure 5. Malicious code after deobfuscation (comments added by the researcher)

It is clear that the code is written by someone with a good knowledge of Kodi and its add-on architecture. The script detects which OS it is running on (only Windows and Linux are supported; Android and macOS are ignored), connects to its C&C server, and downloads and executes an OS-appropriate binary downloader module.

The Windows binary is written to C:\Users\[username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TrustedInstaller.exe (the user's Startup folder, so it is launched at every logon), while the Linux binary is written to /tmp/systems/systemd.

After retrieving and running the binary downloader module, the Python script – here connectionpool.py – runs its self-deletion routine. Looking back at Figure 4, we see that the malicious code is bracketed with the special markers #-+- and #-_-#. The code run after successful execution of the binary downloader opens this Python file, finds these special markers and deletes them, and everything between them. The cleaned Python file is then saved. As a result, the cryptominer installation cannot be easily traced back to this Kodi add-on.

Figure 6. Self-removal in Python code (comments added by the researcher)

Cryptominer executable

The downloader module (64-bit EXE for Windows, 64-bit ELF file for Linux) retrieved by the Python code contains an encrypted cryptominer configuration and download links for the second-stage payload – the actual cryptominer binaries.

The binary downloaders fetch OS-appropriate second-stage payloads (cryptominer binaries for different GPUs and a malicious launcher/updater module) in password-protected ZIP files. These binaries are compiled for both 64-bit Windows and 64-bit Linux and are based on the open-source cryptomining software XMR-Stak.

The configuration for the cryptominer is as follows:

{
  "monero": {
    "default": {
      "wallet": "49WAk6TaCMX3HXN22nWPQAfBjP4J3ReUKg9tu3FoiPugcJs3fsnAvyGdrC41HZ4N6jcHEiwEGvH7z4Sn41PoZtLABFAVjm3",
      "password": "",
      "name": "",
      "email": "",
      "weight": 1,
      "format": {
        "rig": "",
        "address": "%w%.%n%/%e%",
        "password": "%p%"
      }
    },
    "pools": [
      {"host": "xmr-us-east1.nanopool.org:14444"},
      {"host": "xmr-eu1.nanopool.org:14444"},
      {"host": "xmr-asia1.nanopool.org:14444"}
    ]
  }
}

Has my device been compromised? How do I clean it?

If you’re using Kodi on a Windows or Linux device and have installed add-ons from third-party repositories, or a ready-made Kodi build, there’s a chance you’ve been affected by this cryptomining campaign.

To check if your device has been compromised, scan it with a reliable anti-malware solution. ESET products detect and block these threats as Win64/CoinMiner.II and Win64/CoinMiner.MK on Windows and Linux/CoinMiner.BC, Linux/CoinMiner.BJ, Linux/CoinMiner.BK, and Linux/CoinMiner.CU on Linux. On Windows you can use ESET’s Free Online Scanner, and on Linux the free trial of ESET NOD32 Antivirus for Linux Desktop, to check your computer for the presence of these threats and remove anything that is detected. Existing ESET customers are protected automatically.
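Beyond an anti-malware scan, the analysis above gives a handful of host artifacts worth checking directly: the #-+- and #-_-# markers that bracket the dropper code in connectionpool.py, the C&C hosts and the ax.php path, the miner's wallet string, the presence of the script.module.python.requests add-on (which the text says only the malicious repository serves) and the persistence paths the downloader is written to. The following Python script is an added example (not code from the original article or from ESET) that hunts for those artifacts in a Kodi installation. The host list, wallet and paths are taken from this article's analysis and IoC section; the tampered-file sample is constructed and reproduces only the markers and a URL string, not the dropper logic; the default add-on directories (%APPDATA%\Kodi\addons and ~/.kodi/addons) are assumed.

```python
"""Hunt a Kodi installation for artifacts of the add-on cryptomining campaign.

Checks performed:
  1. every .py file under the add-ons directory for the #-+- / #-_-# markers
     bracketing the dropper, the campaign's C&C URLs, and the Monero wallet;
  2. whether the rogue script.module.python.requests add-on is installed;
  3. whether the downloader's persistence artifact exists for this OS.
Indicators are from the article's analysis and IoC list; sample text is constructed.
"""
import os
import platform
import re
from pathlib import Path

MARKER_START, MARKER_END = "#-+-", "#-_-#"
ROGUE_ADDON_ID = "script.module.python.requests"
WALLET = "49WAk6TaCMX3HXN22nWPQAfBjP4J3ReUKg9tu3FoiPugcJs3fsnAvyGdrC41HZ4N6jcHEiwEGvH7z4Sn41PoZtLABFAVjm3"
# C&C hosts from the IoC list, each followed by the ax.php, wib or lib path.
CNC_HOSTS = [
    "openserver.eu", "kodinet.atspace.tv", "kodiupdate.hostkda.com",
    "kodihost.rf.gd", "updatecenter.net", "stearti.atspace.eu",
    "mastercloud.atspace.cc", "globalregistry.atspace.co.uk",
    "meliova.atwebpages.com", "krystry.onlinewebshop.net",
]
CNC_RE = re.compile(r"(?:%s)/(?:ax\.php|wib|lib)\b" % "|".join(re.escape(h) for h in CNC_HOSTS))


def persistence_paths(system):
    """Where the Python stage writes the binary downloader, per the analysis."""
    if system == "Windows":
        appdata = os.environ.get("APPDATA", r"C:\Users\Default\AppData\Roaming")
        return [Path(appdata) / "Microsoft" / "Windows" / "Start Menu"
                / "Programs" / "Startup" / "TrustedInstaller.exe"]
    if system == "Linux":
        return [Path("/tmp/systems/systemd")]
    return []  # the campaign shipped no Android or macOS payload


def scan_text(text):
    """Return the names of the indicators present in one file's contents."""
    hits = []
    if MARKER_START in text and MARKER_END in text:
        hits.append("dropper-markers")
    elif MARKER_START in text or MARKER_END in text:
        hits.append("dropper-marker-partial")
    if CNC_RE.search(text):
        hits.append("cnc-url")
    if WALLET in text:
        hits.append("monero-wallet")
    return hits


def scan_addons_dir(addons_dir):
    """Walk a Kodi add-ons directory; return {relative path: [indicators]}."""
    root = Path(addons_dir)
    findings = {}
    if (root / ROGUE_ADDON_ID).is_dir():
        findings[ROGUE_ADDON_ID] = ["rogue-addon-installed"]
    for py in root.rglob("*.py"):
        try:
            hits = scan_text(py.read_text(encoding="utf-8", errors="replace"))
        except OSError:
            continue
        if hits:
            findings[str(py.relative_to(root))] = hits
    return findings


def check_persistence(system=None):
    """Return the persistence artifacts that exist on this host."""
    return [str(p) for p in persistence_paths(system or platform.system()) if p.exists()]


# Constructed stand-in for the tail of a tampered connectionpool.py: only the
# markers and a C&C string are reproduced, not the dropper itself.
SAMPLE_TAMPERED = """
class HTTPConnectionPool:
    pass
#-+-
u = "http://kodiupdate.hostkda.com/ax.php"
#-_-#
"""

if __name__ == "__main__":
    defaults = {"Windows": Path(os.environ.get("APPDATA", "")) / "Kodi" / "addons",
                "Linux": Path.home() / ".kodi" / "addons"}
    addons = defaults.get(platform.system())
    print("sample scan:", scan_text(SAMPLE_TAMPERED))
    if addons and addons.is_dir():
        for path, hits in scan_addons_dir(addons).items():
            print(path, hits)
    print("persistence artifacts present:", check_persistence())
```

Two caveats follow from the analysis itself: the Python stage strips everything between the markers once the downloader has run, so a clean connectionpool.py does not prove the device was never compromised (the add-on directory and persistence checks cover that case), and /tmp does not survive a reboot on most Linux systems, so absence of /tmp/systems/systemd is not proof either; a running miner is best confirmed with the anti-malware scan above or by looking for the detections listed.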

Conclusion

Although the main add-on repositories that initially seeded this malware into the Kodi ecosystem are now either closed or cleaned, that does not address the many devices that had already run the malicious add-ons. As can be seen in Figure 7, many devices are still mining Monero for the cybercriminals behind this campaign.

Figure 7. Payments received by malware authors

According to the Nanopool statistics for the malware authors' Monero wallet, at least 4,774 victims were affected at the time of writing, and they had generated 62.57 XMR (about 5,700 EUR or 6,700 USD).

Aside from being the second malware, and the first cryptominer, distributed through the popular media player Kodi, this campaign used an interesting compromise technique. By using the scripting functionality of Kodi's add-ons, which works across all the OSes Kodi supports (Android, Linux, macOS and Windows), the cybercriminals behind this campaign could easily target Kodi on Linux and Windows.

Cunning as that was, they could have targeted more platforms. By building native versions of their cryptominer for other OSes, or by providing alternative payloads better suited to them (for example, less power-intensive payloads for battery-powered devices), they could have compromised more of the OSes Kodi supports. As OS security measures continue to tighten, the opportunities afforded by application add-on and scripting functionality, such as those exploited here, seem likely to become more popular with cybercriminals. We saw this in the past, and again more recently, with Visual Basic for Applications (VBA) macros in Microsoft Office. Kodi add-ons might not be “the next VBA”, but the steps taken here may be an indication of things to come.

Indicators of Compromise (IoCs)

Malicious Kodi add-ons

Since the original repositories containing malicious add-ons (Bubbles and Gaia) are already deleted, we are providing example links to mirror repositories that still contain malicious code, and example links to a few randomly chosen, malicious Kodi builds.

It is important to note that the owners of the secondary sources of malicious files, below, are most likely spreading them unknowingly.

Example mirror of Bubbles
github[.]com/yooperman17/trailerpark/blob/master/repository/repository.bubbles.3/repository.bubbles.3-4.2.0[.]zip
github[.]com/yooperman17/trailerpark/blob/master/repository/common/script.module.urllib.3/script.module.urllib.3-1.22.3[.]zip
Example mirror of Gaia
github[.]com/josephlreyes/gaiaorigin/blob/master/common/script.module.python.requests/script.module.python.requests-2.16.1[.]zip
github[.]com/josephlreyes/gaiaorigin/blob/master/common/script.module.simplejson/script.module.simplejson-3.4.1[.]zip
Malicious files previously available on XvBMC repository
github[.]com/XvBMC/repository.xvbmc/tree/b8f5dd59961f2e452d0ff3fca38b26c526c1aecb/Dependencies/script.module[.]simplejson
github[.]com/XvBMC/repository.xvbmc/tree/b8f5dd59961f2e452d0ff3fca38b26c526c1aecb/Dependencies/script.module.python[.]requests
github[.]com/XvBMC/repository.xvbmc/blob/b8f5dd59961f2e452d0ff3fca38b26c526c1aecb/Dependencies/zips/script.module.python.requests/script.module.python.requests-2.16.3[.]zip
github[.]com/XvBMC/repository.xvbmc/blob/b8f5dd59961f2e452d0ff3fca38b26c526c1aecb/Dependencies/zips/script.module.simplejson/script.module.simplejson-3.4.1[.]zip
Sampling of malicious Kodi builds
archive[.]org/download/retrogamesworld7_gmail_Kodi_20180418/kodi[.]zip
archive[.]org/download/DuggzProBuildWithSlyPVRguideV0.3/DuggzProBuildWithSlyPVRguideV0.3[.]zip
ukodi1[.]xyz/ukodi1/builds/Testosterone%20build%2017[.]zip
C&C URLs
openserver[.]eu/ax.php
kodinet.atspace[.]tv/ax.php
kodiupdate.hostkda[.]com/ax.php
kodihost[.]rf.gd/ax.php
updatecenter[.]net/ax.php
stearti.atspace[.]eu/ax.php
mastercloud.atspace[.]cc/ax.php
globalregistry.atspace.co[.]uk/ax.php
meliova.atwebpages[.]com/ax.php
krystry.onlinewebshop[.]net/ax.php
Downloader module (Windows)
openserver[.]eu/wib
kodinet.atspace[.]tv/wib
kodiupdate.hostkda[.]com/wib
kodihost.rf[.]gd/wib
updatecenter[.]net/wib
bitbucket[.]org/kodiserver/plugin.video.youtube/raw/HEAD/resources/lib/wib
gitlab[.]com/kodiupdate/plugin.video.youtube/raw/master/resources/lib/wib
www.dropbox[.]com/s/51fgb0ec9lgmi0u/wib?dl=1&raw=1
Downloader module (Linux)
openserver[.]eu/lib
kodinet.atspace[.]tv/lib
kodiupdate.hostkda[.]com/lib
kodihost.rf[.]gd/lib
updatecenter[.]net/lib
bitbucket[.]org/kodiserver/plugin.video.youtube/raw/HEAD/resources/lib/lib
gitlab[.]com/kodiupdate/plugin.video.youtube/raw/master/resources/lib/lib
www.dropbox[.]com/s/e36u2wxmq1jcjjr/lib?dl=1&raw=1
Cryptominer binaries (Windows)
updatecenter[.]net/wub
openserver[.]eu/wub
glocato.atspace[.]eu/wub
oraceur.hostkda[.]com/wub
dilarti.1free-host[.]com/wub
utudict.vastserve[.]com/wub
encelan.atspace[.]cc/wub
Cryptominer binaries (Linux)
updatecenter[.]net/lub
openserver[.]eu/lub
glocato.atspace[.]eu/lub
oraceur.hostkda[.]com/lub
dilarti.1free-host[.]com/lub
utudict.vastserve[.]com/lub
encelan.atspace[.]cc/lub
Hashes of malicious add-ons
B8FD019D4DAB8B895009B957A7FEBAEFCEBAFDD1
BA50EAA31441D5E2C0224B9A8048DAF4015735E7
717C02A1B040187FF54425A64CB9CC001265C0C6
F187E0B6872B096D67C2E261BE41910DAF057761
4E2F1E9E066D7D21CED9D690EF6119E59CF49176
53E7154C2B68EDBCCF37FB73EEB3E042A1DC7108
FF9E491E8E7831967361EDE1BD26FCF1CD640050
3CC8B10BDD5B98BEA94E97C44FFDFB1746F0C472
389CB81D91D640BA4543E178B13AFE53B0E680B5
6DA595FB63F632EE55F36DE4C6E1EB4A2A833862
9458F3D601D30858BBA1AFE1C281A1A99BF30542
B4894B6E1949088350872BDC9219649D50EE0ACA
79BCC4F2D19A394DD2DB2B601208E1D1EA57565B
AAAEDE03F6C014CEE8EC0D9C0EA4FC7B0E67DB59
C66B5ADF3BDFA87B0731512DD2654F4341EBAE5B
F0196D821381248EB8717F47C70D8C235E83A12E
7CFD561C215DC04B702FE40A199F0B60CA706660

ESET detects the malicious Python code as Python/CoinMiner.W.

Hashes of cryptominers and downloader modules (Windows)
08406EB5A8E75F53CFB53DB6BDA7738C296556D6
2000E2949368621E218529E242A8F00DC8EC91ED
5B1F384227F462240178263E8F2F30D3436F10F5
B001DD66780935FCA865A45AEC97C85F2D22A7E2
C6A4F67D279478C18BE67BEB6856F3D334F4AC42
EE83D96C7F1E3510A0D7D17BBF32D5D82AB54EF3

ESET detects both cryptominer and downloader modules as Win64/CoinMiner.II and/or Win64/CoinMiner.MK. Our telemetry shows more than 100 distinct hashes for the detection names.

Hashes of cryptominers and downloader modules (Linux)
38E6B46F34D82BD23DEACD23F3ADD3BE52F1C0B6
90F39643381E2D8DFFF6BA5AB2358C4FB85F03FC
B9173A2FE1E8398CD978832339BE86445ED342C7
D5E00FB7AEA4E572D6C7C5F8D8570DAB5E1DD156
D717FEC7E7C697D2D25080385CBD5C122584CA7C
DF5433DC7EB272B7B837E8932E4540B216A056D8

ESET detects the Linux versions of the cryptominer and downloader modules as Linux/CoinMiner.BC, Linux/CoinMiner.BJ, Linux/CoinMiner.BK, and Linux/CoinMiner.CU.

41 Comments

  1. “Great post. I was checking constantly this weblog and I am inspired!
    Extremely useful information specially the ultimate section 🙂 I deal with such information a lot.

    I was looking for this particular info for a long time.

    Thanks and best of luck.”

  2. There are certainly a lot of details like that to take into consideration. That is a great point to bring up. I offer the thoughts above as general inspiration but clearly there are questions like the one you bring up where the most important thing will be working in honest good faith. I don’t know if best practices have emerged around things like that, but I am sure that your job is clearly identified as a fair game. Both boys and girls feel the impact of just a moment’s pleasure, for the rest of their lives.

  3. you are truly a just right webmaster. The web site loading velocity is amazing. It sort of feels that you are doing any distinctive trick. Furthermore, The contents are masterwork. you have done a great process on this subject!

  4. Thanks for every other informative web site. Where else may just I am getting that kind of information written in such an ideal way? I’ve a undertaking that I’m simply now running on, and I’ve been at the look out for such info

  5. Attractive section of content. I just stumbled upon your site
    and in accession capital to assert that I get in fact enjoyed account your blog
    posts. Any way I’ll be subscribing to your feeds and even I achievement you access consistently
    quickly.

  6. “Hello There. I found your blog using msn. This is
    an extremely well written article. I’ll make sure to bookmark it and come back to read more of your useful info.
    Thanks for the post. I will certainly return.”

  7. I know this if off topic but I’m looking into starting my own weblog and was wondering what
    all is needed to get set up? I’m assuming having a blog
    like yours would cost a pretty penny? I’m not very internet smart so I’m
    not 100% positive. Any suggestions or advice would be greatly appreciated.
    Appreciate it

  8. I’m so happy to read this. This is the kind of manual that needs to be given and not the accidental misinformation that is at the other blogs. Appreciate your sharing this greatest doc.

  9. you are actually a good webmaster. The website loading velocity is amazing. It seems that you are doing any distinctive trick. In addition, The contents are masterpiece. you’ve done a excellent process on this subject!

  10. I have been surfing online more than 3 hours today, yet I never found any interesting article like yours. It is pretty worth enough for me. In my opinion, if all web owners and bloggers made good content as you did, the internet will be much more useful than ever before

  11. Hiya, I am really glad I have found this info. Nowadays bloggers publish just about gossips and internet and this is actually irritating. A good site with interesting content, this is what I need. Thank you for keeping this web site, I’ll be visiting it. Do you do newsletters? Can not find it

  12. “I’ve learn several just right stuff here. Certainly value bookmarking for revisiting.
    I wonder how so much effort you put to create such a magnificent informative site.”

  13. By now all of us a acquainted with Bakugan battle brawler games and its anime series.
    However, they only last for 24 hours before you must send new
    Facebook requests to add them again. Nevertheless, this set is far better for those
    who already have other sets and not for these who are just starting up
    out.

  14. “This is very interesting, You’re a very skilled blogger.
    I have joined your feed and look forward to seeking more of your fantastic post.
    Also, I’ve shared your web site in my social networks!”

  15. I keep listening to the news update speak about getting free online grant applications so I have been looking around for the best site to get one. Could you advise me please, where could i acquire some?

  16. hello!,I like your writing very much! percentage we be in contact extra about your post on AOL? I require a specialist on this area to solve my problem. Maybe that’s you! Having a look forward to peer you.

  17. I was just looking for this info for a while. After 6 hours of continuous Googleing, finally I got it in your web site. I wonder what’s the lack of Google strategy that do not rank this type of informative websites in top of the list. Generally the top web sites are full of garbage.

  18. We simply want to advise you in which I’m really novice to writing and utterly adored your review. Very likely I am most likely to remember your blog post . You absolutely have great article posts. Appreciate it for giving out with us your internet write-up.

  19. Do you have a spam problem on this blog; I also am a blogger, and I was wanting to know your situation; many of us have created some nice procedures and we are looking to exchange strategies with other folks, be sure to shoot me an email if interested.

  20. It’s a shame you don’t have a donate button! I’d most certainly donate to this excellent blog! I suppose for now i’ll settle for book-marking and adding your RSS feed to my Google account. I look forward to new updates and will talk about this blog with my Facebook group. Talk soon

  21. “Please let me know if you’re looking for a writer for your blog.
    You have some really great articles and I believe I would be a
    good asset. If you ever want to take some of the load off, I’d really like
    to write some articles for your blog in exchange for a link back to mine.”

  22. “This design is spectacular! You most certainly know how to
    keep a reader amused. Between your wit and your videos, I was almost moved to start my own blog (well, almost…HaHa!) Fantastic job.

    I really enjoyed what you had to say, and more than that, how you presented it.
    Too cool!”

  23. I am really grateful to the holder of this web site who has shared this fantastic post at at this time
    “Thank you for the auspicious writeup. It in fact was a amusement account it.
    Look advanced to more added agreeable from you! However, how could we communicate?”

  24. “Hi! I could have sworn I’ve been to this website before but after browsing
    through some of the post I realized it’s new to me. Nonetheless,
    I’m definitely delighted I found it and I’ll be bookmarking and checking back often!”

  25. “After exploring a handful of the blog articles on your site, I honestly
    appreciate your way of writing a blog. I book
    marked it to my bookmark website list and will be checking back soon”

  26. I did a vegan post last week (not sure if you saw it or not, so apologies if you did and saw it)! This is so cute! I had a pi day post planned but thought (duhhh!!) it was tomorrow so it will come tomorrow!x

  27. “First off I want to say awesome blog! I had a quick question that I’d like to
    ask if you don’t mind. I was interested to know how you center yourself and clear
    your head before writing. I’ve had a hard time clearing my
    thoughts in getting my thoughts out. I do take pleasure in writing but it just
    seems like the first 10 to 15 minutes are generally
    lost simply just trying to figure out how to begin. Any recommendations or tips?
    Appreciate it!”

  28. your article is nice and very informative.I dont understand how commenting is helpful for trafic increasing and backlink building but recently my blog got benifit from commenting and now i realise.Thank you very much.

  29. Spot on with this write-up, I truly think this website needs far more attention. I’ll probably be returning to see more, thanks for the information.

  30. I got this website from my pal who told me concerning this website and at the moment this time I am browsing this web site and reading very informative articles at this place.
