Pierluigi Paganini September 26, 2018

Security experts have spotted a Monero cryptomining campaign that abused Kodi add-ons to deliver miner that target both Linux and Windows systems.

Crooks are abusing Kodi Media Player to distribute malware, researchers from ESET recently spotted a cryptomining campaign that compromised about over 5,000 computers.

Kodi users can add new functionality by installing add-ons that are available on the official Kodi repository and in several third-party stores

An attacker can deliver malicious code by compromising the add-ons that are automatically updated by the Kodi media player.

According to ESET researchers, attackers can target Kodi to spread malware using three different mechanisms:

1. They add the URL of a malicious repository to their Kodi installation so as to download some add-ons. The malicious add-on is then installed whenever they update their Kodi add-ons.
2. They install a ready-made Kodi build that includes the URL of a malicious repository. The malicious add-on is then installed whenever they update their Kodi add-ons.
3. They install a ready-made Kodi build that contains a malicious add-on but no link to a repository for updates. They are initially compromised, though receive no further updates to the malicious add-on. However, if the cryptominer is installed, it will persist and receive updates.

The malicious code distributed in this campaign is able to compromise both Windows and Linux platforms. It is a multi-stage malware that implements measures to make it hard for analysts to trace the malicious code back to the add-on.

Attackers added the malicious add-on to the XvMBC, Bubbles, and Gaia repositories.

Most of the infections were observed in the United States, Israel, Greece, the United Kingdom, and the Netherlands.

“After victims add the malicious repository to their Kodi installation, the malicious repository serves an add-on named script.module.simplejson – a name matching that of a legitimate add-on used by many other add-ons.  However, while other repositories only have the script.module.simplejson add-on at version 3.4.0, the malicious repository serves this add-on with version number 3.4.1.” continues the repository.

“Since Kodi relies on version numbers for update detection, all users with the Auto Update feature enabled (which is a common default setting) will automatically receive script.module.simplejson version 3.4.1 from the malicious repository.”

Although the main repositories used in this campaign are now either closed or cleaned, many devices are still running the malicious add-ons to mine Monero.

Researchers from ESET, revealed that crooks behind the campaign have already mined about $6,700 worth of Monero.

“According to these statistics of the malware authors’ Monero wallet, provided by Nanopool, a minimum of 4774 victims are affected by the malware at the time of writing, and have generated 62,57 XMR (about 5700 EUR or 6700 USD) as of this writing.” concludes the report.

Further details, including the IoCs, are available in the report.

Pierluigi Paganini

(Security Affairs – Kodi, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]