However, an unsuspecting victim who has cryptominer installed on his/her device may still be affected. When an ESET researcher writes an essay, the repository that the malware initially started to propagate either has either expired (bubble) or is no longer serving malicious code (Gaia). Other possible explanations for geographic distribution are Kodi versions of specific countries, which contain malicious repositories or malicious repositories with user bases in the relevant countries. However, if cryptominer is installed, it will keep and receive updates.Īccording to ESET’s telemetry data, the five countries most affected by this threat are the United States, Israel, Greece, the United Kingdom, and the Netherlands. Although an initial attack was initiated, no further update requests for malicious add-ons were received. The user installed a ready-made Kodi version that contained a malicious plugin but did not link to the repository for updates. As long as they update the Kodi add-on, they will install a malicious load project.ģ. The user installed the off-the-shelf version of Kodi, which contains the URL of the malicious repository. Then, as soon as they update the Kodi add-on, malicious add-ons are installed.Ģ. The user adds the URL of the malicious repository to their Kodi installation to download some add-ons. The victim of the event eventually runs the malware in one of three ways:ġ. ESET does not currently see versions for Android or macOS devices. Cryptominer runs on Windows and Linux and mines the cryptocurrency monroe. The malware has a multi-level structure and measures to ensure that its final payload (cryptominer) cannot be easily traced back to malicious add-ons. Through these two sources, as well as update routines by unsuspecting users built by other third-party plug-in libraries and off-the-shelf Kodi, malware is further spread in the Kodi system. Recently, copyright infringement add-ons have also been accused of exposing users to malware, but in addition to the addition of the DDoS module to a popular third-party Kodi add-on, there has been no evidence of malware being transmitted through the Kodi add-on.Īccording to the research, the malware discovered by ESET in the XvMBC repository was first added to the popular third-party add-on repository Bubbles and Gaia (a branch of Bubbles) in December 2017 and January 2018, respectively. Some third-party plug-ins allow users to access pirated content, sparking public controversy about Kodi. This activity pushed Linux or Windows specific binaries to Kodi users on these operating systems.įor those who are unfamiliar with the Kodi platform, the popular media player software itself does not provide any content, but users can extend the functionality of the software by installing various plugins that can be found in the official Kodi repository and numerous three-party repository. This is the second public case of large-scale dissemination of malware through the Kodi add-on, and the first public mining activity initiated through the Kodi platform. After the plug-in library was closed, ESET found that it may have become part of the malicious mining activity from December 2017. Kodi recently closed the third-party plug-in library XvBMC for copyright infringement warnings.
0 Comments
Leave a Reply. |