Some Kodi Add-ons Contain Malware And Mine Cryptocurrency

A number of add-ons for the media player have apparently been infected by cryptocurrency mining malware that affects Windows and Linux users.

Security researchers at ESET provided details about a recently discovered cryptomining campaign. XvBMC, a repository on the Kodi platform, using third party add’ons Bubbles and Gaia, was to their belief, an unknowing participant in a crytomining campaign that dates back to December of last year. The malware that was found in the repository, when downloaded by a victim, installed a cryptominer on an unsuspecting victim’s device. Its architecture is described as multi-staged and ensures that its payload is difficult to track back to the malicious add on. The cryptominer utilized mines Monero and runs on both the Linux and Windows operating systems. The top five countries affected by this activity were: the United States, Israel, the United Kingdom, and Greece. The repository has since been shutdown. For full technical details we encourage our readers to review ESET’s article.

Indicators of Compromise

• github.com/yooperman17/trailerpark/blob/master/repository/repository.bubbles.3/repository.bubbles.3-4.2.0.zip
• github.com/yooperman17/trailerpark/blob/master/repository/common/script.module.urllib.3/script.module.urllib.3-1.22.3.zip

• github.com/josephlreyes/gaiaorigin/blob/master/common/script.module.python.requests/script.module.python.requests-2.16.1.zip
• github.com/josephlreyes/gaiaorigin/blob/master/common/script.module.simplejson/script.module.simplejson-3.4.1.zip

• github.com/XvBMC/repository.xvbmc/tree/b8f5dd59961f2e452d0ff3fca38b26c526c1aec/Dependencies/script.module.simplejson
• github.com/XvBMC/repository.xvbmc/tree/b8f5dd59961f2e452d0ff3fca38b26c526c1aec/Dependencies/script.module.python.requests
• github.com/XvBMC/repository.xvbmc/blob/b8f5dd59961f2e452d0ff3fca38b26c526c1aec/Dependencies/zips/script.module.python.requests/script.module.python.requests-2.16.3.zip
• github.com/XvBMC/repository.xvbmc/blob/b8f5dd59961f2e452d0ff3fca38b26c526c1aec/Dependencies/zips/script.module.simplejson/script.module.simplejson-3.4.1.zip

• archive.org/download/retrogamesworld7_gmail_Kodi_20180418/kodi.zip
• archive.org/download/DuggzProBuildWithSlyPVRguideV0.3/DuggzProBuildWithSlyPVRguideV0.3.zip
• ukodi1.xyz/ukodi1/builds/Testosterone%20build%2017.zip

• openserver.eu/ax.php
• kodinet.atspace.tv/ax.php
• kodiupdate.hostkda.com/ax.php
• kodihost.rf.gd/ax.php
• updatecenter.net/ax.php
• stearti.atspace.eu/ax.php
• mastercloud.atspace.cc/ax.php
• globalregistry.atspace.co.uk/ax.php
• meliova.atwebpages.com/ax.php
• krystry.onlinewebshop.net/ax.php

• openserver.eu/wib
• kodinet.atspace.tv/wib
• kodiupdate.hostkda.com/wib
• kodihost.rf.gd/wib
• updatecenter.net/wib
• bitbucket.org/kodiserver/plugin.video.youtube/raw/HEAD/resources/lib/wib
• gitlab.com/kodiupdate/plugin.video.youtube/raw/master/resources/lib/wib
• www.dropbox.com/s/51fgb0ec9lgmi0u/wib?dl=1&raw=1

• openserver.eu/lib
• kodinet.atspace.tv/lib
• kodiupdate.hostkda.com/lib
• kodihost.rf.gd/lib
• updatecenter.net/lib
• bitbucket.org/kodiserver/plugin.video.youtube/raw/HEAD/resources/lib/lib
• gitlab.com/kodiupdate/plugin.video.youtube/raw/master/resources/lib/lib
• www.dropbox.com/s/e36u2wxmq1jcjjr/lib?dl=1&raw=1

• updatecenter.net/wub
• openserver.eu/wub
• glocato.atspace.eu/wub
• oraceur.hostkda.com/wub
• dilarti.1free-host.com/wub
• utudict.vastserve.com/wub
• encelan.atspace.cc/wub

• updatecenter.net/lub
• openserver.eu/lub
• glocato.atspace.eu/lub
• oraceur.hostkda.com/lub
• dilarti.1free-host.com/lub
• utudict.vastserve.com/lub
• encelan.atspace.cc/lub

• B8FD019D4DAB8B895009B957A7FEBAEFCEBAFDD1
• BA50EAA31441D5E2C0224B9A8048DAF4015735E7
• 717C02A1B040187FF54425A64CB9CC001265C0C6
• F187E0B6872B096D67C2E261BE41910DAF057761
• 4E2F1E9E066D7D21CED9D690EF6119E59CF49176
• 53E7154C2B68EDBCCF37FB73EEB3E042A1DC7108
• FF9E491E8E7831967361EDE1BD26FCF1CD640050
• 3CC8B10BDD5B98BEA94E97C44FFDFB1746F0C472
• 389CB81D91D640BA4543E178B13AFE53B0E680B5
• 6DA595FB63F632EE55F36DE4C6E1EB4A2A833862
• 9458F3D601D30858BBA1AFE1C281A1A99BF30542
• B4894B6E1949088350872BDC9219649D50EE0ACA
• 79BCC4F2D19A394DD2DB2B601208E1D1EA57565B
• AAAEDE03F6C014CEE8EC0D9C0EA4FC7B0E67DB59
• C66B5ADF3BDFA87B0731512DD2654F4341EBAE5B
• F0196D821381248EB8717F47C70D8C235E83A12E
• 7CFD561C215DC04B702FE40A199F0B60CA706660

• 08406EB5A8E75F53CFB53DB6BDA7738C296556D6
• 2000E2949368621E218529E242A8F00DC8EC91ED
• 5B1F384227F462240178263E8F2F30D3436F10F5
• B001DD66780935FCA865A45AEC97C85F2D22A7E2
• C6A4F67D279478C18BE67BEB6856F3D334F4AC42
• EE83D96C7F1E3510A0D7D17BBF32D5D82AB54EF3

• 38E6B46F34D82BD23DEACD23F3ADD3BE52F1C0B6
• 90F39643381E2D8DFFF6BA5AB2358C4FB85F03FC
• B9173A2FE1E8398CD978832339BE86445ED342C7
• D5E00FB7AEA4E572D6C7C5F8D8570DAB5E1DD156
• D717FEC7E7C697D2D25080385CBD5C122584CA7C
• DF5433DC7EB272B7B837E8932E4540B216A056D8

Duncan

Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.