In the wake of reports naming two Kodi add-ons and one repository as the vehicles of an elaborate scheme to spread cryptomining malware, anti-piracy group BREIN last month shut down the XvBMC-NL repository and imposed a fine of 2,500 euros on the Dutch developer behind it.
BREIN had already sent bailiffs to the repository's administrator, known only as "Z", in July, months after the repository had begun delivering coin-mining software to the computers of thousands of unsuspecting users.
In addition to the fine, Z was required to sign an abstention agreement.
Gaia and Bubbles
ESET security researchers traced the malware found on the XvBMC repository back to December of last year, when it first appeared in two popular Kodi add-ons: Bubbles and Gaia, the latter a fork of the former.
ESET's report says the XvBMC repository was merely swept up in the campaign: the malicious code was first added to Bubbles in December 2017 and then to Gaia in January 2018, and spread onward from those two sources.
The malware used a multi-stage architecture and other techniques to disguise the malicious nature of the add-on carrying the cryptominer, and it propagated through the Kodi ecosystem as users updated their add-on libraries.
The miner mined Monero and targeted only users running Kodi on Windows and Linux; users running the media player on macOS or Android were not affected.
How the Malware Spread
ESET identified three routes by which the code that covertly fetched the cryptominer reached victims.
The first: a user added the malicious repository to their Kodi installation and used it to update their add-on library, at which point the malicious add-ons were downloaded and installed.
The second: a user installed a ready-made Kodi build that bundled the malicious repository, which likewise downloaded and installed the malicious add-ons the next time the add-on library was updated.
The third route was less effective, because it involved ready-made Kodi builds that bundled the malicious add-ons without any repository link through which the add-ons could receive further updates.
Even so, ESET found that once the cryptominer itself had been installed, it persisted on the machine and kept receiving its own updates, independently of the add-on that had delivered it.
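The common thread in the three routes is the repository add-on: whatever repository a Kodi profile trusts gets polled on every library update, and a bundled build is just a profile that already trusts one. The script below is an added example, not code from ESET, Team Kodi or the article. It walks a Kodi addons/ directory, parses each addon.xml (the real Kodi layout), lists every add-on that declares itself a repository together with the update URLs Kodi will poll, and flags add-ons whose name or id is on a caller-supplied watch list. The directory tree it builds is constructed for the demo: the names "Bubbles", "Gaia" and "XvBMC-NL" come from the article; every add-on id, version, provider string and URL in it is an assumption.

```python
"""Inventory the add-ons in a Kodi profile and flag repository add-ons.

Added illustration, not code from ESET, Team Kodi or the article. Kodi keeps
each installed add-on under <profile>/addons/<addon-id>/addon.xml. An add-on
that acts as a repository declares <extension point="xbmc.addon.repository">
and lists the <info> URLs Kodi polls for fresh addons.xml listings; those URLs
are the channel through which a later "update add-on library" pulls in
whatever the repository serves. The tree built by build_sample_tree() is
constructed for the demo: the names "Bubbles", "Gaia" and "XvBMC-NL" come
from the article, every id, version, provider string and URL is an assumption.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

REPO_EXTENSION_POINT = "xbmc.addon.repository"


def parse_addon_xml(path):
    """Return id, name, version, provider and (for repositories) update URLs."""
    root = ET.parse(path).getroot()
    if root.tag != "addon":
        raise ValueError(f"{path}: root element is <{root.tag}>, expected <addon>")
    entry = {
        "id": root.get("id", ""),
        "name": root.get("name", ""),
        "version": root.get("version", ""),
        "provider": root.get("provider-name", ""),
        "repo_urls": [],
    }
    for ext in root.findall("extension"):
        if ext.get("point") == REPO_EXTENSION_POINT:
            # iter() covers both the flat <info> layout of older repositories
            # and the <dir><info>...</info></dir> layout used by newer ones.
            entry["repo_urls"] += [i.text.strip() for i in ext.iter("info") if i.text]
    return entry


def inventory(addons_dir, watch_names=(), watch_ids=()):
    """Walk addons_dir; report every add-on, every repository with its update
    URLs, and the add-ons whose name or id is on the caller's watch list."""
    names = {n.lower() for n in watch_names}
    ids = set(watch_ids)
    report = {"addons": [], "repositories": [], "flagged": []}
    for addon_id in sorted(os.listdir(addons_dir)):
        xml_path = os.path.join(addons_dir, addon_id, "addon.xml")
        if not os.path.isfile(xml_path):
            continue  # packages/, temp/ and stray files carry no addon.xml
        entry = parse_addon_xml(xml_path)
        # A directory whose name disagrees with its declared id is worth a look.
        entry["id_mismatch"] = entry["id"] != addon_id
        report["addons"].append(entry)
        if entry["repo_urls"]:
            report["repositories"].append(entry)
        if entry["name"].lower() in names or entry["id"] in ids:
            report["flagged"].append(entry)
    return report


def build_sample_tree():
    """Create a throw-away addons/ directory with constructed addon.xml files."""
    base = tempfile.mkdtemp(prefix="kodi-addons-")
    samples = {
        # Kodi's own repository add-on; the mirror URL is made up for the demo.
        "repository.xbmc.org":
            '<addon id="repository.xbmc.org" name="Kodi Add-on repository" '
            'version="3.0.0" provider-name="Team Kodi">'
            '<extension point="xbmc.addon.repository">'
            '<dir><info compressed="true">http://mirrors.example/addons.xml.gz</info>'
            '<datadir zip="true">http://mirrors.example/</datadir></dir>'
            '</extension></addon>',
        # A third-party repository like the one in the article (id and URL assumed).
        "repository.xvbmc":
            '<addon id="repository.xvbmc" name="XvBMC-NL" version="1.0.0" '
            'provider-name="Z"><extension point="xbmc.addon.repository">'
            '<dir><info>http://xvbmc.example/repo/addons.xml</info>'
            '<datadir zip="true">http://xvbmc.example/repo/</datadir></dir>'
            '</extension></addon>',
        # A video plugin that such a repository might serve (id assumed).
        "plugin.video.gaia":
            '<addon id="plugin.video.gaia" name="Gaia" version="2.0.0" '
            'provider-name="Gaia"><extension point="xbmc.python.pluginsource" '
            'library="addon.py"><provides>video</provides></extension></addon>',
        # An unrelated plugin, present so the watch list has something to ignore.
        "plugin.video.example":
            '<addon id="plugin.video.example" name="Example Plugin" version="0.1.0" '
            'provider-name="Someone"><extension point="xbmc.python.pluginsource" '
            'library="addon.py"><provides>video</provides></extension></addon>',
    }
    for addon_id, body in samples.items():
        os.makedirs(os.path.join(base, addon_id))
        with open(os.path.join(base, addon_id, "addon.xml"), "w", encoding="utf-8") as fh:
            fh.write('<?xml version="1.0" encoding="UTF-8"?>\n' + body)
    return base


def demo_report():
    """Build the constructed tree and inventory it with the article's add-on names."""
    return inventory(build_sample_tree(), watch_names=["Bubbles", "Gaia"])


if __name__ == "__main__":
    report = demo_report()
    print(f"{len(report['addons'])} add-ons installed")
    for repo in report["repositories"]:
        print(f"repository {repo['id']} ({repo['name']}) polls: {', '.join(repo['repo_urls'])}")
    for hit in report["flagged"]:
        print(f"watch-list hit: {hit['id']} {hit['version']} by {hit['provider']}")
```

To run it against a real profile, pass the path of the profile's addons/ directory to inventory() instead of the constructed tree (on Linux typically ~/.kodi/addons, on Windows %APPDATA%\Kodi\addons). Any repository in the output that the user did not knowingly add, or whose update URL points somewhere unexpected, is the thing to remove first, because removing only the add-on leaves the channel that installed it in place. The script reads addon.xml with the standard-library parser, which is fine for files on a machine you control; when the input tree is untrusted, parse with a hardened library instead.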
According to ESET's telemetry, the United States, the United Kingdom, Greece, Israel and the Netherlands were the five countries most affected.
Although, at the time of writing, neither Bubbles nor Gaia is still serving the malware, ESET warns that users who installed it earlier may still be running the miner.
ESET researchers are still examining other repositories and Kodi builds, which they suspect may be distributing the code without their users' knowledge.
How to Get Rid of the Malware
Following the discovery of the malicious add-ons, ESET published a detailed technical analysis along with instructions for checking whether a device has been compromised.
In summary, the check comes down to scanning the machine with an up-to-date antivirus. ESET's detection names for the components are Win64/CoinMiner.MK and Win64/CoinMiner.II on Windows, and Linux/CoinMiner.BC, Linux/CoinMiner.Cu, Linux/CoinMiner.BK and Linux/CoinMiner.BJ on Linux.
ESET customers have little to worry about, as the company says they are protected from these threats automatically.
Kodi Malware Is Very Rare, According to ESET
The attack, though initially serious, has now been largely contained. ESET estimates that 4,774 users were affected, and by tracing the Monero wallet belonging to the authors it found that about $6,700 (5,700 euros) worth of Monero had been mined.
This is the second time Kodi malware has been involved in an attack of this scale; the first large-scale incident involved a malicious add-on known as Exodus, which turned users' machines into a botnet that was later used to carry out a DDoS (Distributed Denial of Service) attack.