The Kodi media player has emerged as a malware distribution platform for cybercriminals, recently becoming the target for a cryptomining campaign that compromised about 5,000 machines before being thwarted. Those victims are still at risk, researchers warned.

Kodi is free and open-source, and can be used to play videos, music, podcasts and other digital media files from local and network storage media and the internet/streaming sources. Users also can extend the software’s functionality by installing add-ons, found both in the official Kodi repository and in various third-party repositories. By targeting the various add-ons and relying on Kodi’s auto-update feature, it’s possible to stealthily spread bad code throughout the ecosystem.

Researchers from ESET said that malware can spread through Kodi in three different ways. They could add the URL of a malicious repository to their Kodi installation, which would download add-ons whenever they update their Kodi installations; or, they could install a ready-made Kodi build that includes the URL of a malicious repository. Thirdly, users could install a ready-made Kodi build that contains a malicious add-on but no link to a repository for updates.

In this latter case, victims would be initially compromised and the malware would persist, though it would receive no further updates to the malicious add-on.

“Cybercriminals are increasingly abusing add-ons and scripting functionalities in response to the tightening of security measures for operating systems,” IBM researchers noted in a posting last week. “The industry recently witnessed this trend in the form of bad actors leveraging Visual Basic for Applications (VBA) macros to spread malware.”

In 2016, IBM Managed Security Services observed an attack campaign using VBA macros to deliver Locky ransomware. Last year, Fortinet researchers observed two attacks where threat actors leveraged VBA macros embedded in Excel attachments to spread Dyzap malware and a variant of Strictor ransomware.

In the recently observed campaign, the payload ran on Windows and Linux, and had a multi-stage architecture to ensure that the cryptominer couldn’t be easily traced back to the malicious add-on. The malicious add-on was added to the XvMBC repository (recently taken offline for hosting pirated content) as well as the popular third-party add-on repositories Bubbles (now defunct) and Gaia (a fork of Bubbles).

The top five countries affected by the threat, according to ESET’s telemetry, are the United States, Israel, Greece, the United Kingdom and the Netherlands.

Many of the infected machines however are still harboring the payload, researchers warned, meaning that as a threat, the mining operation persists. According to ESET, which first uncovered the campaign, the Monero-miner has so far mined about $6,700 in virtual currency.

“Although the malicious add-ons are no longer available in various third-party repositories (one repository is no longer operational while the other removed the malicious cryptocurrency-mining code), Kodi users who have unknowingly downloaded the malware on their devices are still affected,” the Trend Micro researchers noted in a posting last week on ESET’s findings.

Nadav Avital, threat research manager at Imperva, told Threatpost that the use of Kodi seems to be part of a natural progression.

“Cybercriminals are always looking to expand their target cycle in order to make more money,” he said. “In the past, we’ve seen rogue cryptominer malware infecting browsers, databases, management systems, cache systems and more. Thus, it is not surprising that cyber criminals are targeting yet another platform.”