Beware of cryptominers if you download the latest Spider-Man via torrent


Cybersecurity firm ReasonLabs warns: watch out for cryptocurrency miners if you would rather download Spider-Man: No Way Home via torrent than go and see it at the cinema.

In a new report, the ReasonLabs research team says it has found Monero miners bundled with Russian-language torrents of the new film, which has grossed more than $750 million worldwide since its release last week.

According to ReasonLabs, the miner adds exclusions to Windows Defender so its files are not scanned, establishes persistence, and spawns a monitoring process that keeps it running if it is stopped. “The malware is not signed and is written in .NET. To date, it is not present in VirusTotal. The malware tries to stay out of sight by using ‘legitimate’ names for the files and processes it creates. We recommend that you use great caution when downloading any content from unofficial sources, whether it is a document in an email from an unknown sender, a pirated program on a questionable download portal or a file from a torrent,” the team explains.
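The behaviours ReasonLabs lists (Defender exclusions, persistence, a watchdog process, an unsigned .NET binary under a plausible name) are all things a defender can enumerate directly on the host. The following PowerShell triage script is an added example, not code from ReasonLabs or ZDNet; it assumes an elevated session on the suspect Windows machine, and its "outside Windows or Program Files" filter and the list of CLR module names are heuristics chosen here, not indicators taken from the report.

```powershell
# Added triage example (not code from ReasonLabs or ZDNet). Run in an elevated
# PowerShell session on the suspect Windows host. Everything below is a
# heuristic: review the output, it is not a verdict.

# 1. Defender exclusions. Most workstations have none; a user-writable path
#    (AppData, Temp, Downloads) or an unfamiliar process name is the pattern
#    to look for.
$pref = Get-MpPreference
[PSCustomObject]@{
    ExclusionPath      = $pref.ExclusionPath
    ExclusionProcess   = $pref.ExclusionProcess
    ExclusionExtension = $pref.ExclusionExtension
} | Format-List
$pref.ExclusionPath | Where-Object { $_ -match 'AppData|Temp|Downloads|ProgramData' } |
    ForEach-Object { Write-Warning "User-writable path excluded from scanning: $_" }

# 2. Persistence through Run/RunOnce keys (current user and machine).
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        Get-ItemProperty -Path $key |
            Select-Object -Property * -ExcludeProperty PS* |
            Format-List
    }
}

# 3. Scheduled tasks whose action lives outside Windows / Program Files
#    (assumed "trusted" prefixes; adjust for your image).
$trusted = '^(C:\\Windows|C:\\Program Files|%SystemRoot%|%windir%|%ProgramFiles%)'
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        $exe = if ($a.Execute) { $a.Execute.Trim('"') } else { $null }
        if ($exe -and $exe -notmatch $trusted) {
            [PSCustomObject]@{
                Task    = $task.TaskPath + $task.TaskName
                Execute = $exe
                Args    = $a.Arguments
            }
        }
    }
} | Format-Table -AutoSize

# 4. Running processes that are both unsigned and .NET (they have the CLR
#    loaded), ranked by CPU time. An unsigned .NET image burning CPU under a
#    plausible-looking name matches the description in the report; the
#    watchdog process, if present, should show up in the same list.
$clr = @('clr.dll', 'coreclr.dll', 'mscorwks.dll')   # assumed CLR module names
Get-Process | Where-Object { $_.Path } | ForEach-Object {
    $proc = $_
    # Module enumeration is denied for protected processes; treat as "no CLR".
    try { $mods = $proc.Modules | ForEach-Object { $_.ModuleName } } catch { $mods = @() }
    if (-not ($mods | Where-Object { $_ -in $clr })) { return }
    $sig = Get-AuthenticodeSignature -FilePath $proc.Path
    if ($sig.Status -ne 'Valid') {
        [PSCustomObject]@{
            PID       = $proc.Id
            Name      = $proc.ProcessName
            Path      = $proc.Path
            CPUSec    = [math]::Round([double]$proc.CPU, 1)
            Signature = $sig.Status
        }
    }
} | Sort-Object CPUSec -Descending | Format-Table -AutoSize
```

If a path from step 1 matches an executable surfaced by steps 2 to 4, remove the exclusion and the persistence entry before terminating anything: the report describes a monitoring process that keeps the miner running, so the miner and its watchdog need to be stopped together or the one left behind simply restarts the other.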

The Spider-Man malware, a reissue of already known malware

“An easy precaution is to always check that the file extension matches the file you expect; for example, in this case a video file should end with ‘.mp4’ and not with ‘.exe’. Try to gather information about the file, and always think twice before double-clicking on it. To be sure you see the actual file extension, open a folder, go to ‘View’ and check ‘File name extensions’. This will make sure you see the complete file type.”
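The quoted advice can be automated for the folder where torrented files land. The script below is an added example, not code from ReasonLabs or ZDNet; it assumes the user's Downloads folder, and it goes a little beyond the quote by also flagging executables whose names carry typical release tokens ("1080p", "x264") even without a double extension. Both naming patterns are assumptions made here, not indicators from the report.

```powershell
# Added example (not code from ReasonLabs or ZDNet). Run as the user whose
# Downloads folder received the torrent.

# 1. Make sure Explorer shows extensions, otherwise "Spider-Man.mp4.exe" is
#    displayed as "Spider-Man.mp4". The change takes effect after Explorer restarts.
$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$hide = (Get-ItemProperty -Path $advanced -Name HideFileExt -ErrorAction SilentlyContinue).HideFileExt
if ($null -eq $hide -or $hide -ne 0) {
    Write-Warning "Explorer is hiding file extensions (HideFileExt=$hide); setting it to 0."
    Set-ItemProperty -Path $advanced -Name HideFileExt -Value 0 -Type DWord
}

# 2. Look for executables dressed up as media. Two assumed naming patterns:
#    a media extension immediately before an executable one (".mp4.exe"), or
#    an executable whose name carries release-group tokens ("1080p", "x264").
$mediaExt   = 'mp4|mkv|avi|mov|mp3|flac|srt|pdf|docx?'
$execExt    = 'exe|scr|com|bat|cmd|ps1|vbs|js|msi|lnk'
$doubleExt  = '\.(' + $mediaExt + ')\.(' + $execExt + ')$'
$execOnly   = '\.(' + $execExt + ')$'
$looksMedia = '(1080p|720p|2160p|x264|x265|hevc|web-?dl|bluray|hdrip|camrip)'
$root = Join-Path $env:USERPROFILE 'Downloads'   # assumed download location

Get-ChildItem -Path $root -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object {
        $_.Name -match $doubleExt -or
        ($_.Name -match $execOnly -and $_.Name -match $looksMedia)
    } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [PSCustomObject]@{
            File      = $_.FullName
            SizeMB    = [math]::Round($_.Length / 1MB, 1)
            Signature = $sig.Status   # 'NotSigned' is what the report describes
            SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    } | Format-Table -AutoSize
```

The size column is a quick tell on its own: a full-length 1080p film is several gigabytes, so a "movie" that is a few megabytes is not a movie. The SHA256 is there so a hit can be looked up or submitted to a service such as VirusTotal without executing the file.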

The researchers add that while the malware does not compromise personal information, cryptominers do other types of damage. Victims will see their electricity bills go up, and the researchers note that the miner runs for long periods, keeping CPU usage high and slowing down the device.

When asked how they discovered the cryptominer, the ReasonLabs team told ZDNet that over the years they have accumulated a large database of malware that allows them to trace samples to their origins, report them, identify them and cross-check them against other databases, such as VirusTotal.

One of their users downloaded this Spider-Man: No Way Home file and it was flagged in their database as a new threat. They do not know how many times the file has been downloaded, but they note that it has been around for some time.

The Spider-Man malware is actually a new “edition” of already known malware that has been disguised as various popular apps in the past, such as “Windows Updater” and “Discord App”, and now as the latest Spider-Man movie. This suggests that it has been downloaded a lot. “No one else has identified this ‘edition’ of the malware,” the team said.

Torrents as a malware distribution mechanism

Jake Williams, technical director of BreachQuest, recalls that threat actors used torrents as a malware distribution mechanism long before the appearance of cryptocurrencies. “I remember seeing a wave of hackers compromising victims with screen savers celebrating Whitney Houston’s career following her death. With cryptocurrencies being the easiest way for cybercriminals to cash in, it’s no surprise that they use them as the payload of choice for their malware.”

Sean Nikkel of Digital Shadows points out that many Gen Xers and Millennials probably remember the days when they would download random files from strangers on Kazaa and LimeWire, looking for MP3s or rare or free videos, and ended up with a Trojan or other similar malware.

According to him, this tactic has spread to the world of torrents. Besides malware attached to popular movies or shows, the same happens with popular apps like those from Adobe or Microsoft, or specialty music programs like Ableton or Fruity Loops, which are themselves often cracked. “Sometimes the key generators themselves were malicious, or the application executable. Many office workers looking to save money or use programs they are familiar with on their work computers have run the risk of downloading ‘free’ versions or versions hosted on bad sites, and have ended up getting burned,” says Sean Nikkel.

Casey Ellis, CTO of Bugcrowd, explains that from a cybercriminal’s perspective, a distribution channel whose users are unlikely to ask for “tech support” when something goes wrong, or to admit to loved ones that their computer is behaving strangely, increases the chances that the malware will run in the first place and, once it does, reduces the risk of it being discovered and removed.

ReasonLabs says it is still researching the origins of the miner. The company notes that it constantly sees miners disguised as running programs, files of interest and popular apps. “Miners have become very popular in recent years because it is easy money, and attackers try to reach as many people as possible by all means, including tricking users into downloading files that are not what they appear to be,” the company told ZDNet.

Source: ZDNet.com
