A new strain of malware posing as a movie file was discovered last year. It was designed to steal cryptocurrency and to inject manipulated content into popular sites such as Google, Yandex, and Wikipedia. Surprisingly, a year after its discovery and several reports on the attack, there is still hardly any confirmed remedy for it.
The malware, while not entirely original, stands out for its creativity and well-honed stealth: it sits unseen right under the nose of an eager movie watcher. As is common these days, the malicious file was found among the torrented, pirated movies hosted on the notorious website The Pirate Bay.
This is not the first time that malware of some sort has been found on the popular torrent site; as a matter of fact, The Pirate Bay itself was widely accused in 2017 of secretly mining cryptocurrency with its visitors' computers. However, the new method of infiltration employed by this simple malware (a classic Trojan horse) and the remarkable number of malicious activities tied to it make it well worth a closer look.
The malware had probably been sitting there for some time before a security researcher going by the handle 0xffff0800 discovered it. The movie the victim expects (not so great if you are not a cypherpunk) is the hacker film The Girl in the Spider's Web. The researcher found a .LNK shortcut file nestled among the downloaded files, and its suspicious icon drew his attention to it. A run through the VirusTotal scanning service returned some interesting results, several of them apparently deliberate decoys meant to shroud the malware's main effects.
More in-depth research has, however, uncovered further details about the booby-trapped thriller poised to steal your cryptocurrency.
The Hacker's Poison
The .LNK file executes a PowerShell command that quietly extracts a script embedded in the shortcut file itself and runs it. According to BleepingComputer, the malware is far more sophisticated than first believed, and the initially discovered injection of ads into Google and Yandex search results is the least of the problem.
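Since the article describes the infection vector only in outline, here is a small forensic triage script, added for this write-up and not part of the original report or of anything 0xffff0800 or BleepingComputer published. It parses the MS-SHLLINK structure of a shortcut (header, StringData, ExtraData) and flags the traits the text describes: a target that launches PowerShell, arguments that read the .lnk file itself, an icon borrowed from another program, and data appended past the end of the link structure, which is where an embedded script can hide. The two shortcuts it inspects are built inside the script as constructed samples; the PowerShell one-liner, the wmploc.dll icon path and the N..M offsets are illustrative placeholders, not the real campaign's command line.

```python
import struct

# LinkFlags bits from the MS-SHLLINK specification
HAS_LINK_TARGET_IDLIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

HEADER_SIZE = 0x4C
# CLSID 00021401-0000-0000-C000-000000000046 as laid out on disk
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# StringData fields in the order they appear when their flag is set
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)

INTERPRETERS = ("powershell", "pwsh", "cmd.exe", "mshta", "wscript", "cscript", "rundll32")
SUSPICIOUS_ARGS = (
    "-enc", "-encodedcommand", "-w hidden", "-windowstyle hidden", "-nop", "-noprofile",
    "-ep bypass", "-executionpolicy bypass", "iex", "invoke-expression",
    "frombase64string", "downloadstring", "get-content", ".lnk",
)


def parse_lnk(data: bytes) -> dict:
    """Parse the header, skip IDList/LinkInfo, read StringData, walk ExtraData.
    Returns the string fields plus the number of bytes left after the structure
    ends; a legitimate shortcut has none."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a shell link: bad HeaderSize")
    if data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link: bad CLSID")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_IDLIST:
        off += 2 + struct.unpack_from("<H", data, off)[0]      # IDListSize + IDList
    if flags & HAS_LINK_INFO:
        off += struct.unpack_from("<I", data, off)[0]          # LinkInfoSize includes itself
    result = {}
    for flag, field in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, off)[0]         # CountCharacters, no terminator
        off += 2
        if flags & IS_UNICODE:
            result[field] = data[off:off + 2 * count].decode("utf-16-le")
            off += 2 * count
        else:
            result[field] = data[off:off + count].decode("cp1252", errors="replace")
            off += count
    # ExtraData: blocks prefixed by a 4-byte size; a size below 4 is the terminal block
    while off + 4 <= len(data):
        block_size = struct.unpack_from("<I", data, off)[0]
        if block_size < 4:
            off += 4
            break
        off += block_size
    result["trailing_bytes"] = len(data) - off
    return result


def assess(lnk: dict) -> list:
    """Human-readable findings for a parsed shortcut; an empty list means nothing suspicious."""
    findings = []
    target = (lnk.get("relative_path", "") + " " + lnk.get("name", "")).lower()
    args = lnk.get("arguments", "").lower()
    icon = lnk.get("icon_location", "").lower()
    if any(i in target for i in INTERPRETERS):
        findings.append(f"target launches a script interpreter: {lnk.get('relative_path')}")
        if icon and not any(i in icon for i in INTERPRETERS):
            findings.append(f"icon borrowed from another program to masquerade: {lnk.get('icon_location')}")
    hits = [p for p in SUSPICIOUS_ARGS if p in args]
    if hits:
        findings.append("suspicious arguments: " + ", ".join(hits))
    if lnk["trailing_bytes"]:
        findings.append(f"{lnk['trailing_bytes']} bytes appended after the link structure (possible embedded payload)")
    return findings


def build_lnk(relative_path: str, arguments: str, icon_location: str, trailer: bytes = b"") -> bytes:
    """Build a minimal Unicode .LNK (no IDList, no LinkInfo). Constructed test data, not a real capture."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    header = struct.pack("<I", HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (HEADER_SIZE - len(header))            # remaining header fields zeroed

    def string_data(text: str) -> bytes:
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    body = string_data(relative_path) + string_data(arguments) + string_data(icon_location)
    return header + body + struct.pack("<I", 0) + trailer      # terminal ExtraData block, then trailer


# Constructed stand-in for the booby-trapped shortcut: PowerShell reads the .lnk itself and runs
# whatever sits past the end of the link structure. Offsets N..M and the payload are placeholders.
SAMPLE_TRAILER = "Write-Host 'second stage would be here'".encode("utf-16-le")
SAMPLE_MALICIOUS = build_lnk(
    r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    '-w hidden -nop -ep bypass -c "iex([Text.Encoding]::Unicode.GetString((Get-Content *.lnk -Encoding Byte)[N..M]))"',
    r"%SystemRoot%\System32\wmploc.dll",   # media-player icon resource so the shortcut looks like a video
    SAMPLE_TRAILER,
)
# Constructed benign shortcut pointing at a video file
SAMPLE_BENIGN = build_lnk(r".\The.Girl.in.the.Spiders.Web.2018.mkv", "", "")

if __name__ == "__main__":
    for label, blob in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        parsed = parse_lnk(blob)
        print(label, parsed)
        for finding in assess(parsed):
            print("  !", finding)
```

On a real download directory, feed each `*.lnk` file's bytes to `parse_lnk` and `assess`; the trailing-bytes check alone separates ordinary shortcuts (which end exactly at the terminal ExtraData block) from ones carrying a hidden payload.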
Besides manipulating the top results shown in Google searches, the malware also solicits fake donations on Wikipedia pages. Once active, it injects a banner into Wikipedia pages announcing a supposed new policy of accepting digital currencies as donations. The Bitcoin and Ethereum addresses in that banner are part of a broader scheme: the malware replaces any wallet address it finds on a web page with the attacker's own. Such a swap is unlikely to be noticed, since wallet addresses are long, random-looking strings that nobody reads character by character.
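To make that last point concrete, here is an added Python example (not code from the original article or from the analysis it cites) that audits a rendered page against the addresses the publisher actually put there. The HTML fragments are constructed: the genuine BTC address is the Bitcoin genesis-block address and the substituted one is the well-known "eater" burn address, both used only as well-formed strings; the ETH addresses are placeholders. The Base58Check routine is included to show that a swapped-in address is as well-formed as the original: format checks catch typos, not substitutions, so the meaningful defence is comparison against an out-of-band reference such as the server's own copy of the page.

```python
import hashlib
import re

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Bitcoin legacy (1.../3...), bech32 (bc1...) and Ethereum (0x + 40 hex) address shapes,
# bounded so that substrings of a longer token are not picked up
ADDRESS_RE = re.compile(
    r"(?<![0-9A-Za-z])"
    r"(?:[13][1-9A-HJ-NP-Za-km-z]{25,34}|bc1[02-9ac-hj-np-z]{11,71}|0x[0-9a-fA-F]{40})"
    r"(?![0-9A-Za-z])"
)


def base58check_valid(addr: str) -> bool:
    """True if a legacy Bitcoin address decodes to 25 bytes whose last 4 are the
    double-SHA256 checksum of the first 21. A typo fails this; an attacker's real
    address passes it, so this is a format check, not an authenticity check."""
    n = 0
    for ch in addr:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            return False
        n = n * 58 + idx
    leading_zeros = len(addr) - len(addr.lstrip("1"))   # each leading '1' is a 0x00 byte
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    raw = b"\x00" * leading_zeros + body
    if len(raw) != 25:
        return False
    checksum = hashlib.sha256(hashlib.sha256(raw[:-4]).digest()).digest()[:4]
    return raw[-4:] == checksum


def find_addresses(text: str) -> set:
    """All address-shaped tokens in a page."""
    return set(ADDRESS_RE.findall(text))


def audit_page(rendered_html: str, published: set) -> dict:
    """Compare the addresses visible in the rendered page with the publisher's known
    addresses. 'unexpected' entries are candidates for a swap or an injected banner;
    'well_formed' shows that checksum validity says nothing about who owns them."""
    seen = find_addresses(rendered_html)
    return {
        "unexpected": sorted(seen - published),
        "missing": sorted(published - seen),
        "well_formed": {a: base58check_valid(a) for a in seen if a[0] in "13"},
    }


# Constructed sample: the publisher's genuine page. The BTC address is the genesis-block
# address, used only as a well-known valid string; the ETH address is a placeholder.
PUBLISHED_HTML = """
<p>Support us. BTC: 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa</p>
<p>ETH: 0x1111111111111111111111111111111111111111</p>
"""

# Constructed sample: the same page as a victim's browser renders it after injection.
# The substituted BTC address is the well-known "eater" burn address, standing in for
# the attacker's own; the ETH address is another placeholder.
RENDERED_HTML = """
<div class="donate-banner">We now accept cryptocurrency donations!
BTC: 1BitcoinEaterAddressDontSendf59kuE</div>
<p>Support us. BTC: 1BitcoinEaterAddressDontSendf59kuE</p>
<p>ETH: 0x2222222222222222222222222222222222222222</p>
"""

if __name__ == "__main__":
    report = audit_page(RENDERED_HTML, find_addresses(PUBLISHED_HTML))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against the constructed pages, the audit lists both substituted addresses as unexpected and both genuine ones as missing, while the checksum column cannot tell the two BTC addresses apart; that is exactly why a victim comparing the address on screen against nothing but its own checksum will not notice the swap.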
Users have been warned against downloading movies from torrent trackers; in the long run it may cost them far more than a few hours of entertainment.