Crypto-Stealing Virus Found in Torrented Movie File, Targeting Windows

Colin Muller

A bundle of malware found in a fake copy of a torrented movie falsifies search results and, where it can, redirects cryptocurrency payments, reports the security website Bleepingcomputer.com.

The malware package, found in a fake copy of the movie The Girl in the Spider’s Web (which garnered a 40% on Rotten Tomatoes), targets the Windows operating system only. While quite capable once it runs, it can only catch users who click without looking, as the malicious file is not a media file type at all but a .LNK shortcut. Bleepingcomputer cited security experts in saying that “weaponized .LNK files are common in pirated content.”
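A defender-side triage check for the shortcut-disguised-as-movie case described above, written as an added example for this page and not taken from the article or from Bleepingcomputer; it reads the documented Windows shell link header and string fields, the shortcut bytes it parses are constructed here rather than taken from the real sample, and the video-name heuristic is an assumption:

```python
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # 00021401-0000-0000-C000-000000000046
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80
# StringData sections follow in this fixed order, each present only if its LinkFlags bit is set.
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location")]

def parse_lnk(data: bytes) -> dict:
    """Return the target path / arguments of a Windows shell link, or raise ValueError."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link: bad HeaderSize or LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76                                   # ShellLinkHeader is always 76 bytes
    if flags & HAS_IDLIST:                     # LinkTargetIDList: 2-byte size, then items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:                   # LinkInfo: 4-byte size that counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    info = {"flags": flags}
    for bit, key in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters, not bytes
        pos += 2
        if flags & IS_UNICODE:
            info[key] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            info[key] = data[pos:pos + count].decode("cp1252", "replace")
            pos += count
    return info

def is_disguised_shortcut(filename: str, data: bytes) -> bool:
    """Heuristic (assumed): a file named like a video that is really a shell link launching something."""
    named_like_video = any(ext in filename.lower() for ext in (".mp4", ".mkv", ".avi"))
    try:
        info = parse_lnk(data)
    except ValueError:
        return False
    return named_like_video and ("relative_path" in info or "arguments" in info)

def build_sample_lnk(rel_path: str, args: str) -> bytes:
    """Constructed test fixture (not a real malware artifact): a Unicode link with path + args."""
    flags = 0x08 | 0x20 | IS_UNICODE
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", flags) + bytes(76 - 24)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in (rel_path, args))
    return header + body
```

Running `parse_lnk` over a downloaded "movie" before opening it shows what the shortcut would actually launch, which is the check the article's fast-clickers skipped.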


The file opens many attack vectors. One of them produces fake ads and search results on Google and Yandex, by hijacking both Chrome and Firefox browsers to do its bidding, and downloads extensions it needs to function. It deviously redirects searches for things like “spyware” to custom, fake anti-spyware software which is in fact yet more malicious software.

Wikipedia is also targeted: when users visit the site, a fake donation box presenting bitcoin and ether addresses is injected into the page (neither address appears to have collected much coin).

The malware also targets cryptocurrency directly, scanning web pages for crypto addresses and replacing them with the attackers’ own. A user who notices nothing wrong could then simply copy the wrong address into a transaction field. To protect themselves from these attacks, users are always advised to double-check the addresses they're sending funds to.

Security in General

CryptoGlobe recently reported on the persisting vulnerability of South Korean exchanges, despite their passing government-led security audits. Another report from ICORating, released only a week ago, claimed that a mere 16% of the top 135 cryptoasset exchanges got top marks on security. The majority of exchanges, the report found, had significant security oversights, including some big ones like Binance.

The overall trend of security involving cryptocurrency is that so-called “cryptojacking” (hijacking an unwitting user’s computer and using it to surreptitiously mine cryptocurrency, usually Monero) is on the wane, while data theft targeting public and private organizations, a style of attack known as “ransomware”, is on the rise.

Businesses and other entities are often targeted by ransomware attacks by having their vital data encrypted, with attackers demanding cryptocurrency payments for the decryption keys.

Bitcoin ‘Sextortion’ Scheme Netted Cybercriminals Over $330,000

Blackmailers have reportedly managed to rake in over $330,000 worth of bitcoin, the flagship cryptocurrency, through an email-based ‘sextortion’ campaign that has been ongoing since at least 2017, and saw its activity surge last year.

According to a report published by UK firm Digital Shadows, the cybercriminals received said amount from over 3,100 unique BTC addresses. The funds ended up in 92 different bitcoin addresses believed to belong to the same organization, which could reportedly be making an average of $540 per victim.

The firm’s report, first spotted by The Next Web, tracked a sample of 792,000 emails sent to victims. The ‘sextortionists’ reportedly sent them an email that included a known password as “proof” they had hacked them, and claimed to have video evidence of them viewing adult content online.

The threat was that the video would be published online, if a ransom in BTC wasn’t paid. Last year, Cornell University computer science professor Emin Gün Sirer warned potential victims to “never pay, never negotiate” with cybercriminals trying to extort them.

Per Sirer, the emails were being sent to every email account on the popular website haveibeenpwned, which shows whether an email address has appeared in well-known data breaches.

A Sophisticated Operation

The UK firm’s report seems to show the ‘sextortion’ operation was a sophisticated one, as scammers were seemingly trying to hire more people to help them target high-net-worth individuals.

These hires could be getting high salaries, up to $768,000 a year, if they had experience in network management, penetration testing, and programming. The cybercriminals have notably also been using social media to target their victims.

The scammers’ capabilities are said to have varied in skill: while some struggled to distribute a large volume of emails that could get past mail server or spam filters, others showed high levels of sophistication, with emails sent from accounts specifically created for the campaigns.

Moreover, these campaigns were launched on a global scale, as the servers the emails came from were on five different continents. The largest number of emails came from Vietnam, Brazil, and India. These servers could, however, have been compromised by the scammers as well.