Crypto-Stealing Virus Found in Torrented Movie File, Targeting Windows

Colin Muller

A package of extensive exploits found in a fake copy of a torrented movie falsifies search results and redirects cryptocurrency payments, if it can, reports the security website Bleepingcomputer.com.

The exploit suite, found in a fake copy of the movie The Girl in the Spider's Web (garnering a 40% on Rotten Tomatoes), targets the Windows operating system only. While very robust, the exploit can only catch fast-clickers: the malicious file is not even a media file type, but a .LNK shortcut. Bleepingcomputer cited security experts in saying that "weaponized .LNK files are common in pirated content."


The file opens many attack vectors. One of them produces fake ads and search results on Google and Yandex by hijacking both the Chrome and Firefox browsers to do its bidding and downloading the extensions it needs to function. It deviously redirects searches for terms like "spyware" to custom, fake anti-spyware software which is in fact yet more malicious software.

Wikipedia is also targeted: when users visit the site, a fake donation box presenting bitcoin and ether addresses is injected into the page (neither address seems to have phished much coin).

The exploit specifically targets crypto, too, by scanning web pages for cryptocurrency addresses and replacing them with the attackers' own addresses. The user, probably not noticing anything wrong, could then simply copy the wrong address into a transaction field. To protect themselves from these attacks, users are always advised to double-check the addresses they're sending funds to.

Security in General

CryptoGlobe recently reported on the persisting vulnerability of South Korean exchanges, despite their passing government-led security audits. Another report from ICORating, released only a week ago, claimed that a mere 16% of the top 135 cryptoasset exchanges got top marks on security. The majority of exchanges, the report found, had significant security oversights - including some big ones like Binance.

The overall trend in security involving cryptocurrency is that so-called "cryptojacking" - hijacking an unwitting user's computer and using it to surreptitiously mine cryptocurrency (usually Monero) - is on the wane, while data theft targeting public and private organizations - a style of attack known as "ransomware" - is on the rise.

Businesses and other entities are often targeted by ransomware attacks by having their vital data encrypted, with attackers demanding cryptocurrency payments for the decryption keys.


Bitpoint Reveals Breakdown of Funds Stolen and Pledges Reimbursement After Hack

Neil Dennis

Japan's Bitpoint cryptocurrency exchange has published a breakdown of the assets lost in this month's security breach, in which hackers stole around Y3 billion ($28 million), and has pledged to reimburse customers.

A document published by parent company Remix Point on Tuesday showed that, of the Y3.02 billion stolen, Y2.6 billion belonged to customers, while Y960 million was company-owned assets.

Here's the full breakdown:

  • Bitcoin: 1,225 BTC - total stolen worth Y1.53 billion at the time of the attack: Y1.28 billion belonging to customers and Y250 million to the exchange
  • Bitcoin cash: 1,985 BCH - worth Y70 million at the time of the attack: Y40 million customer-owned and Y30 million exchange-owned
  • Ether: 11,169 ETH - worth Y330 million at the time of the attack: Y240 million customer-owned and Y90 million the exchange's
  • Litecoin: 5,108 LTC - worth Y500 million, with about Y40 million in customer funds
  • XRP: 28,106,323 XRP - worth Y1.03 billion at the time of the attack, of which around a quarter was customer funds

Reimbursement

Remix Point added in its Tuesday statement that it would reimburse customer losses, compensating them in the lost cryptocurrencies rather than their fiat equivalent.

The exchange revealed on Sunday that it had already tracked $2.3 million worth of the stolen tokens. As reported by Finance Magnates, Bitpoint said it had recovered those funds and reabsorbed them.

Bitpoint said last week's security breach occurred due to unauthorized access to the private keys of its hot wallets, and it now intends to move all holdings into cold storage, where no breaches of security had been detected.

Co-operation With Regulators

Remix Point said in the document published on Tuesday that it was co-operating with the self-regulatory body, the Japan Virtual Currency Exchange Association, to help establish better security measures across the industry.

It requested that the association, along with its exchange rivals, monitor any suspicious activity in the coming days that might involve the deposit of funds potentially associated with the incident.