Crypto-Stealing Virus Found in Torrented Movie File, Targeting Windows

Colin Muller

Malware bundled into a fake copy of a torrented movie falsifies search results and, where it can, redirects cryptocurrency payments, reports the security website Bleepingcomputer.com.

The malware, found in a fake copy of the movie The Girl in the Spider’s Web (which holds a 40% on Rotten Tomatoes), affects only Windows. Capable as it is, it can only catch users who click without looking: the malicious file is not a video at all but a .LNK shortcut, the Windows shortcut format, which runs whatever command it points at when opened. Bleepingcomputer cited security experts in saying that “weaponized .LNK files are common in pirated content.”


The malware does several things at once. One component injects fake ads and search results into Google and Yandex by hijacking Chrome and Firefox, installing the browser extensions it needs to do so. It also redirects searches for terms such as “spyware” to bogus anti-spyware products that are themselves further malware.

Visitors to Wikipedia are targeted as well: a fake donation box showing attacker-controlled bitcoin and ether addresses is injected into the page (neither address appears to have collected much).

The malware also goes after cryptocurrency directly, scanning web pages for cryptocurrency addresses and replacing them with the attackers’ own. A user who does not notice the substitution simply copies the wrong address into the transaction. The standard advice is to double check the destination address before sending funds; since the browser itself is compromised here, that check should be made against an address obtained through an independent channel, such as the recipient’s published address read on another device, rather than against what the same browser displays.

Security in General

CryptoGlobe recently reported on the persisting vulnerability of South Korean exchanges, despite their passing government-led security audits. Another report from ICORating, released only a week ago, claimed that a mere 16% of the top 135 cryptoasset exchanges got top marks on security. The majority of exchanges, the report found, had significant security oversights - including some big ones like Binance.

The broader trend in cryptocurrency-related attacks is that so-called “cryptojacking” - hijacking an unwitting user’s computer to surreptitiously mine cryptocurrency (usually Monero) - is on the wane, while ransomware - malware that encrypts a victim’s data and demands payment for the decryption key - is on the rise.

Businesses and public bodies are the typical ransomware targets: the attackers encrypt the organization’s vital data and demand a cryptocurrency payment for the decryption keys.

Browser Extensions Are Trying to Steal Your Bitcoin, Says Casa CEO

Will Heasman

Casa CEO Jeremy Welch has expressed concerns about malicious browser extensions, noting that some may pose a risk to users' bitcoin holdings.

Addressing a crowded conference room during this weekend's Baltic Honeybadger meeting in Riga, Welch urged proper due diligence when it comes to bitcoin and browser security.

Browser extensions impose major risks, and these risks haven’t been discussed until this point... Make sure you don’t expose your bitcoin addresses anywhere.

Most casual internet users are unaware of how much risk sits in the browser itself. Browser extensions are perhaps the most insidious element: many contain trackers that monitor user activity and gather data. Even where that collection is not itself malicious, it gives scammers a rich resource for exposing users to further threats.

Speaking further on the matter, Welch gave several examples, including a seemingly harmless extension that provides wallpapers with motivational quotes. In reality, this outwardly innocuous add-on is malware that steals KYC data as the user fills in online compliance forms, capturing identity documents such as passport scans at the point where the page renders them as images.

You got a nice background here, and you don’t realize that your browser is actually dumping data

Welch also explained how some extensions divert funds by altering a receiving address shown in the browser to one the attacker controls.

Even if wallpaper apps aren't your thing, Welch also highlighted more mainstream extensions, such as the writing assistant Grammarly and the Joule extension for Lightning payments, as deserving the same scrutiny.

The underlying issue is that there is no reliable way to know which extensions are dependable and which are not. As Welch notes, something as simple as a routine update can change what an extension does and hand access to bad actors.

Featured Image Credit: Photo via Pixabay.com