Crypto-Stealing Virus Found in Torrented Movie File, Targeting Windows

Colin Muller

A package of exploits bundled into a fake torrented copy of a movie falsifies search results and, where it can, redirects cryptocurrency payments, reports the security website Bleepingcomputer.com.

The exploit suite, found in a fake copy of the movie The Girl in the Spider’s Web (which holds a 40% rating on Rotten Tomatoes), targets the Windows operating system only. While the payload is extensive, it can only catch users who click without looking: the malicious file is not a media file type at all, but a .LNK Windows shortcut. Bleepingcomputer cited security experts as saying that “weaponized .LNK files are common in pirated content.”
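The tell described above is simple to check for automatically: a "movie" that arrives as a shortcut or executable rather than a media file. The scanner below is an added example, not code from the article or from BleepingComputer; it walks a download directory and flags files whose extension Windows would execute or follow, with extra weight on names such as `Movie.mp4.lnk` that mimic media through a double extension. The extension lists and the sample directory layout are constructed for illustration, and the check generalises beyond .LNK to other executable types (.exe, .msi, .scr and the like).

```python
"""Flag downloaded files that are shortcuts or executables posing as media.

Added example: scans a download folder for the kind of disguised payload
described in the article (a .LNK shortcut delivered in place of a movie).
"""
import os
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

# Extensions a user expects inside a movie torrent (constructed list).
MEDIA_EXTS = {".mp4", ".mkv", ".avi", ".mov", ".wmv", ".mp3", ".srt"}
# Extensions Windows executes (or follows, for .lnk) on double-click (constructed list).
EXEC_EXTS = {".lnk", ".exe", ".scr", ".msi", ".bat", ".cmd", ".js", ".vbs", ".pif"}


def classify(name: str) -> Optional[str]:
    """Return a finding label for a suspicious file name, or None if it looks benign."""
    p = Path(name)
    ext = p.suffix.lower()
    if ext not in EXEC_EXTS:
        return None
    # Inner extension of a double-extension name, e.g. "Movie.mp4.lnk" -> ".mp4".
    inner = Path(p.stem).suffix.lower()
    if inner in MEDIA_EXTS:
        return f"double extension: looks like {inner} but is {ext}"
    if ext == ".lnk":
        return "shortcut (.lnk) delivered as content"
    return f"executable ({ext}) delivered as content"


def scan_download_dir(root: str) -> List[Tuple[str, str]]:
    """Walk `root` and return (relative_path, finding) for every suspicious file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            label = classify(f)
            if label:
                rel = os.path.relpath(os.path.join(dirpath, f), root)
                findings.append((rel, label))
    return sorted(findings)


def demo_scan() -> List[Tuple[str, str]]:
    """Build a constructed fake-movie download and scan it (for demonstration)."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp) / "The.Movie.2018.1080p"
        d.mkdir()
        for n in ("The.Movie.2018.1080p.mp4.lnk", "The.Movie.2018.1080p.srt", "RARBG.txt"):
            (d / n).write_bytes(b"")  # empty placeholder files, constructed sample
        return scan_download_dir(tmp)


if __name__ == "__main__":
    for rel, why in demo_scan():
        print(f"{rel}: {why}")
```

Run it against a real download folder by calling `scan_download_dir` with that path; anything it reports should be treated as a file to delete rather than open.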


The file opens several attack vectors. One hijacks both Chrome and Firefox, downloading the browser extensions it needs, to insert fake ads and search results into Google and Yandex. It deviously redirects searches for terms like “spyware” to custom, fake anti-spyware software that is in fact yet more malware.

Wikipedia is also targeted: when users visit the site, a fake donation box presenting bitcoin and ether addresses is injected into the page (neither address appears to have collected much coin).

The exploit also targets crypto directly, scanning web pages for cryptocurrency addresses and replacing them with the attackers’ own. A user who notices nothing wrong could then simply copy the wrong address into a transaction field. To protect themselves from such attacks, users are always advised to double-check the addresses they are sending funds to.
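"Double-checking" an address means more than glancing at it: a swapped-in address is usually a perfectly well-formed one, so the only reliable check is a full comparison against an address you obtained through a trusted channel. The code below is an added example, not part of the article: it decodes legacy Bitcoin addresses with Base58Check, validates the four-byte double-SHA-256 checksum, and then compares a pasted address with the expected one, distinguishing a typo or corrupted address from a valid-but-different address that would indicate substitution. The expected address is the well-known genesis-block coinbase address; the "swapped" address is constructed here by encoding a made-up hash160 and is not a real attacker address.

```python
"""Verify a pasted Bitcoin address against a known-good one before sending.

Added example (not from the article). Legacy (P2PKH/P2SH) addresses only;
bech32 addresses would need a separate decoder.
"""
import hashlib

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def _checksum(data: bytes) -> bytes:
    """First four bytes of SHA-256(SHA-256(data)), as used by Base58Check."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()[:4]


def base58check_encode(data: bytes) -> str:
    """Encode version+payload bytes as a Base58Check string."""
    raw = data + _checksum(data)
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = ALPHABET[r] + out
    leading = len(raw) - len(raw.lstrip(b"\x00"))  # each leading 0x00 byte -> '1'
    return "1" * leading + out


def base58check_decode(addr: str):
    """Return version+payload bytes if the checksum is valid, else None."""
    n = 0
    for ch in addr:
        idx = ALPHABET.find(ch)
        if idx < 0:
            return None  # character outside the Base58 alphabet
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading = len(addr) - len(addr.lstrip("1"))
    raw = b"\x00" * leading + body
    if len(raw) < 5:
        return None
    data, checksum = raw[:-4], raw[-4:]
    if _checksum(data) != checksum:
        return None
    return data


def is_valid_legacy_btc(addr: str) -> bool:
    """True for a well-formed mainnet P2PKH (0x00) or P2SH (0x05) address."""
    data = base58check_decode(addr)
    return data is not None and len(data) == 21 and data[0] in (0x00, 0x05)


def verify_payment_address(pasted: str, expected: str) -> str:
    """Compare the address about to be used with the one obtained out of band."""
    pasted = pasted.strip()
    if pasted == expected:
        return "ok"
    if not is_valid_legacy_btc(pasted):
        return "rejected: malformed address or bad checksum"
    # Well-formed but not ours: exactly what an address-swapping infection produces.
    return "rejected: valid address but not the expected one (possible substitution)"


# Known-good address obtained out of band (here: the Bitcoin genesis coinbase address).
EXPECTED_ADDRESS = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
# Constructed stand-in for a substituted address: valid encoding of a made-up hash160.
SWAPPED_ADDRESS = base58check_encode(b"\x00" + b"\x01" * 20)

if __name__ == "__main__":
    for candidate in (EXPECTED_ADDRESS, SWAPPED_ADDRESS, EXPECTED_ADDRESS[:-1] + "b"):
        print(candidate, "->", verify_payment_address(candidate, EXPECTED_ADDRESS))
```

The design point is the middle branch: a checksum check alone would wave the substituted address through, because the attacker's address is itself valid. Only the exact match against an address stored outside the browser (a hardware wallet display, a printed note, a prior verified transaction) catches the swap.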

Security in General

CryptoGlobe recently reported on the persisting vulnerability of South Korean exchanges, despite their passing government-led security audits. Another report from ICORating, released only a week ago, claimed that a mere 16% of the top 135 cryptoasset exchanges got top marks on security. The majority of exchanges, the report found, had significant security oversights - including some big ones like Binance.

The overall trend in cryptocurrency-related security is that so-called “cryptojacking” - hijacking an unwitting user’s computer and using it to surreptitiously mine cryptocurrency (usually Monero) - is on the wane, while data theft targeting public and private organizations - a style of attack known as “ransomware” - is on the rise.

Businesses and other entities are often targeted by ransomware attacks by having their vital data encrypted, with attackers demanding cryptocurrency payments for the decryption keys.

Malicious Malware Program Hidden Under Fake Wasabi Bitcoin Wallet Links

Cryptocurrency scammers have reportedly created a fake website that contains several links to download the widely used Wasabi Bitcoin (BTC) wallet. However, some of these are “spoofed” links, because they don’t actually lead to the official Wasabi website.

Those looking to download the Windows version of the open-source Wasabi cryptocurrency wallet should be careful because online scammers have placed a malicious file with an “.msi” extension under what appears to be a link to Wasabi’s Windows OS-compatible wallet.

The fraudulent site, wasabibitcoinwallet.org, created by an unknown group of hackers, lists four different versions of Wasabi’s wallet. These include wallet links for macOS, Linux, and Windows users.

“The First Malware That Pretends To Be Wasabi”

Twitter user @nopara73, the co-founder of Wasabi wallet, revealed via the microblogging platform that he had discovered what could be “the first malware that pretends to be Wasabi (http://wasabibitcoinwallet.org).” He also pointed out that “only the Windows download link points to their own website, [while] the rest” of the links were to their GitHub page.

Using A Decompiler To Deconstruct Hackers' Original Source Code

Going on to caution against the potential severity of the problem, the Wasabi wallet developer noted that no search engines were able to detect the malicious file (with the “.msi” extension).

Commenting on the matter, Nicolas Dorier, a C# and Bitcoin developer, recommended “installing [the program] on a virtual machine (VM), extracting the files, and [trying to] disassemble” with ILSpy, an open-source .NET assembly browser and decompiler. This, Dorier said, will help in determining “what sh*t they are doing.”

Malware Programs Can Adjust Their Behavior By Detecting A Virtual Machine Environment

Acknowledging that Dorier’s suggestion may be helpful, the Wasabi co-founder said that he would try to look into this issue. However, he said his time would be better spent “building rather than this.”

Meanwhile, Ethan Heilman, the CTO and co-founder of Arwen, an organization focused on the development of security solutions for centralized digital asset exchanges, warned against running the malware through a VM. Heilman explained that VMs “were not intended to [be] used for isolating malicious code.” He added that “lots of malware checks [whether] it is running in a VM [environment] and changes its behavior [accordingly].”

He also suggested:

You should isolate your analysis machine from your developer [or code execution] machine by using a different computer for malware analysis and creating an isolated network environment.