Beware of cryptominers in ‘Spider-Man: No Way Home’ torrents

Cybersecurity firm ReasonLabs is warning eager “Spider-Man: No Way Home” fans to be wary of cryptominers if they decide to torrent the movie instead of heading to the theater for it.

In a new report, the ReasonLabs research team says it has found Monero miners attached to Russian torrent files for the new film, which has grossed more than $750 million worldwide since its debut last week.

The miner adds exclusions to Windows Defender, establishes persistence, and spawns a monitoring process that keeps it running if it is killed, according to ReasonLabs.

“The malware is not signed and is written in .NET, and to date it is not present in VirusTotal. The malware tries to stay away from prying eyes, using ‘legitimate’ names for the files and the processes it creates. We recommend that you take extra care when downloading content of any kind from unofficial sources – whether it is a document in an email from an unknown sender, a cracked program from a fishy download portal, or a file from a torrent download,” the team explained.

“A simple precaution you can take is to always check that the file extension matches the file you expect; for example, in this case a movie file should end with ‘.mp4’, not ‘.exe’. Try to gather information about the file, and always think twice before double-clicking on it. To make sure you see the real file extension, open a folder, go to ‘View’ and check ‘File name extensions’. This will ensure that you see the complete file type.”
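The behaviours ReasonLabs describes (Defender exclusions, persistence, a file whose extension does not match what it claims to be) are all things a user can check for locally. The following PowerShell triage script is an added example written for this article; it is not ReasonLabs' code, nor a detection signature for this specific miner. It assumes, as the article does not state, that the download landed in the user's Downloads folder and that any persistence lives in the usual user-land places (Run keys, the Startup folder, scheduled tasks). The function names and the extension lists are this example's own choices.

```powershell
# Added triage script (not from ReasonLabs or ZDNet). Run in an elevated
# Windows PowerShell 5.1 or PowerShell 7 session on the affected machine.
# Assumption: persistence, if any, uses Run keys, the Startup folder or a
# scheduled task, and the torrent download sits under the Downloads folder.

# --- 1. Defender exclusions: a miner that adds its own path/process here
#        is invisible to real-time scanning, so an unexpected entry is a red flag.
function Get-DefenderExclusions {
    $pref = Get-MpPreference
    [pscustomobject]@{
        Paths      = @($pref.ExclusionPath)
        Processes  = @($pref.ExclusionProcess)
        Extensions = @($pref.ExclusionExtension)
    }
}

# --- 2. Common user-land persistence locations --------------------------
function Get-AutostartEntries {
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (Test-Path $key) {
            $props = Get-ItemProperty -Path $key
            foreach ($p in $props.PSObject.Properties) {
                # Skip the PS* metadata properties Get-ItemProperty adds
                if ($p.Name -notmatch '^PS') {
                    [pscustomobject]@{ Source = $key; Name = $p.Name; Command = $p.Value }
                }
            }
        }
    }
    # Shortcuts or scripts dropped into the per-user Startup folder
    $startup = [Environment]::GetFolderPath('Startup')
    Get-ChildItem -Path $startup -File -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{ Source = 'StartupFolder'; Name = $_.Name; Command = $_.FullName }
    }
    # Enabled scheduled tasks whose action runs from a user-writable location.
    # The path filter is a heuristic; tune it to the environment.
    Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            if ($a.Execute -and $a.Execute -match 'AppData|Temp|Downloads|ProgramData') {
                [pscustomobject]@{
                    Source  = "Task:$($task.TaskPath)$($task.TaskName)"
                    Name    = $task.TaskName
                    Command = "$($a.Execute) $($a.Arguments)"
                }
            }
        }
    }
}

# --- 3. The article's own advice, automated: flag downloads whose name or
#        content says "executable" while the user expected a movie.
function Find-MasqueradingDownloads {
    param([string]$Folder = (Join-Path $env:USERPROFILE 'Downloads'))
    $execExt  = '\.(exe|scr|com|pif|bat|cmd|msi|js|jse|vbs|vbe|wsf|ps1|hta|lnk)$'
    $doubleExt = '\.(mp4|mkv|avi|mov|wmv|mp3|flac|pdf|docx?|xlsx?|srt)\.[^.]+$'
    Get-ChildItem -Path $Folder -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $reasons = @()
        if ($_.Name -match $execExt)   { $reasons += 'executable extension' }
        if ($_.Name -match $doubleExt) { $reasons += 'double extension (e.g. movie.mp4.exe)' }
        # A "movie" whose first two bytes are 'MZ' is a Windows PE, whatever its name.
        if ($_.Extension -match '^\.(mp4|mkv|avi|mov|mp3)$') {
            $fs = [System.IO.File]::OpenRead($_.FullName)
            try { $buf = New-Object byte[] 2; $n = $fs.Read($buf, 0, 2) } finally { $fs.Close() }
            if ($n -eq 2 -and $buf[0] -eq 0x4D -and $buf[1] -eq 0x5A) {
                $reasons += 'PE header under a media extension'
            }
        }
        if ($reasons.Count -gt 0) {
            # The article notes the sample is unsigned; show Authenticode status for executables.
            $signed = if ($_.Name -match $execExt) { (Get-AuthenticodeSignature $_.FullName).Status } else { 'n/a' }
            [pscustomobject]@{ File = $_.FullName; Signature = $signed; Reasons = ($reasons -join ', ') }
        }
    }
}

'== Defender exclusions ==';  Get-DefenderExclusions | Format-List
'== Autostart entries ==';    Get-AutostartEntries | Format-Table -AutoSize
'== Suspicious downloads =='; Find-MasqueradingDownloads | Format-Table -AutoSize
```

Two caveats: Get-MpPreference and Get-ScheduledTask only cover Defender and the Task Scheduler, so a miner persisting through a service or WMI subscription would not show up here, and the scheduled-task path filter is deliberately loose and will list some legitimate tasks. The script only reports; removing an entry it flags is a manual decision. The Explorer setting the quoted advice refers to is stored as the HideFileExt value under HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, which you can set to 0 to make extensions visible permanently.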

The researchers added that while the malware does not steal personal information, cryptominers do other types of damage.

Victims pay for the extra electricity, and the researchers noted that the miner runs for long periods of time, keeping CPU usage high and slowing down the device.

When asked how they discovered the cryptominer, the ReasonLabs team told ZDNet that they have accumulated a large database of malware over the years that allows them to research samples' origins, report them, and cross-check them against other databases such as VirusTotal.

One of their users downloaded this “Spider-Man: No Way Home” file and it was flagged in their database as a new threat.

They don’t know how many times the file has been downloaded, but have noted that it has been around for some time.

“The Spiderman malware is actually a new ‘edition’ of previously known malware that was disguised as various popular applications in the past, such as ‘windows updater’, ‘discord app’, and now the Spiderman movie. […] has been downloaded, no one else has identified this ‘edition’ of the malware,” the team said.

BreachQuest CTO Jake Williams said malicious actors were using torrents as a malware distribution mechanism long before cryptominers were a thing.

“I remember seeing a wave of threat actors compromising victims with screensavers celebrating Whitney Houston’s career following her death. Since cryptominers are the easiest way for threat actors to cash in, it’s no surprise that malicious actors are using them as their payload of choice for malware,” explained Williams.

Sean Nikkel of Digital Shadows noted that there are probably a lot of Gen X and Millennials who remember the days when they would download random files from strangers on Kazaa and Limewire, looking for rare or free mp3 or video files, and ended up with a trojan or similar nastiness.

The tactic, he said, has carried over to the torrent world. In addition to malware attached to popular movies or shows, the same happens with popular apps like those from Adobe and Microsoft, or specialist music programs like Ableton or Fruity Loops, which are themselves often cracked.

“Sometimes the key generators themselves were malicious, or the application executable. Many office workers have sought to cut costs or use programs they are familiar with on their work computers. These users run the risk of downloading ‘free’ versions or versions hosted on bad sites and end up getting burned,” Nikkel said.

Bugcrowd CTO Casey Ellis explained that, from the threat actor’s perspective, using a distribution channel where users are less likely to ask for “tech support” if something doesn’t seem right, or even to admit to their peers or family that their computer might be behaving strangely, gives them an increased likelihood of their malware running in the first instance and, once it does, a lower risk of it being discovered and removed.

ReasonLabs said they are still researching the origins of the miner, but noted that they constantly see miners disguised as common programs, files of interest, popular apps, content tied to current events, and more.

“Miners have become very popular in recent years because it’s easy money, and attackers try to hit as many people as possible – by any means possible, including tricking users into downloading files that aren’t what they appear to be,” ReasonLabs told ZDNet.
