Beware of cryptominers when torrenting 'Spider-Man: No Way Home' | ZDNet

Cybersecurity firm ReasonLabs is warning enthusiastic "Spider-Man: No Way Home" fans to beware of crypto miners if they decide to torrent the movie instead of hitting theaters.

In a new report, the ReasonLabs research team says it found Monero miners attached to Russian torrent files for the new movie, which has brought in more than $750 million worldwide since it debuted last week.

The miner adds exclusions to Windows Defender, creates persistence and generates a watchdog process to maintain its activity, according to ReasonLabs.

"The malware is not signed or written in .NET and, as of this date, is not present in VirusTotal. The malware tries to prevent the eyes from examining, using 'legitimate' names for the files and processes it creates. We recommend being especially careful when downloading content from any kind of unofficial sources, be it a document in an email from an unknown sender, a decrypted program from a suspicious download portal or a file from a torrent download," the team explained.

"An easy precaution you can take is to always check that the file extension matches the file you expect; for example, in this case a movie file should end with '.mp4', not '.exe'. Try to collect information about the file, and always think twice before double-clicking it. To make sure you see the actual file extension, open a folder, go to 'View' and check 'File name extensions.' This will ensure you see the full file type."
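The two defensive points above (watch for Defender exclusions and persistence added by the miner, and make sure Explorer shows real file extensions) can be turned into a quick host audit. The following PowerShell script is an added example and is not code from the ZDNet article or from ReasonLabs; it assumes a Windows 10/11 host with Microsoft Defender, PowerShell 5.1 or later, and an elevated prompt, and the registry paths, cmdlets and the Downloads folder location are standard Windows ones, not values taken from the report.

```powershell
# Added example, not from the article or ReasonLabs. Defender-side audit of
# the indicators described in the report. Run from an elevated prompt.

# 1. Does Explorer hide known file extensions? (HideFileExt: 1 = hidden, 0 = shown)
#    With extensions hidden, a file named 'Movie.mp4.exe' displays as 'Movie.mp4'.
$advKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$hideExt = (Get-ItemProperty -Path $advKey -Name HideFileExt -ErrorAction SilentlyContinue).HideFileExt
if ($hideExt -ne 0) {
    Write-Warning "Explorer hides file extensions; enable 'File name extensions' under View."
    # To fix in place:  Set-ItemProperty -Path $advKey -Name HideFileExt -Value 0
} else {
    "File extensions are shown."
}

# 2. Defender exclusions. A miner that excludes its own paths or processes
#    shows up here; review every entry you did not add yourself.
$prefs = Get-MpPreference
foreach ($kind in 'ExclusionPath', 'ExclusionProcess', 'ExclusionExtension') {
    $items = $prefs.$kind
    if ($items) {
        "${kind}:"
        $items | ForEach-Object { "  $_" }
    } else {
        "${kind}: (none)"
    }
}

# 3. Persistence: list per-user and machine Run keys so an unexpected
#    'legitimate-looking' entry stands out.
foreach ($runKey in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run') {
    "Run entries in $runKey"
    Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue |
        Select-Object -Property * -ExcludeProperty PS* |
        Format-List
}

# 4. Downloaded files whose name imitates a media file but is executable,
#    e.g. 'Spider-Man.mp4.exe' or 'movie.mkv.scr'.
$mediaLike    = '\.(mp4|mkv|avi|mov|mp3)\.'
$executableExt = '.exe', '.scr', '.bat', '.cmd', '.msi', '.com'
Get-ChildItem -Path "$env:USERPROFILE\Downloads" -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $executableExt -contains $_.Extension.ToLower() -and $_.Name -match $mediaLike } |
    Select-Object FullName, Length, LastWriteTime
```

Steps 2 and 3 only report; deciding whether an exclusion or Run entry is legitimate still needs a human or an allow-list, because the report's point is that the miner deliberately picks plausible names. Step 4 matches on the double-extension pattern rather than on any specific malware name, so it catches the 'movie file that ends in .exe' case generically.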

The researchers added that although the malware does not compromise personal information, crypto miners cause other types of damage.

The extra electricity costs fall on the victims, and the researchers noted that the miner runs for long periods, consuming high CPU and slowing down the device.

When asked how they discovered the miner, the ReasonLabs team told ZDNet that they have amassed a large database of malware over the years that allows them to research its origins, mark it, and verify it against other databases such as VirusTotal.

One of its users downloaded this "Spider-Man: No Way Home" file and it was flagged in their database as a new threat.

They don't know how many times the file has been downloaded, but they pointed out that it has been around for some time.

"The Spiderman malware is actually a new 'edition' of a previously known malware that disguised itself as various popular apps in the past such as 'Windows Updater', 'Discord app' and now the Spiderman movie. This suggests that it has been downloaded a lot. No one else has identified this 'edition' of the malware," the team said.

BreachQuest CTO Jake Williams said that threat actors have used torrents as a malware distribution mechanism long before crypto miners existed.

"I remember seeing a wave of threat actors engaging victims with screensavers celebrating Whitney Houston's career after her passing. Given that crypto miners are the easiest way to collect for threat actors, it is not surprising that threat actors use them as their malware payload of choice," explained Williams.

Sean Nikkel of Digital Shadows pointed out that there are likely many Gen X and Millennials who remember the days of downloading random files from strangers on Kazaa and Limewire looking for rare or free MP3 or video files and ending up with a Trojan or a similar evil.

The tactic, he said, moved to the world of torrents. In addition to malware attached to popular movies or programs, the same is true of popular applications such as those from Adobe, Microsoft, or specialized music programs such as Ableton or Fruity Loops, which are often hacked.

"Sometimes the key generators themselves were malicious or executable from the application. There have been many office workers looking to take shortcuts or use programs they are familiar with on their work computer. These users run the risk of downloading 'free' versions or versions hosted on bad sites, and they end up being burned," said Nikkel.

Bugcrowd CTO Casey Ellis explained that, from the threat actor's perspective, using a delivery channel whose users are less likely to seek "technical support" if something appears to be wrong, or even to tell colleagues or family that their computer might be acting strangely, gives the attacker a higher chance that the malware will run in the first place and, once it does, a lower risk of it being discovered and removed.

ReasonLabs said that it is still investigating the origins of the miner, but noted that they constantly see miners deployed under the guise of common programs, files of interest, popular applications, current events, and so on.

"Miners have become very popular in recent years because it is easy money and attackers are trying to win as many victims as possible, in any way possible, even tricking users into downloading files that are not what they seem," ReasonLabs told ZDNet.
