Recently downloaded “John Wick 3” or “Contagion” through a torrent? It may be malware, Microsoft warns.
Websites such as The Pirate Bay and its alternatives are known for providing quality torrent files, but prominent torrent uploaders such as CracksNow have been caught distributing GandCrab ransomware through torrent files.
Now, once again, movie buffs must exercise caution while downloading their favorite new movies via torrent sites as Microsoft’s Security Intelligence researchers have identified an active campaign in which coin-mining malware is injected in movie torrents.
What’s rather unusual about this campaign is that torrent users in South America, Chile, Mexico, and Spain are the primary targets and US movie piracy platforms are safe for now.
Microsoft issued a warning on its Twitter handle that read:
“With lockdown still in place in many parts of the world, attackers are paying attention to the increase in the use of pirate streaming services and torrent downloads. We saw an active coin miner campaign that inserts a malicious VBScript into ZIP files posing as movie downloads.”
The malware isn’t limited to John Wick 3 and Contagion, but these are the most downloaded ones so far. Other movie torrents infected with the malicious payload include Spanish movies.
Researchers claim that the attackers have embedded a VBScript in the movie’s ZIP folder, and the ZIP files are titled according to the movie, such as John_Wick_3_Parabellum and contagio-1080p.
When a user clicks on the movie’s ZIP folder, the malicious VBScript launches and executes a command to download additional components. One of the new components is an AutoIt script that decrypts a second-stage DLL (Dynamic Link Library). The DLL is then decoded and injects coin-mining code directly into the device’s memory.
The use of torrent downloads is consistent with our observation that attackers are repurposing old techniques to take advantage of the current crisis. Behavior-based protections detect this VBScript threat.
— Microsoft Threat Intelligence (@MsftSecIntel) April 28, 2020
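A static triage check for the lure described above, a ZIP named like a movie that actually carries a script, can be sketched as follows. This is an added example, not code from Microsoft or the original article; the extension lists are assumptions, and the sample archives are constructed in memory with harmless placeholder content.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumed lists: extensions Windows runs or hands to a script host on double-click.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta",
               ".ps1", ".bat", ".cmd", ".lnk", ".au3", ".a3x"}
BINARY_EXTS = {".exe", ".scr", ".dll", ".com", ".msi"}
MEDIA_EXTS = {".mp4", ".mkv", ".avi", ".mov", ".wmv", ".srt"}  # video and subtitles

def triage_zip(data: bytes) -> dict:
    """Classify the members of a ZIP that claims to be a movie download."""
    findings = {"scripts": [], "binaries": [], "double_ext": [], "media": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Member names use "/" separators; normalise stray "\" as well.
            path = PurePosixPath(info.filename.replace("\\", "/"))
            suffixes = [s.lower() for s in path.suffixes]
            last = suffixes[-1] if suffixes else ""
            if last in SCRIPT_EXTS:
                findings["scripts"].append(info.filename)
            elif last in BINARY_EXTS:
                findings["binaries"].append(info.filename)
            elif last in MEDIA_EXTS:
                findings["media"].append(info.filename)
            # "movie.mp4.vbs": a media extension used as a decoy before the real one.
            if len(suffixes) > 1 and suffixes[-2] in MEDIA_EXTS and last not in MEDIA_EXTS:
                findings["double_ext"].append(info.filename)
    executable = findings["scripts"] or findings["binaries"]
    findings["verdict"] = "suspicious" if executable else "no executable content"
    return findings

def _build_zip(members: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()

# Constructed samples: folder names follow the article, member names are made up.
LURE = _build_zip({"John_Wick_3_Parabellum/John_Wick_3.mp4.vbs": b"' placeholder"})
CLEAN = _build_zip({"contagio-1080p/contagio.mkv": b"\x00", "contagio-1080p/es.srt": b"1"})
```

A name-based check like this only triages archives before they are opened; it complements, and does not replace, the behavior-based detection mentioned in the tweet.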
The attackers haven’t left a trace as yet, which is why their identities still remain hidden. The campaign was discovered on April 11, and initially, it appeared in bootleg film files.
As per Microsoft’s analysis, attackers are trying to use old techniques to benefit from the COVID-19 pandemic, as people are forced to stay home and visits to movie torrent sites have spiked in the past two months.
Piracy-monitoring firm Muso reports that there has been a 50% increase in the use of movie torrents in Spain during lockdown, while other countries, including the USA, have reported a 40% increase. Unsurprisingly, this gives the attackers a perfect opportunity to use popular movies as a lure to make some profits.