Malware attributed to a Russian state-backed group, planted in a movie torrent on The Pirate Bay, is being used to steal cryptocurrency, inject fake content into victims’ browsers and even divert Wikipedia donations to the attackers, Bleeping Computer reports.
The malicious file was discovered by security researcher 0xffff0800 in a torrent of the movie “The Girl in the Spider’s Web” downloaded from The Pirate Bay, a popular index of BitTorrent files (“torrents”), many of which are pirated.
The site is a popular place for the computer savvy to obtain content without having to pay.
BitTorrent splits a file into pieces that many users (“peers”) exchange among themselves, so no single server hosts the complete file and the distribution is hard to block or take down.
For example, at the time the infection was detected, the torrent in question had 2,375 “seeders”, users holding the complete file and uploading it to others.
Noticing that one of the files in the torrent had an unusual icon, 0xffff0800 “ran it through the VirusTotal antivirus scanning service” and determined that the file contained:
“…a sample of CozyBear, a piece of malware used by an advanced threat actor known by the same name and a few others (APT29, CozyDuke, CozyCar, Grizzly Bear). The group was discovered in 2015 and is still active, targeting Windows platforms.”
According to CrowdStrike, Cozy Bear works on behalf of Russian intelligence and:
“…is the adversary group that last year successfully infiltrated the unclassified networks of the White House, State Department, and US Joint Chiefs of Staff. In addition to the US government, they have targeted organizations across the Defense, Energy, Extractive, Financial, Insurance, Legal, Manufacturing, Media, Think Tanks, Pharmaceutical, Research and Technology industries, along with Universities. Victims have also been observed in Western Europe, Brazil, China, Japan, Mexico, New Zealand, South Korea, Turkey and Central Asian countries.”
CrowdStrike and others say Cozy Bear favours broad spearphishing campaigns, then returns to the most promising infected machines to exploit them further:
“COZY BEAR’s preferred intrusion method is a broadly targeted spearphish campaign that typically includes web links to a malicious dropper.”
Once the malicious file has run on a victim’s system, it injects content into web pages the victim visits and swaps any Bitcoin or Ethereum wallet addresses displayed on them for addresses controlled by the attacker, so that payments the victim makes are redirected:
“The malicious activity extends to other web pages, including Google and Yandex search results, and on Wikipedia entries. Another goal is to monitor web pages for Bitcoin and Ethereum wallet addresses and replace them with others belonging to the attacker.”
The malware also:
- “disable(s) Windows Defender protection if Microsoft’s antivirus is enabled”
- “forcibly installs in Firefox an extension called ‘Firefox Protection’” (a fake protection add-on)
- “injects attacker-promoted search results as the top search results on (Google search page)…When running a query for ‘spyware’, for instance, the first two results pointed to websites that recommended a security solution called TotalAV.”
The injected content also includes “…code for various offers (torrent trackers or cryptocurrency) that get added to the Russian social networking website VKontakte.”
The malware also injects a fake banner stating that Wikipedia now accepts cryptocurrency donations, and collects whatever is sent to the addresses it lists:
“If the victim goes to Wikipedia, the malware’s injection mechanism inserts a fake donation banner that states Wikipedia now accepts cryptocurrency donations and provides two cryptocurrency addresses to ‘donate’ to.”
Bleeping Computer checked those wallets and found only small amounts of cryptocurrency in them at the time of writing.
Bleeping Computer author Ionut Ilascu ends by cautioning people about pirated torrent files:
“Be warned that getting movies from torrent trackers can get you more than a few hours of entertainment as malware could lurk in the accompanying files and stay with you for much longer.”