Pirate streaming services and movie piracy sites have seen a huge surge of incoming traffic during the COVID-19 pandemic with most people now having to stay inside due to shelter in place and lockdown orders.
Microsoft warns that malicious actors are taking advantage of this trend trying to infect potential victims with malware delivered via fake movie torrents.
“With lockdown still in place in many parts of the world, attackers are paying attention to the increase in use of pirate streaming services and torrent downloads,” the Microsoft Security Intelligence team said.
“We saw an active coin miner campaign that inserts a malicious VBScript into ZIP files posing as movie downloads.”
Fake movies dropping coinminers into memory
The attackers behind this campaign are primarily targeting home users to enterprises from Spain and some South American countries with the end goal of launching a coinminer directly into the compromised devices’ memory.
The malicious VBScript is camouflaged as popular Hollywood movies such as John Wick: Chapter 3 – Parabellum, and it is delivered using file names such as “John_Wick_3_Parabellum,” and “contagio-1080p,” as well as Spanish titles “Punales_por_la_espalda_BluRay_1080p,” “La_hija_de_un_ladron,” and “Lo-dejo-cuando-quiera.”
After the targets launch the VBScript on their computers, it will download additional malicious payloads in the background by abusing living-off-the-land binaries (LOLbins) such as the legitimate command-line BITSAdmin tool.
One of these additional malware components is an AutoIT script that decodes a second-stage DLL into the infected computer’s memory, which will then reflectively load a third DLL that injects coin-mining code into a notepad.exe process through process hollowing.
“The use of torrent downloads is consistent with our observation that attackers are repurposing old techniques to take advantage of the current crisis,” Microsoft added.
The VBScript runs a command line that uses BITSAdmin to download more components, including an AutoIT script, which decodes a second-stage DLL. The in-memory DLL then injects a coin-mining code into notepad.exe through process hollowing.
— Microsoft Security Intelligence (@MsftSecIntel) April 28, 2020
Oscar-nominated movies also used as phishing baits
Attackers were also exploiting the hype surrounding this year’s Oscar Best Picture nominated movies in February as lures designed to help them infect fans with malware and to bait them to phishing landing pages that would harvest their financial and personal info.
This is nothing new, however, as high-profile movies and TV shows are frequently used as social engineering baits promising early previews either in the form of malicious files disguised as early released copies or fake streaming sites.
Kaspersky researchers who discovered those phishing attacks “found more than 20 phishing websites and 925 malicious files that were presented as free movies, only to attack the user.”
“However, as they always prey on something when it becomes a hot trend, they depend on users’ demand and actual file availability,” the researchers added at the time.
“To avoid being tricked by criminals, stick to legal streaming platforms and subscriptions to ensure you can enjoy a nice evening in front of the TV without having to worry about any threats.”