News Fake Movie File Infects PC to Steal Cryptocurrency, Poison...

Fake Movie File Infects PC to Steal Cryptocurrency, Poison Google Results

-

- Advertisment -

Fake Movie File Infects PC to Steal Cryptocurrency, Poison Google Results

A malicious Windows shortcut file posing as a movie via The Pirate Bay torrent tracker can trigger a chain of mischievous activities on your computer, like injecting content from the attacker into high-profile web sites such as Wikipedia, Google and Yandex Search or by stealing cryptocurrency.

Malware on TPB is not a new thing, but the method used to infect a victim’s computer and the large amount of varied malicious activities discovered by BleepingComputer are quite interesting.

Not the kind of entertainment for a movie fan

It started when security researcher 0xffff0800 found a nasty surprise in the files for the movie The Girl in the Spider’s Web (official trailer – it’s a hacker movie) downloaded from TPB. At that time, the movie had 2,375 seeders.

Instead of a video file, he found a .LNK shortcut that executed a PowerShell command. The icon of the file attracted his attention, so he ran it through VirusTotal antivirus scanning service.

Fake Movie File Infects PC to Steal Cryptocurrency, Poison Google Results

The results returned a low detection rate and indicated a sample of CozyBear, a piece of malware used by an advanced threat actor known by the same name and a few others (APT29, CozyDuke, CozyCar, Grizzly Bear). The group was discovered in 2015 and is still active, targeting Windows platforms.

Fake Movie File Infects PC to Steal Cryptocurrency, Poison Google Results

One of the infection methods still used by the group relies on a weaponized .LNK file that runs a PowerShell command and extracts a script from the shortcut file.

The CozyBear detection was a false one, though. Nick Carr, a member of the FireEye’s Advanced Practices Team, said that weaponized .LNK files are common in pirated content.

He pointed out that this practice became widespread ever since an IT engineer named Felix explained in an April 2017 blog post how to booby trap a shortcut file so it drops a payload.

The method had been used in attacks as early as 2013, but the beginning of 2017 saw a sharp increase in its adoption, revealed a report from Trend Micro in late May that year.

Web injects poison Google and Yandex search results

0xffff0800 shared online the sample of the malicious LNK he had found. A brief analysis conducted by BleepingComputer’s Lawrence Abrams indicates that the rabbit whole is deeper than initially thought.

What appeared to be an ad-injector into the main Google search page turned out to be only the tip of the iceberg.

Fake Movie File Infects PC to Steal Cryptocurrency, Poison Google Results

The malicious activity extends to other webpages, including Google and Yandex search results, and on Wikipedia entries. Another goal is to monitor web pages for Bitcoin and Ethereum wallet addresses and replaces them with others belonging to the attacker.

To do this, the malware modifies registry keys to disable Windows Defender protection if Microsoft’s antivirus is enabled. It also forcibly installs in Firefox an extension called ‘Firefox Protection’ and hijacks the Chrome extension called ‘Chrome Media Router’, with the ID “pkedcjkdefgpdelpbcmbmeomcjbeemfm.”

Immediately after the browser starts, the malware extension connects to a Firebase database and pulls in various settings along with JavaScript code to inject in various web pages. This is where the fun begins.

On a Google search results page the malware injects attacker-promoted search results as the top search results on the page. When running a query for ‘spyware’, for instance, the first two results pointed to websites that recommended a security solution called TotalAV.

Fake Movie File Infects PC to Steal Cryptocurrency, Poison Google Results

The first link in the picture above leads to an antivirus comparison website that places TotalAV as the best and most recommended product compared to more well-known products.

Fake Movie File Infects PC to Steal Cryptocurrency, Poison Google Results

Below you can see the script with the code and templates for altering returned results when running certain queries on Google and Yandex search engines.

Fake Movie File Infects PC to Steal Cryptocurrency, Poison Google Results

The web page injections occurs with other web sites and queries too and the extension includes code for various offers (torrent trackers or cryptocurrency) that get added to the Russian social networking website VKontakte, as can be seen in the image below.

Fake Movie File Infects PC to Steal Cryptocurrency, Poison Google Results

At least one of the above offers is for a torrent site that distributes other executables, such as a Yandex Search toolbar.

Donation scam on Wikipedia

If the victim goes to Wikipedia, the malware’s injection mechanism inserts a fake donation banner that states Wikipedia now accepts cryptocurrency donations and provides two cryptocurrency addresses to send “donate” to.

Fake Movie File Infects PC to Steal Cryptocurrency, Poison Google Results

One wallet is for Bitcoin and at the time of writing had $70 worth of cryptocurrency. The other is for Ethereum and had a balance of almost ETH 4.6, or about $600.

A third bitcoin wallet address was found in the scripts downloaded by the malware, with a balance of $13. This does not appear to be included in the Wikipedia donation scam.

Stealing cryptocurency

All three wallets are part of another malicious task, meant to replace a Bitcoin and Ethereum addresses found on web pages. This tactic does not show any sign that could alert the user of the trick. Because the wallets are a large string of random characters, most users will likely not notice the difference between what they expected to copy and the pasted result.

Fake Movie File Infects PC to Steal Cryptocurrency, Poison Google Results

A bungled command

When executed, the fake movie file will launch PowerShell command that runs a series of other commands that ultimately end by downloading a payload into the %AppData% folder. You can see the properties of the malicious shortcut below that contains the a portion of the PowerShell command.

Fake Movie File Properties
Fake Movie File Properties

The shortcut’s PowerShell connects to a a Command and Control (C2) server, which then redirects the connection to a a Pastebin location that contains a further PowerShell command to execute.

This activity has also been described by 0xffff0800 in a Twitter thread yesterday:

PowerShell Command found in Shortcut
PowerShell Command found in Shortcut

The command above is obfuscated, but will connect to the site http://klis.icu/1, which then redirects to https://pastebin.com/raw/GbDcvb9u. Further requests connect to  http://klis.icu/3 and then http://klis.icu/2, all of which redirect to a pastebin, which contain further PowerShell commands to execute.

Abrams noticed that two hidden executable files were dropped into the C:Program Files (x86)SmartData folder. Although they have different names (‘servicer.exe’ and ‘performer.exe’), they are one and the same.

An attempt to add ‘servicer.exe’ as a service named “Smart Monitoring” was observed during the analysis. However, the cybercriminal botched this step by failing to write the command properly.

Instead of using the command below, with the appropriate spacing after the equals sign,

sc create "Smart Monitoring" binpath= "C:Program Files (x86)SmartDataservicer.exe /srv" start= auto displayname= "Smart Monitoring"

they used it without spacing:

sc create "Smart Monitoring" binpath="C:Program Files (x86)SmartDataservicer.exe /srv" start=auto displayname="Smart Monitoring"

While this did not prevent the malicious extensions from being installed, it no longer had persistence due to its failure to install the service properly.

Be warned that getting movies from torrent trackers can get you more than a few hours of entertainment as malware could lurk in the accompanying files and stay with you for much longer.



Source link

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Latest news

Why could GLBrain become a great solution to receive support during the crisis?

To support smaller and medium-sized businesses during the ongoing crisis, GLBrain offers services cost-free for all Austrians....

Make Fast and Secure Trades Using Bitengo.io

Bitengo.io is a Cryptocurrency trading platform that allows users to buy and sell their Cryptocurrency in a...

Network Security Using Cryptography: Everything you need to know

This article will describe what is Network Security Using Cryptography and everything you need to know before...

Mercuriex Cryptocurrency Exchange Launches New Utility Token, SURF

MercuriEx Cryptocurrency Exchange, originally developed in 2017, came under new ownership in December 2019. Since taking over the exchange,...
- Advertisement -Fake Movie File Infects PC to Steal Cryptocurrency, Poison Google Results

Fungibility: Bitcoin Mixers Favorite Term That No One Understands

Fungibility, perhaps the most important concept when dealing with a decentralized and anonymous currency, but does bitcoin...

Crypto can’t thrive in the real world – but stablecoins can

We can safely say that the hype about cryptocurrencies is pretty much over. The claims of Bitcoin...

Must read

Make Fast and Secure Trades Using Bitengo.io

Bitengo.io is a Cryptocurrency trading platform that...
- Advertisement -Fake Movie File Infects PC to Steal Cryptocurrency, Poison Google ResultsFake Movie File Infects PC to Steal Cryptocurrency, Poison Google Results

You might also likeRELATED
Recommended to you