A Monero miner was found hidden in a torrent download passed off as the new movie, Spider-Man: No Way Home.
A ReasonLabs blog post reported that the file is named spiderman_net_putidomoi.torrent.exe; the Russian "net puti domoi" translates to "no way home", so the name reads spiderman_no_way_home.torrent.exe. Because Windows hides known file extensions by default, the file shows up in Explorer as spiderman_net_putidomoi.torrent, which is exactly what a user expecting a torrent file would click.
Researchers believe the file most likely originated on a Russian torrent website. According to the researchers, the miner adds exclusions to Windows Defender so its files are not scanned, establishes persistence so it survives a reboot, and spawns a watchdog process that restarts the miner if it is killed.
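The three behaviours the researchers describe (Defender exclusions, persistence, a watchdog) are all things a responder can check for directly on a host. The script below is an added example written for this page, not ReasonLabs' code and not a detection for this specific sample. It assumes a Windows 10/11 host with the Defender PowerShell module and an elevated prompt (recent builds hide exclusion entries from non-administrators), and uses a deliberately simple heuristic: anything persisted from, or running out of, a user-writable directory is worth a look, because that is where a torrent-dropped executable normally lands.

```powershell
# Added example: audit a Windows host for Defender exclusions, persistence
# entries and watchdog-style process pairs. Not ReasonLabs' code; heuristic
# only. Assumes an elevated PowerShell session on Windows 10/11.

# 1. Defender exclusions. A miner that excludes its own path or process is
#    invisible to real-time scanning, so every entry needs an owner and a reason.
$pref = Get-MpPreference
$exclusions = @()
foreach ($p in $pref.ExclusionPath)      { $exclusions += [pscustomobject]@{ Type = 'Path';      Value = $p } }
foreach ($e in $pref.ExclusionExtension) { $exclusions += [pscustomobject]@{ Type = 'Extension'; Value = $e } }
foreach ($x in $pref.ExclusionProcess)   { $exclusions += [pscustomobject]@{ Type = 'Process';   Value = $x } }

# 2. Persistence: Run/RunOnce keys for machine and current user, plus scheduled tasks.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$autoruns = foreach ($k in $runKeys) {
    if (Test-Path $k) {
        $props = Get-ItemProperty -Path $k
        foreach ($name in $props.PSObject.Properties.Name) {
            if ($name -notmatch '^PS') {   # skip PowerShell's own PSPath/PSParentPath/... properties
                [pscustomobject]@{ Source = $k; Name = $name; Command = [string]$props.$name }
            }
        }
    }
}
$tasks = Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
    $t = $_
    foreach ($a in $t.Actions) {
        if ($a.Execute) {   # ComHandler actions have no Execute member
            [pscustomobject]@{ Source = "Task:$($t.TaskPath)$($t.TaskName)"; Name = $t.TaskName; Command = "$($a.Execute) $($a.Arguments)" }
        }
    }
}

# 3. Flag persistence that launches from user-writable locations.
$userWritable = '(?i)\\(AppData|Temp|Downloads|ProgramData|Public)\\'
$flagged = @(@($autoruns) + @($tasks) | Where-Object { $_.Command -match $userWritable })

# 4. Strongest signal: a flagged persistence entry whose command sits inside
#    a path that has also been excluded from Defender scanning.
$crossHits = @($flagged | Where-Object {
    $cmd = $_.Command
    @($exclusions | Where-Object { $_.Type -eq 'Path' -and $cmd -like "*$($_.Value)*" }).Count -gt 0
})

# 5. Watchdog heuristic: parent and child both running from user-writable paths.
$procs = Get-CimInstance Win32_Process | Select-Object ProcessId, ParentProcessId, Name, ExecutablePath
$byId = @{}
foreach ($p in $procs) { $byId[$p.ProcessId] = $p }
$watchdogs = @(foreach ($p in $procs) {
    $parent = $byId[$p.ParentProcessId]
    if ($parent -and $p.ExecutablePath -match $userWritable -and $parent.ExecutablePath -match $userWritable) {
        [pscustomobject]@{ Child = $p.Name; ChildPath = $p.ExecutablePath; Parent = $parent.Name; ParentPath = $parent.ExecutablePath }
    }
})

"== Defender exclusions ($($exclusions.Count)) =="
$exclusions | Format-Table -AutoSize
"== Persistence launched from user-writable paths ($($flagged.Count)) =="
$flagged | Format-Table -AutoSize
"== Persistence inside an excluded path ($($crossHits.Count)) =="
$crossHits | Format-Table -AutoSize
"== Process pairs both running from user-writable paths ($($watchdogs.Count)) =="
$watchdogs | Format-Table -AutoSize
```

The output is a triage list, not a verdict: legitimate software does persist from AppData and ProgramData, and some enterprise tools add their own exclusions. What should never appear on a clean workstation is the combination in section 4, a Run key or scheduled task pointing into a directory that has been excluded from scanning, and that is the line worth wiring into an endpoint query or a scheduled compliance check.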
Hiding a cryptominer or similar malware in an attractive file, like the new Spider-Man movie, is nothing new, said Sean Nikkel, senior cyber threat intelligence analyst at Digital Shadows. Nikkel said that there are many GenXers and Millennials who remember the days of downloading random files from strangers on Kazaa and Limewire in search of rare or free MP3 or video files and ended up with a Trojan or similar evil.
“Unfortunately, the tactic carried over to the world of torrents,” Nikkel said. “There have been many instances of people downloading the wrong file, thinking it was a popular movie, a TV show, or a new remix. While we are on the subject, the same is true of popular applications, such as those from Adobe, Microsoft, or specialized music programs that are often hacked. Sometimes the key generators themselves were malicious, or the applications are executables. There have been many office workers looking to take shortcuts or use familiar programs on their work computer. These users run the risk of downloading ‘free’ versions or versions hosted on faulty sites and end up getting burned.”
Jake Williams, co-founder and CTO of BreachQuest, added that threat actors have long used torrents as a malware distribution mechanism, in fact long before crypto miners emerged as a force. Williams said a trojanized torrent does not benefit the threat actor if no one downloads it, so threat actors will continue to capitalize on the latest developments.
“I remember seeing a wave of threat actors engaging victims with screen savers celebrating Whitney Houston’s career in the wake of her passing,” Williams said. “Since crypto miners are the easiest way for threat actors to withdraw money, it is not surprising that threat actors are using them as their malware payload of choice.”
Jasmine Henry, JupiterOne’s director of field security, said it has been extremely common for more than a decade for threat actors to attach crypto miners and other malware to popular torrent files.
“Security teams should review their acceptable use policies and periodically remind employees that illegal file sharing between peers at home or on work devices carries some pretty nasty security risks,” Henry said.