Cybersecurity researchers at ReasonLabs warned that a pirated copy of ‘Spider-Man: No Way Home’ circulating on peer-to-peer sharing sites was laced with torrent malware.
The team explained that the Spider-Man malware was a new version of a known persistent Monero crypto miner that had previously been disguised as popular apps such as Windows Updater and the Discord app.
According to the researchers, the malware employs several cloaking techniques to evade security products while running persistently on infected devices.
Although they were unable to determine how many users had downloaded the torrent, they suggested that the malware had been in circulation for quite some time.
Spider-Man crypto miner is absent from most virus databases
Researchers at ReasonLabs said they discovered the Spider-Man torrent malware after one of their users downloaded the infected file, which their product flagged as malware.
They attributed the detection to their extensive malware database, which lets them flag threats and check them against other databases such as VirusTotal.
However, they noticed that the Spider-Man torrent malware, which was unsigned and written in .NET, was absent from VirusTotal and did not match any known suspicious files.
“The file is identified as ‘Spiderman_net_putidomoi.torrent.exe’, which translates from Russian as ‘Spiderman_no_wayhome.torrent.exe’. The source of the file is probably from a Russian torrent website.”
Spider-Man torrent malware adds exclusions to Microsoft Defender, injects itself into svchost.exe
Researchers noted that the Spider-Man torrent malware tries to disguise its malicious nature by creating files and processes with legitimate-looking names. The strategy allows the crypto miner to run in the background without raising suspicion.
Additionally, the torrent malware claims to originate from Google, creates the files sihost64.exe and WR64.sys, unpacks a compressed payload at runtime, injects its contents into the svchost.exe process, and adds exclusions to Microsoft Defender. The crypto miner also creates a “watchdog process” that kills any other running copy of its components so that only one instance is active.
The torrent malware also hides function names and strings using base64 encoding. Despite this, the researchers determined that the crypto miner was a variant of SilentXMRMiner.
Although the crypto miner does not steal users’ information, it consumes the computer’s CPU and power, drastically slowing down the device and increasing the electricity bill.
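As an added triage example (mine, not from ReasonLabs’ report or this article), the following PowerShell checks a Windows host for the traces described above: Microsoft Defender exclusions, the sihost64.exe and WR64.sys artifacts, and svchost.exe instances with an unexpected parent or image path. The file names come from the report; the search roots and the rule that services.exe is the only legitimate parent of svchost.exe are my assumptions. Run it from an elevated session.

```powershell
# Added triage script (not from ReasonLabs or the article). Run elevated.
# Artifact names (sihost64.exe, WR64.sys, svchost.exe injection, Defender
# exclusions) come from the report; search roots and parent rules are assumed.

# 1. Defender exclusions: anything listed here is never scanned, so every entry
#    should be explainable. A miner that adds its own paths leaves them behind.
$pref = Get-MpPreference
Write-Host '== Microsoft Defender exclusions =='
$pref.ExclusionPath      | ForEach-Object { Write-Host "  Path:      $_" }
$pref.ExclusionProcess   | ForEach-Object { Write-Host "  Process:   $_" }
$pref.ExclusionExtension | ForEach-Object { Write-Host "  Extension: $_" }

# 2. Dropped files. sihost.exe (Shell Infrastructure Host) is a real Windows
#    binary in System32; sihost64.exe is not, and WR64.sys is not a Windows driver.
$suspectNames = @('sihost64.exe', 'WR64.sys')
$roots = @($env:SystemRoot, $env:ProgramData, $env:APPDATA, $env:LOCALAPPDATA, $env:TEMP) |
    Select-Object -Unique
Write-Host '== File artifacts =='
foreach ($root in $roots) {
    Get-ChildItem -Path $root -Recurse -File -Include $suspectNames -ErrorAction SilentlyContinue |
        ForEach-Object { Write-Host "  $($_.FullName)  $($_.Length) bytes  modified $($_.LastWriteTime)" }
}

# 3. Processes. Flag a running sihost64.exe outright, and any svchost.exe whose
#    parent is not services.exe or whose image is not System32\svchost.exe.
Write-Host '== Processes =='
$procs = Get-CimInstance -ClassName Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }
$svchostPath = Join-Path $env:SystemRoot 'System32\svchost.exe'

foreach ($p in $procs) {
    if ($p.Name -ieq 'sihost64.exe') {
        Write-Host "  SUSPICIOUS $($p.Name) pid=$($p.ProcessId) path=$($p.ExecutablePath)"
        Write-Host "             cmd=$($p.CommandLine)"
        continue
    }
    if ($p.Name -ieq 'svchost.exe') {
        $parent     = $byPid[[int]$p.ParentProcessId]
        $parentName = if ($parent) { $parent.Name } else { '<exited>' }
        $badParent  = $parentName -ine 'services.exe'
        $badPath    = $p.ExecutablePath -and ($p.ExecutablePath -ine $svchostPath)
        if ($badParent -or $badPath) {
            Write-Host "  SUSPICIOUS svchost.exe pid=$($p.ProcessId) parent=$parentName path=$($p.ExecutablePath)"
        }
    }
}

# 4. Code injected into a legitimate svchost.exe changes neither its parent nor
#    its path, so also look at who is burning CPU: a miner makes one stand out.
Write-Host '== Top svchost.exe by CPU seconds =='
Get-Process -Name svchost -ErrorAction SilentlyContinue |
    Sort-Object -Property CPU -Descending |
    Select-Object -First 5 -Property Id, CPU, StartTime, @{n='Threads'; e={ $_.Threads.Count }} |
    Format-Table -AutoSize
```

Treat hits as leads, not verdicts. The parent and path checks only catch a dropped or relocated svchost.exe; a payload injected into a genuine service host keeps the legitimate image, parent and signature, which is why the CPU ranking and the Defender exclusion list matter more. The exclusions are the most durable artifact here, since the miner has to leave them in place to keep running unscanned.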
Sean Nikkel, senior cyber threat intel analyst at Digital Shadows, said that hiding crypto miners in the Spider-Man movie archive or other popular multimedia files was an old tactic carried over from peer-to-peer file-sharing sites around the world.
“There are probably many Gen Xers and Millennials who remember the days of downloading random files from strangers on Kazaa and LimeWire looking for free or rare MP3 or video files and ending up with a Trojan or similar evil.”
Jasmine Henry, director of field security at JupiterOne, recommended that organizations educate their employees on their file-download policy.
“Security teams should review their acceptable use policies and periodically remind employees that illegal peer-to-peer file sharing at home or on work devices carries some pretty nasty security risks.”
Researchers at ReasonLabs advise users to check file extensions when downloading content online to make sure the extension matches the content type. For example, a movie file should end in “.mp4”, not “.exe”.
Windows users can make real file extensions visible by opening a folder in File Explorer, clicking “View” and checking the “File name extensions” box. With extensions hidden, threat actors can append a bogus extension to the file name so that an executable displays as if it were a media file, misleading users.
They also advise gathering information about a file and thinking twice before double-clicking it.
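As an added example (mine, not ReasonLabs’ or the article’s), the following PowerShell does the two things the advice above asks for: it turns on Explorer’s “File name extensions” setting by writing the registry value behind that checkbox, and it scans a download folder for names whose last extension is executable while an inner extension pretends to be media or a torrent. It goes slightly beyond the article by also flagging the Unicode right-to-left override character, another way a name can be made to display a false extension. The folder path and the extension lists are assumptions.

```powershell
# Added example (not from the article or ReasonLabs). Folder path, extension
# lists and the extra right-to-left-override check are my assumptions.

# 1. The "File name extensions" checkbox in Explorer's View tab is stored here.
#    HideFileExt = 1 hides extensions (Windows default), 0 shows them.
$advKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$hide = (Get-ItemProperty -Path $advKey -Name HideFileExt -ErrorAction SilentlyContinue).HideFileExt
if ($hide -ne 0) {
    Set-ItemProperty -Path $advKey -Name HideFileExt -Value 0 -Type DWord
    Write-Host "HideFileExt was '$hide', now 0. Open a new Explorer window (or restart explorer.exe) to see it."
} else {
    Write-Host 'Extensions are already visible (HideFileExt = 0).'
}

# 2. Windows runs a file according to its LAST extension, so "movie.mp4.exe"
#    is a program no matter what the name suggests. Flag that pattern.
$execExt    = @('.exe', '.scr', '.com', '.pif', '.bat', '.cmd', '.ps1', '.vbs', '.js', '.jse', '.wsf', '.hta', '.msi', '.lnk')
$contentExt = @('.mp4', '.mkv', '.avi', '.mov', '.mp3', '.flac', '.srt', '.torrent', '.pdf', '.zip', '.rar', '.7z')

function Test-DisguisedExecutable {
    param([Parameter(Mandatory)][string]$Name)

    # U+202E (RIGHT-TO-LEFT OVERRIDE) reverses the display of what follows it,
    # so "report[U+202E]fdp.exe" is rendered on screen as "reportexe.pdf".
    if ($Name.IndexOf([char]0x202E) -ge 0) {
        return 'right-to-left override character in name'
    }
    $last = [System.IO.Path]::GetExtension($Name).ToLowerInvariant()
    if ($last -notin $execExt) { return $null }          # not executable: nothing to report

    $stem  = [System.IO.Path]::GetFileNameWithoutExtension($Name)
    $inner = [System.IO.Path]::GetExtension($stem).ToLowerInvariant()
    if ($inner -in $contentExt) {
        return "double extension: '$inner' is decoration, '$last' is what runs"
    }
    return "executable file ($last) in a download folder"
}

# 3. Scan a folder. Anything reported deserves a second look before a double-click.
$folder = Join-Path $env:USERPROFILE 'Downloads'       # assumed location
Get-ChildItem -Path $folder -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    $why = Test-DisguisedExecutable -Name $_.Name
    if ($why) { Write-Host ("{0,-55} {1}" -f $_.Name, $why) }
}

# Constructed names (not real files) exercising the rules, including the one from the report.
foreach ($n in @('Spiderman_net_putidomoi.torrent.exe', 'No.Way.Home.1080p.mp4', 'trailer.mp4.scr')) {
    Write-Host ("{0,-55} {1}" -f $n, (Test-DisguisedExecutable -Name $n))
}
```

Two caveats: the registry value lives under HKCU, so it only affects the current user, and Windows never displays the extension of .lnk shortcut files regardless of this setting, so a shortcut named “movie.mp4.lnk” still shows as “movie.mp4”. That is why the scan checks the real name on disk rather than what Explorer renders.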
“We recommend taking extra care when downloading content from any kind of unofficial source, be it a document in an email from an unknown sender, a cracked program from a suspicious download portal, or a file from a torrent download,” the researchers wrote.
ReasonLabs also noted that threat actors were increasingly disguising crypto miners as popular apps or files, tricking many users into downloading them to gain more victims.
Jake Williams, co-founder and CTO of BreachQuest, noted that crypto miners are an easy way for criminals to monetize an infection, making them the preferred payload for many criminals.
“Threat actors have long used torrents as a malware distribution mechanism, in fact long before crypto miners existed,” Williams said. “A trojanized torrent does not benefit the threat actor if no one downloads it, so we should expect that threat actors continue to take advantage of the latest developments.”
Tim Wade, technical director of Vectra’s CTO team, suggested that crypto miners were more attractive to less experienced criminals.
“Spreading malicious payloads as a small additional bonus across illegitimate media-sharing services has been a time-honored tradition for as long as I can remember. The fact that today’s soup includes crypto miners is just a reflection of the current monetization preferences of today’s unseen.”