The plans of the security researcher under with the twitter username 0xffff0800 to spend a relaxing movie night at home did not turn out as he expected since after downloading a movie from a torrent uploaded to The Pirate Bay, he found a new (and interesting) type of malware that almost infects his computer.
Did I almost get infected from a new CozyBear Sample?! I was downloading a new movie that I have been waiting for awhile for a HD version.. So Today a promising looking one got uploaded today. So I went and downloaded it and scanned for malware with two engines.. Nothing came up.
— 0xffff0800 (@0xffff0800) January 11, 2019
So once I downloaded and thought it looked weird due to the icon of the download AVI.. I through it in a Hex Editor, and oh.. There is some kind of powershell.. WTF? Put it through Virustotal.. and what do you know! CozyBear putting droppers in Hacker Movies Now?! pic.twitter.com/o0yU7HWCtX
— 0xffff0800 (@0xffff0800) January 11, 2019
The film downloaded by the expert was a copy of “The Girl in the Spider’s Web” a film -ironically- with a hacker thematic. Instead of containing the movie, the folder had a file with the name of the movie and a .lnk extension which, upon being opened, executed a malicious command that deployed an ad-injector on various search engines such as Google and Yandex (a very popular search portal in Russia and surrounding countries).
After detecting the threat, 0xffff0800 shared its finding on social networks and uploaded an example of the file for other fellow researchers to analyze. Apparently, one of the hobbies of this expert is “collecting” malware.
Picture of the sample itself, and here's the download for the sample from it all. Password: infected. hxxps://mega.nz/#!N80XUCza!rgQMgunzj8qHHlVDCypxBXNrNYa_ZE8oDk3LatADBwg enjoy. pic.twitter.com/waE9G4iPbu
— 0xffff0800 (@0xffff0800) January 11, 2019
People at Bleeping Computer took a closer look at the archive, and their findings were more surprising. The malware hid much more than it appeared to the naked eye.
The malicious activity extends to other web pages, including Google and Yandex search results, and on Wikipedia entries. Another goal is to monitor web pages for Bitcoin and Ethereum wallet addresses and replaces them with others belonging to the attacker.”
The main objective of attacking search engines is to affect the results to position in the first places of the results a series of web pages with “injected” ads.
However, the attackers were not only looking to make money out of ads. The group of hackers who programmed the malware also coded it in such a way that if the victim were to visit Wikipedia, the malware would insert a fake donation button showing two Bitcoin and Ethereum wallet addresses available for those willing to contribute to the encyclopedia. According to Bleeping Computer, the hackers had raised nearly $700 worth in crypto.
The use of malware is not new to the blockchain industry, over the past year, there has been a boom in the use of such tools to get money via stealth crypto mining. Monero (XMR) was the main blockchain used for this practice back in 2017 and 2018.
