Hackers using famous movies to spread malware through torrents

Recently downloaded “John Wick 3” or “Contagion” through a torrent? It may be malware, Microsoft warns.


There are websites like The Pirate Bay and its alternatives that are known for providing quality torrent files, but there are also prominent torrent uploaders like CracksNow who have been caught distributing GandCrab ransomware through torrent files.


Now, once again, movie buffs must exercise caution when downloading their favorite new movies from torrent sites, as Microsoft’s Security Intelligence researchers have identified an active campaign in which coin-mining malware is injected into movie torrents.


What’s rather unusual about this campaign is that torrent users in South America, Chile, Mexico, and Spain are the primary targets, while US movie piracy platforms are safe for now.


Microsoft issued a warning on its Twitter handle that read:

“With lockdown still in place in many parts of the world, attackers are paying attention to the increase in the use of pirate streaming services and torrent downloads. We saw an active coin miner campaign that inserts a malicious VBScript into ZIP files posing as movie downloads.”

The malware isn’t limited to John Wick 3 and Contagion, but these are the most downloaded ones so far. Other movie torrents infected with the malicious payload include Spanish movies.


Researchers claim that the attackers have embedded a VBScript in the movie’s ZIP folder, and the ZIP files are titled according to the movie, such as John_Wick_3_Parabellum and contagio-1080p.


When a user clicks on the movie’s ZIP folder, the malicious VBScript launches and executes a command to download additional components. Among the new components is an AutoIT script that decrypts a second-stage DLL (Dynamic Link Library). The DLL is decoded to inject coin-mining code directly into the device’s memory.
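A defender can catch the first stage of this chain before anything runs by checking what an archive that claims to be a movie actually contains. The following is an added example, not code from Microsoft or from the original article; the extension lists, the function names and the sample archives are assumptions constructed for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumed triage lists (not taken from the Microsoft report).
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".ps1",
               ".bat", ".cmd", ".lnk", ".scr", ".exe", ".au3", ".a3x"}
VIDEO_EXTS = {".mp4", ".mkv", ".avi", ".mov", ".wmv"}


def triage_movie_zip(data: bytes) -> dict:
    """Flag script members in a ZIP that is supposed to hold a movie."""
    scripts, videos = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Windows path normalization drops trailing dots and spaces,
            # so strip them before reading the extension.
            clean = info.filename.rstrip(". ").lower()
            ext = PurePosixPath(clean).suffix  # last suffix: "a.mp4.vbs" -> ".vbs"
            if ext in SCRIPT_EXTS:
                scripts.append(info.filename)
            elif ext in VIDEO_EXTS:
                videos.append(info.filename)
    reasons = []
    if scripts:
        reasons.append("script or executable member")
    if not videos:
        reasons.append("no video file in archive")
    return {"scripts": scripts, "videos": videos,
            "reasons": reasons, "suspicious": bool(scripts)}


def build_zip(members: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed samples: harmless placeholder bytes, names modelled on the lure titles.
LURE = build_zip({"John_Wick_3_Parabellum.vbs": b"' placeholder, not a real script"})
CLEAN = build_zip({"movie/film.mkv": b"\x00" * 16, "movie/film.srt": b"1\n"})

if __name__ == "__main__":
    for label, blob in (("lure", LURE), ("clean", CLEAN)):
        print(label, triage_movie_zip(blob))
```

The same check can run at a mail or web gateway, or as a pre-extraction step on an endpoint, since it only reads the archive's directory and never unpacks or executes a member.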



The attackers haven’t left a trace as yet, which is why their identities still remain hidden. The campaign was discovered on April 11, and initially, it appeared in bootleg film files. 


According to Microsoft’s analysis, attackers are trying to use old techniques to benefit from the COVID-19 pandemic, as people are forced to stay home and visits to movie torrent sites have spiked in the past two months.


Piracy-monitoring firm Muso reports that there has been a 50% increase in the use of movie torrents in Spain during lockdown, while other countries, including the USA, have reported a 40% increase. Unsurprisingly, this gives the attackers a perfect opportunity to use popular movies as a lure to make some profits.


Source: Paper.li
