A malicious file capable of stealing cryptocurrencies was recently caught infiltrated as a movie torrent on The Pirate Bay torrent tracker.
The Windows shortcut that affects the mentioned operating system is a malware that apart from its ability to redirect cryptocurrency payments from the infected devices, can also trigger a chain of other mischievous actions on the victims' computers.
The Girl in the Spider's Web Just the Tip of the Iceberg
The hidden malware can be detected infiltrated as a torrent for the movie The Girl in the Spider's Web, which ironically is a film about a hacker, and it really only affects fast clickers and inexperienced users. The torrent at the time of its initial detection had over 2,000 seeders.
A security researcher going by the Twitter handle "@0xffff0800" was the one who discovered the file, after noticing that instead of a movie file, The Pirate Bay torrent carried an .LNK shortcut with a low detection rate.
He shared this with his followers on Twitter, and the discovery caught the attention of the media due to its unusual nature.
An analysis conducted by Lawrence Abrams from BleepingComputer shows that the malicious .LNK file is just the tip of the iceberg, and the problem is much more severe than initially thought.
Keep an Eye on Your Crypto Wallets
After installing the malware, its malicious movement extends to more than your device, including websites such as Wikipedia or your Google search results.
Namely, it injects a JavaScript code to some websites.
In Google's case, you will be tricked by getting fake attacker-promoted search results on the top of the list.
According to research done by Advanced Web Ranking, around 33 percent of the whole traffic on Google goes to the first article that appears in the results.
Therefore, your chances of opening an ad put there by a malicious ad-injector are quite high.
When it comes to Wikipedia, the moment the victim visits the website, the malware inserts a fake banner for cryptocurrency donations and two addresses where people can "donate" their coins.
The banner asks for help from the readers in the form of donations to their "fundraiser" that helps the website cover its costs.
The malware also monitors websites for your cryptocurrency wallet addresses and then replaces them with others that belong to the person or people behind the attack.
That way, if the victim is not careful enough and does not check the address, the money will be transferred to a different one, therefore stealing cryptocurrency from the owner.
CozyBear Malware: A False Alarm?
Considering that the file is an .LNK shortcut, not a media file, the malware's ideal targets are users that click the torrents without checking them twice, or inexperienced ones that cannot differentiate the files.
According to BleepingComputer, these files are common in content that is pirated, such as files available on one of the most popular torrent trackers, The Pirate Bay.
The file targets only Windows devices, by disabling their Windows Defender.
The once-installed shortcut executes a PowerShell command that can't be detected by an antivirus easily.
According to the twit that 0xffff0800 posted, the malware showed a low to medium detection rate.
The virus scans, or at least those that could recognize the file as malicious, detected the CozyBear malware.
This malware is used by a group of Russian hackers that goes by the same name and was first seen back in 2008.
The group was even connected to a cyberattack targeting the U.S. Pentagon's email system. The CozyBear hackers use .LNK shortcuts in their attacks.
However, the CozyBear detection was a false one as Nick Carr, a member of the FireEye's Advanced Practices Team, replied to the Twitter thread that these weaponized .LNK files are a common occurrence lately.
Apparently, they've grown bigger in use ever since 2017 when an IT engineer explained in a blog post how these shortcuts can be used to drop a payload.
As a result of this, this particular type of attack grew much bigger in 2017, although they have been around since 2013.
