‘Spider-Man: No Way Home’ Download Installs Cryptominer

silversurfer

Global buzz around the release of Spider-Man: No Way Home is making tons of online noise – an ideal environment for cybercriminals to spread a Monero cryptominer disguised as a download of the newly released film.

A torrent download of Spider-Man: No Way Home is circulating, infected with a persistent Monero cryptominer, according to a new alert from ReasonLabs.

The file was flagged by a user and didn’t match any other known suspicious files in their database, the report said.

Although the researchers haven’t pinpointed how many times the miner has been downloaded, their hunch is that it’s been around for a while, they explained in a statement.

“The Spiderman malware is actually a new ‘edition’ of a previously known malware that was disguised as various popular apps in the past such as ‘windows updater,’ ‘discord app,’ and now the Spiderman movie,” the ReasonLabs teams explained in a Thursday report. “This suggests that it’s been downloaded a lot.” They added that as of yet, no one has identified this malware edition.
 

Andy Ful

I didn't like the "and is capable of adding exclusions to Windows Defender. It also adds a “watchdog process” for persistence."
That could be something for @Andy Ful to play with :D
Yes, it is a very sensible malware that can attack home users. I will examine it in the SWH thread.:)(y)
 

Andy Ful

I played the Spider-Man: No Way Home movie downloaded from the net but KIS and WiseVectorX never beep for cryptominer

How to check for the cryptominer for the copy of my movie?
This malware is not a movie. It is an EXE file with the name of the torrent file of the movie. So, the AV can detect it (or cannot) just like any EXE malware. I am sure that it is not true that KIS and WiseVectorX never beep for crypto miners.:)(y)
 

cruelsister

I'm surprised that a big deal is made of this one. First off, I would hope that those downloading movies/songs, etc will at least look at the file extension. A movie with an exe extension should be a proper danger warning.

Second, this miner is certainly not very new or different. Personally I would think that the miner version used should at least come with a fake Microsoft certificate, like: VirusTotal

Just about ANY AV (even MB) will detect/delete the spawned processes and persistence entries that are spawned by the malware. In short, nothing to worry about.
 

Freki123

For me the wording of the article sounded that when you are unable to see that movie.exe is not a movie and execute the file that it will then add exclusions for MS Defender make itself persistent and all that while not being detected.
For me it read that it just bypassed MS detection while doing all that. That's why I found it interesting.
If it gets detected then it is a whole other story.
Since I'm not native in English I have the tendency to understand stuff sometimes in my own way that can be totally different from the rest of the readers :D
 

Andy Ful

Such malware is not a big deal for moderately cautious users, but it can be very successful when infecting happy-clickers. There are still many people who use torrents to download games and videos. They are highly motivated and they know that downloading videos or games by torrents is illegal in most countries (on the contrary to normal downloads). They can expect that Windows security or an AV can complain and show some alerts (which they do not understand).
From my experience, the miners that use legal code (this one is open source available on GitHub) can be undetected for several days.
The hash of this cryptojacking malware (e1550f24ae3e1cfdb8f35c693b2715ca5cc90d5b) is still absent on VirusTotal.

Edit.
When attacking home users for profit, the cryptojacking is much more sensible than ransomware attacks. Of course, it is also profitable when attacking Enterprises, schools, universities, etc.
 

Freud2004

It's hard to believe that you don't see the extension you are downloading.
But any decent antivirus will delete the infected file.

 
Local Host

There is no proper scene release for this movie, so will only affect casuals downloading from dubious websites anyway.

Those will surely fall for simple attacks like this, I won't comment on Windows Defender, not news to anyone.
 

Andy Ful

Those will surely fall for simple attacks like this, I won't comment on Windows Defender, not news to anyone.
But anyway, you could not hold back and this is the first time you might be right. :)(y)
Such users will be infected (rather sooner than later) when using Defender free on default settings.
 

Arequire

If downloading potentially dodgy content is a must, the ReasonLabs analysts recommended that users double-check the file extension to any movie file to make sure it ends with .mp4, rather than .exe.

“We recommend taking extra caution when downloading content of any kind from non-official sources ... a cracked program from a fishy download portal, or a file from a torrent download,” ReasonLabs advised.
I have to say, it baffles me that a cybersecurity company is advising using caution when downloading pirated material instead of advising against piracy in the first place.
 

Deletedmessiah

@Freud2004 Windows default install doesn't show "Filename extensions". So you can make an exe file that got a movie icon. The files below are exe's with no "filename extension" shown for more clarity.

I wonder why extensions aren't shown by default. I only see it causing security issues. Why does MS do it?
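
Because the displayed name and icon can hide an `.exe`, as discussed in the posts above, a download can be judged by its content instead. The following is an added example, not part of any post in this thread or of the ReasonLabs report; the extension lists, function names and sample files are constructed for illustration.

```python
import os
import struct
import tempfile

MEDIA_EXTS = {".mp4", ".mkv", ".avi", ".mov", ".torrent"}  # assumed lists,
EXEC_EXTS = {".exe", ".scr", ".com", ".pif"}               # extend as needed

def is_pe(path):
    """True if the file has an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    with open(path, "rb") as fh:
        head = fh.read(64)
        if len(head) < 64 or head[:2] != b"MZ":
            return False
        (e_lfanew,) = struct.unpack_from("<I", head, 0x3C)
        fh.seek(e_lfanew)
        return fh.read(4) == b"PE\0\0"

def classify(path):
    """Judge a download by content first, then by every dotted part of its name."""
    parts = os.path.basename(path).lower().split(".")
    exts = {"." + p for p in parts[1:]}
    last = "." + parts[-1] if len(parts) > 1 else ""
    looks_exec = is_pe(path) or last in EXEC_EXTS
    if looks_exec and exts & MEDIA_EXTS:
        return "disguised-executable"  # media name, executable content or suffix
    return "executable" if looks_exec else "ok"

def scan(folder):
    """Return {relative path: verdict} for every file that is not 'ok'."""
    hits = {}
    for root, _dirs, files in os.walk(folder):
        for name in files:
            verdict = classify(os.path.join(root, name))
            if verdict != "ok":
                hits[os.path.relpath(os.path.join(root, name), folder)] = verdict
    return hits

def demo():
    """Scan a temp folder of constructed samples (no real malware involved)."""
    fake_pe = b"MZ" + b"\0" * 58 + struct.pack("<I", 64) + b"PE\0\0"
    samples = {"Some.Movie.2021.mp4.exe": fake_pe,   # double extension
               "holiday.mp4": fake_pe,                # PE bytes, media name
               "clip.mkv": b"\x1a\x45\xdf\xa3" + b"\0" * 60,  # Matroska magic
               "setup.exe": fake_pe}                  # honest executable
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        return scan(tmp)

if __name__ == "__main__":
    print(demo())
```

Calling `scan()` on a real downloads folder lists every file that would run as a program, whatever Explorer shows for its name.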
 

Andy Ful

In most countries, one can download pirated videos, music, etc. without sanctions, except if the pirated content is shared with others. Unfortunately, downloading via torrents is also related to sharing the downloaded content. In this case, one can have problems with the law.
There are countries that do not care about copyright law, but in such a case people will not bother about advising against piracy.
 

ScandinavianFish

In most countries, one can download pirated videos, music, etc. without sanctions, except if the pirated content is shared with others. Unfortunately, downloading via torrents is also related to sharing the downloaded content. In this case, one can have problems with the law.
There are countries that do not care about copyright law, but in such a case people will not bother about advising against piracy.
Not to mention you can easily be subjected to malicious traffic/network activities, as well as malicious ads. I saw a Microsoft article where they tested 14 pirated Office copies; 2 of them didn't work and 9 of them were malware in disguise.
 
