ThreatList: Game of Thrones, a Top Malware Conduit for Cybercriminals

silversurfer
Thread author
As Game of Thrones’ eighth season approaches, fans are getting ready for the ultimate clash of living vs. dead, fire vs. ice, human vs. monster. But they should be careful where they get their Jon Snow fix from; fresh analysis has concluded that the fantasy series is cybercriminals’ favorite target for disguising malware in illegal content downloads.

Game of Thrones accounted for 17 percent of all infected pirated content that researchers with Kaspersky Lab tracked last year, with 20,934 users attacked – even though no new episodes were released in 2018. And it came in as the most-targeted show despite being only the eighth most-popular to illegally stream, according to researchers; it also didn’t make the top 10 for torrent popularity.

“In many regions, popular programs are also consumed via illegal channels, such as torrent-trackers and unauthorized streaming platforms,” according to a Monday report from Kaspersky Lab. “Unlike legitimate resources, torrent trackers and hosted files may prompt a user to download a file that looks like an episode of a TV show, but is in fact malware with a similar name.”

Let’s face it, getting something for nothing has a certain appeal. So while most people should know by now that downloading pirated content is a high-stakes game that can result in a massive cyber-infection for one’s device, the reality is that tapping illegal markets for popular shows (especially those hosted on premium channels) continues to thrive as a practice.



The blockbuster HBO series is starting up again with its eighth and final season on April 14, and fans are a-twitter with anticipation. Not all of those fans have an HBO subscription however, so activity via pirate sites is expected to remain popular.

The danger lies not just with new episodes, either; binge-watching previous seasons before the premiere is a common activity as well. For example, the GoT Season 1 episode “Winter is Coming” is the most-targeted episode of the show, according to Kaspersky Lab’s findings.

The firm is not expecting GoT’s domination on the infected pirated content front to wane in 2019, either; malware is coming, so to speak.

“The first and final episodes, attracting the most viewers, are likely to be at greatest risk of malicious spoofing,” said Anton Ivanov, security researcher at Kaspersky Lab, in the analysis. “Online fraudsters tend to exploit people’s loyalty and impatience, so may promise brand new material for download that is in fact a cyberthreat. Keeping in mind that the final season of Game of Thrones starts this month, we would like to warn users that it is highly likely there will be a spike in the amount of malware disguised as new episodes of this show.”
 

Andy Ful

Example of a Trojan disguised as a TV show downloaded to a PC

" The common scenario is this: the user downloads a torrent file or receives an archive with a shortcut by email. At first glance the package contains a copy of the long-awaited episode.
Yet, apart from the shortcut, the archive will also contain a hidden folder with the ‘system’ attribute on, making it invisible even if Windows Explorer is configured to display hidden files.
By clicking on the shortcut in hope to watch the video, the user will launch the AutoIt script sitting in the hidden folder along with its interpreter and several other .lnk files.
AutoIt is a worm that spreads through removable disks and runs a backdoor, which is then added to autorun (writing paths to the .lnk files from the hidden folder) and used to accomplish the following actions:

  1. Display a specified message
  2. Execute commands in cmd.exe
  3. Download and launch files to %Temp%
  4. Shutdown/restart computer
  5. Go to a specified URL
  6. Auto-click various webpage items
  7. Terminate, restart, update itself "

Edit.
Author of the article used the words "AutoIt is a worm", which can be misleading for many readers. It should be "AutoIt script is a worm". The AutoIt interpreter is a legal script interpreter, just like Python.
 

shmu26

Example of a Trojan disguised as a TV show downloaded to a PC

" The common scenario is this: the user downloads a torrent file or receives an archive with a shortcut by email. At first glance the package contains a copy of the long-awaited episode.
Yet, apart from the shortcut, the archive will also contain a hidden folder with the ‘system’ attribute on, making it invisible even if Windows Explorer is configured to display hidden files.
By clicking on the shortcut in hope to watch the video, the user will launch the AutoIt script sitting in the hidden folder along with its interpreter and several other .lnk files.
AutoIt is a worm that spreads through removable disks and runs a backdoor, which is then added to autorun (writing paths to the .lnk files from the hidden folder) and used to accomplish the following actions:


  1. Display a specified message
  2. Execute commands in cmd.exe
  3. Download and launch files to %Temp%
  4. Shutdown/restart computer
  5. Go to a specified URL
  6. Auto-click various webpage items
  7. Terminate, restart, update itself "

Edit.
Author of the article used the words "AutoIt is a worm", which can be misleading for many readers. It should be "AutoIt script is a worm". The AutoIt interpreter is a legal script interpreter, just like Python.
If I am not mistaken, AutoIt is an exe file that does not ship with Windows. So this attack should be easy to block using any default/deny solution.
 

Andy Ful

If I am not mistaken, AutoIt is an exe file that does not ship with Windows. So this attack should be easy to block using any default/deny solution.
Yes. It is dangerous for the security setup based on traditional AV and generally for a default-allow setup. The same can be done with Python or another legal and powerful script engine.
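The archive layout in the report Andy Ful quotes above (a shortcut named like the episode, a folder with the hidden and system attributes, an AutoIt script and its interpreter), and the default-deny point shmu26 and Andy Ful make, as an added triage example that is not part of this thread or of Kaspersky's report: it reads a ZIP's central directory for a video-named .lnk, entries carrying the hidden+system DOS attribute bits, and AutoIt interpreter or script names. The AutoIt file names, the build_zip helper and both sample archives are assumptions constructed here.

```python
import io
import zipfile

# MS-DOS attribute bits kept in the low byte of ZipInfo.external_attr when the
# archive was produced on Windows (create_system == 0)
DOS_HIDDEN, DOS_SYSTEM, DOS_DIR, DOS_ARCHIVE = 0x02, 0x04, 0x10, 0x20
HIDDEN_SYS = DOS_HIDDEN | DOS_SYSTEM
VIDEO_EXTS = (".mkv", ".mp4", ".avi")
# assumed file names for the AutoIt interpreter and scripts (heuristic, not from the report)
AUTOIT_EXES = {"autoit3.exe", "autoit3_x64.exe"}
AUTOIT_SCRIPT_EXTS = (".au3", ".a3x")

def triage_archive(data: bytes) -> dict:
    """Flag the lure layout: video-named .lnk, hidden+system entries, AutoIt files."""
    f = {"video_lnk": [], "hidden_system": [], "autoit": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            low = name.lower()
            base = low.rsplit("/", 1)[-1]
            if low.endswith(".lnk") and base[:-4].endswith(VIDEO_EXTS):
                f["video_lnk"].append(name)  # "Episode.mkv.lnk" double extension
            if info.create_system == 0 and (info.external_attr & HIDDEN_SYS) == HIDDEN_SYS:
                f["hidden_system"].append(name)  # invisible even with "show hidden files" on
            if base in AUTOIT_EXES or low.endswith(AUTOIT_SCRIPT_EXTS):
                f["autoit"].append(name)  # the script engine a default-deny policy blocks
    f["suspicious"] = bool(f["video_lnk"] and f["hidden_system"] and f["autoit"])
    return f

def build_zip(members) -> bytes:
    """Build an in-memory ZIP from (name, dos_attrs, body) tuples, marked Windows-created."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, attrs, body in members:
            zi = zipfile.ZipInfo(name)
            zi.create_system = 0  # FAT/Windows origin: low byte holds DOS attributes
            zi.external_attr = attrs
            zf.writestr(zi, body)
    return buf.getvalue()

# constructed samples: placeholder bodies only, no real shortcut, binary or script
LURE = build_zip([
    ("Game.of.Thrones.S01E01.mkv.lnk", DOS_ARCHIVE, b"placeholder shortcut"),
    ("_/", HIDDEN_SYS | DOS_DIR, b""),
    ("_/AutoIt3.exe", HIDDEN_SYS, b"placeholder interpreter"),
    ("_/episode.au3", HIDDEN_SYS, b"; placeholder script"),
])
BENIGN = build_zip([("Game.of.Thrones.S01E01.mkv", DOS_ARCHIVE, b"placeholder video")])
```

The name checks are only a heuristic, since a renamed interpreter or a compiled script evades them; the hidden+system attribute on archive entries is the more durable signal.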
 
