With movie piracy rocketing as lockdowns are implemented all over the world, Microsoft is warning internet users that they could be downloading malware along with their evening’s entertainment.
The company’s security intelligence team says it’s uncovered a number of fake movie torrents carrying malicious software that attempts to hijack a user’s machine to generate cryptocurrency.
“We saw an active coin miner campaign that inserts a malicious VBScript into ZIP files posing as movie downloads,” the team says in a tweet.
“The campaign, primarily observed in Spain but has also shown up in some South American countries, aims to launch a coin-mining shellcode directly in memory. We’re seeing the campaign affecting a wide range of customers, from home users to enterprises.”
The malicious VBScript runs a command line that uses BITSAdmin to download more components – including an AutoIt script, which decodes a second-stage DLL. The in-memory DLL then injects coin-mining code into notepad.exe through process hollowing.
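For defenders, the chain described above leaves a recognisable shape in process-creation telemetry. The following is an added example, not code from Microsoft or from the original article: it walks process ancestry to flag a BITSAdmin download running under a script host and a notepad.exe running under AutoIt. The event schema, the rule names and all sample values are assumptions constructed for illustration.

```python
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}  # Windows script hosts that run .vbs
AUTOIT_RE = re.compile(r"autoit", re.I)        # heuristic: misses a renamed interpreter

def name(path):
    return path.rsplit("\\", 1)[-1].lower()

def ancestors(event, by_pid, limit=8):
    """Yield parent events, nearest first; stop on unknown PID, loop or depth limit."""
    seen, cur = set(), by_pid.get(event["ppid"])
    while cur and cur["pid"] not in seen and len(seen) < limit:
        seen.add(cur["pid"])
        yield cur
        cur = by_pid.get(cur["ppid"])

def detect(events):
    """Return (pid, rule) pairs for events matching the chain in the article."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        chain = [name(a["image"]) for a in ancestors(e, by_pid)]
        img = name(e["image"])
        is_download = img == "bitsadmin.exe" and "/transfer" in e["cmdline"].lower()
        if is_download and SCRIPT_HOSTS & set(chain):
            alerts.append((e["pid"], "bits_download_under_script_host"))
        # A hollowed notepad.exe is started by the injecting process, not by the user.
        if img == "notepad.exe" and any(AUTOIT_RE.search(c) for c in chain):
            alerts.append((e["pid"], "notepad_under_autoit"))
    return alerts

def ev(pid, ppid, image, cmdline):
    return {"pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}

# Constructed sample events: PIDs, paths and the URL are made up, not from the campaign.
SAMPLE = [
    ev(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ev(200, 100, r"C:\Windows\System32\wscript.exe", r"wscript.exe C:\Users\u\Downloads\film\film.vbs"),
    ev(210, 200, r"C:\Windows\System32\cmd.exe", "cmd.exe /c bitsadmin /transfer j https://example.invalid/a a.bin"),
    ev(220, 210, r"C:\Windows\System32\bitsadmin.exe", "bitsadmin /transfer j https://example.invalid/a a.bin"),
    ev(300, 200, r"C:\Users\u\AppData\Local\Temp\AutoIt3.exe", "AutoIt3.exe a.au3"),
    ev(310, 300, r"C:\Windows\System32\notepad.exe", "notepad.exe"),
    ev(400, 100, r"C:\Windows\System32\notepad.exe", r"notepad.exe C:\Users\u\notes.txt"),  # benign
    ev(500, 100, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ev(510, 500, r"C:\Windows\System32\bitsadmin.exe", "bitsadmin /transfer j https://example.invalid/b b.bin"),  # admin use
]

if __name__ == "__main__":
    print(detect(SAMPLE))
```

The user-launched notepad.exe and the BITSAdmin job started from an interactive shell are not flagged, because neither has a script host or AutoIt in its ancestry.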
The movies concerned include John Wick: Chapter 3 – Parabellum, along with Spanish-language titles including Puñales Por La Espalda, La Hija de un Ladrón and Lo Dejo Cuando Quiera – as well as Contagio, the Spanish-dubbed version of Contagion.
It’s not clear where the campaign originates – but it’s likely to be coming from old hands.
“The use of torrent downloads is consistent with our observation that attackers are repurposing old techniques to take advantage of the current crisis,” says the team.
The warning follows a recent report from piracy-tracking company Muso that pirate sites saw a 40 per cent increase in visits between February and March. In Spain – one of the main targets of the new malware campaign uncovered by Microsoft – the figure was 50 per cent.
Meanwhile, even those attempting to find content legally need to be on their guard. Security company Mimecast says it’s found no fewer than 500 domains masquerading as major streaming sites including Netflix, Disney+, Amazon Prime Video and YouTube TV.
Some claim to offer free Netflix subscriptions, but instead harvest the user’s credentials, including user names and passwords.
“Unfortunately, people often use the same usernames and/or passwords across different sites — so it is possible that they would use the same credentials for business or personal logins,” points out Thom Bailey, Mimecast’s senior director of product and strategy.