Threat actors are attempting to capitalize the interest in the release of Spider-Man: No Way Home movie and use it as bait to spread a Monero cryptominer.
ReasonLabs researchers spotted a Russian torrent website spreading the Monero cryptominer masqueraded as the Spider-Man: No Way Home movie. The malware is not present in Virus Total at this time, it is written in .net and its code is not signed.
“In this case, we are facing someone who has placed a Monero miner in a torrent download of what seems to be the new movie Spider-Man: No Way Home.” reads the analysis published by ReasonLabs. “The file identifies itself as “spiderman_net_putidomoi.torrent.exe,” which translates from Russian to “spiderman_no_wayhome.torrent.exe.” The origin of the file is most likely from a Russian torrenting website.”
The malware uses ‘legitimate’ names for the files and processes that it creates to avoid detection.
Upon the first run, the malicious code would kill any process that has the name of its components to make sure only one instance is running at a given moment.
Experts noticed that to avoid detection the Svchost is injected by the main process with the contents of a zipped resource. The resource contains information for the mining activity, the researchers identified a self-compiled version of the XMrig open-source miner containing information such as username, password, algorithm, and mining pool.
The miner does not implement data-stealing capabilities, however, it abuses the computing resources of the infected system to mine cryptocurrency causing a drastic drop in the system’s performance.
The malware gains persistence by using registry CurrentVersion\Run key or a scheduled task named “services” on every logon.
The researchers were not able to determine the number of infected systems, anyway they believe that it is not small due to the popularity of the movie.
“We recommend taking extra caution when downloading content of any kind from non-official sources – whether it’s a document in an email from an unknown sender, a cracked program from a fishy download portal, or a file from a torrent download.” concludes the analysis that also includes Indicators of Compromise and Yara rules.
Experts also recommend checking that the file extension matches the file they are expecting, in this case, the file was a .EXE and not a movie file that should be in “.mp4” format.
|[adrotate banner=”9″]||[adrotate banner=”12″]|
(SecurityAffairs – hacking, Spider-Man: No Way Home)