Kaspersky Warns of Malware Disguised as Textbooks and Essays

As the new school year begins, Kaspersky Lab experts have reminded users that trying to download pirated essays and textbooks often leads to malware infections. If a user searching for study materials lands on a malicious website, their computer can end up infected with all sorts of threats. Some types of malware are more commonly spread this way than others.

According to Kaspersky, during the last academic year, cybercriminals targeting the education sector attempted to attack Kaspersky product users more than 356,000 times. Of these, 233,000 cases involved malicious essays, while malware disguised as textbooks was responsible for 122,000 attacks.

The most popular targets were English textbooks, which 2,080 people tried to download. Math guides came in second, nearly infecting 1,213 students. Literature rounded out the top three most dangerous subjects, with 870 potential victims.

Common Types of Malware Spread as Study Materials

  • Stalk. You don’t even have to visit suspicious websites or look for pirated textbooks to get infected. Such “literature” is also distributed by spammers. For example, the well-known worm Worm.Win32.Stalk.a, previously thought to be obsolete, is still active and ranks first in the number of users attacked by malware disguised as study materials.
    Once on a computer, Stalk spreads to all connected devices, such as other computers on the local network or USB drives with study materials. This is especially dangerous because students often use USB drives to print essays at school or university, potentially spreading the worm to the institution’s network. To infect as many systems as possible, the malware also tries to email itself to all of the victim’s contacts.
    Stalk is dangerous not only because it spreads via local networks and email, but also because it can download other suspicious applications onto the infected device and copy and send files from the computer to its operators.
    Experts believe Stalk’s success is due to the widespread use of outdated operating systems and software in educational institutions, especially in print rooms, which allows the worm to thrive.
  • Win32.Agent.ifdx. Malware loaders often hide as DOC, DOCX, or PDF files pretending to be textbooks or essays. Although they appear as documents with the appropriate icon, they are actually programs. When launched, they do open a text file to lull the victim into a false sense of security, but their main goal is to deliver malware to the computer.
    Recently, these loaders have been used to spread cryptocurrency miners. However, the operators’ priorities can change, and the payload could switch to spyware, banking trojans, or ransomware.
  • WinLNK.Agent.gen. Malware often hides in archives, as it’s harder to scan compressed files. The WinLNK.Agent.gen loader, for example, is easily picked up when searching for textbooks and essays. Inside the archive is a shortcut to a text file, which not only opens the document but also launches the malware components.
    This can lead to other types of malware infecting the device, most commonly miners that use the infected computer’s resources to generate cryptocurrency for the attackers. It could also be adware that bombards victims with ads, or other malicious software.
  • MediaGet. Rounding out the list is the most “harmless surprise” awaiting students on malicious sites: websites offering free textbook downloads often trick users into downloading the MediaGet program installer instead of the document they were looking for. This installer simply downloads and installs an unnecessary torrent client, without causing further harm.
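The Win32.Agent.ifdx and WinLNK.Agent.gen entries above both rely on a file that looks like a document but is really a program or a shortcut. The following is an added example, not code from Kaspersky or the original article: it checks the leading bytes of each file in a ZIP archive against what the file name claims. The function names and the sample archive are constructed for illustration.

```python
import io
import zipfile

# Shell Link header: HeaderSize 0x4C followed by the LinkCLSID.
LNK_MAGIC = bytes.fromhex("4c0000000114020000000000c000000000000046")
# Leading bytes a genuine document of each type starts with.
DOC_MAGIC = {"pdf": b"%PDF-", "docx": b"PK\x03\x04",
             "doc": bytes.fromhex("d0cf11e0a1b11ae1")}

def classify(name, head):
    """Return a finding for one file name plus its first bytes, else None."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    exts = base.lower().rstrip(". ").split(".")[1:]
    doc_like = any(e in DOC_MAGIC for e in exts)
    if head.startswith(b"MZ"):  # DOS/PE executable header
        return "executable named like a document" if doc_like else "executable"
    if head.startswith(LNK_MAGIC):
        return "shortcut named like a document" if doc_like else "shortcut"
    if exts and exts[-1] in DOC_MAGIC and not head.startswith(DOC_MAGIC[exts[-1]]):
        return "content does not match extension"
    return None

def scan_archive(data):
    """Inspect each member of a ZIP (given as bytes) without extracting to disk."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                verdict = classify(info.filename, member.read(len(LNK_MAGIC)))
            if verdict:
                findings[info.filename] = verdict
    return findings

def build_sample():
    """Constructed sample archive: harmless stub bytes, not real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("essay.pdf", b"%PDF-1.4\n% constructed\n")
        zf.writestr("english_textbook.pdf.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("math_guide.docx.lnk", LNK_MAGIC + b"\x00" * 56)
        zf.writestr("literature.doc", b"plain text, not an OLE file")
    return buf.getvalue()

if __name__ == "__main__":
    for name, verdict in scan_archive(build_sample()).items():
        print(f"{name}: {verdict}")
```

Because the check reads content rather than trusting the name or icon, it also flags a program whose name carries no document extension at all.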
