A Monero miner was found in a torrent download of what researchers believe to be the new movie, Spider-Man: No Way Home.
A ReasonLabs blog post reported that the file identifies itself as: spiderman_net_putidomoi.torrent.exe. This translates from the Russian to: spiderman_no_wayhome.torrent.exe.
The researchers theorize that the origin of the file most likely comes from a Russian torrenting website. According to the researchers, the miner adds exclusions to Windows Defender, creates persistence, and spawns a watchdog process to maintain its activity.
Hiding a cryptominer or similar malware in an enticing file, such as the new Spider-Man movie is nothing new, said Sean Nikkel, senior cyber threat intel analyst at Digital Shadows. Nikkel said there are plenty of GenXers and Millennials who remember the days of downloading random files from strangers across Kazaa and Limewire in search of rare or free MP3 or video files and ended up with a Trojan or similar nastiness.
“Unfortunately, the tactic carried into the Torrent world,” Nikkel said. “There have been many cases of people downloading the wrong file, thinking it was a popular movie, TV show, or new remix. While we’re on the subject, this same thing occurs with popular applications, such as those from Adobe, Microsoft, or specialized music programs that are themselves often pirated. Sometimes the key generators themselves were malicious or the applications are executable. There have been plenty of office workers looking to cut corners or use programs they’re familiar with on their work computer. These users run the risk of downloading “free” versions or versions hosted on bad sites and end up getting burned.”
Jake Williams, co-founder and CTO at BreachQuest, added that threat actors have long used torrents as a distribution mechanism for malware, in fact, long before cryptominers emerged as a force. Williams said a “Trojaned” torrent doesn’t benefit the threat actor if nobody downloads it, so threat actors will continue capitalizing on the latest hype.
“I remember seeing a wave of threat actors compromising victims with screen savers celebrating Whitney Houston’s career in the wake of her passing,” Williams said. “Given that cryptominers are the easiest way for threat actors to cash out, it’s not surprising that threat actors will use these as their malware payload of choice.”
Jasmine Henry, field security director at JupiterOne, said it’s been extremely common for more than a decade for threat actors to attach cryptominers and other malware to popular torrent files.
“Security teams should revisit their acceptable use policies and periodically remind employees that illegal peer-to-peer file sharing at home or on work devices carries some pretty nasty security risks,” Henry said.