Be careful when looking for pirated movies online – experts have warned that many of the files on offer exist only to infect Windows PCs with dangerous malware and infostealers.
Cybersecurity researchers from Mandiant have recently discovered a new malware dropper, infecting victims with Lumma Stealer, Hijack Loader, and CryptBot.
Lumma, for example, is a known piece of malware that’s been extensively covered by the media. It is capable of grabbing passwords stored in popular browsers, cookies, credit card information, and data related to cryptocurrency wallets. Lumma is offered as a service, for a subscription fee ranging between $250 and $1,000.
Downloading malware
The dropper is dubbed PEAKLIGHT. It appears to be brand new, and works as a memory-only dropper: “This memory-only dropper decrypts and executes a PowerShell-based downloader,” Mandiant said in a technical write-up.
The researchers found the dropper in .ZIP archives on the internet, posing as pirated movies. These archives contained a Windows shortcut file (.LNK) which, when run, connects to a content delivery network (CDN) hosting an obfuscated JavaScript payload that executes only in memory.
“PEAKLIGHT is an obfuscated PowerShell-based downloader that is part of a multi-stage execution chain that checks for the presence of ZIP archives in hard-coded file paths,” Mandiant added. “If the archives do not exist, the downloader will reach out to a CDN site and download the remotely hosted archive file and save it to disk.”
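A defender-side check that follows from the lure described above: before anything in a downloaded archive is opened, inspect it for Windows shortcut files, whether they are named .lnk or hide behind a media extension. This is an added example, not Mandiant's code or tooling; the archive contents below are constructed for the demonstration.

```python
import io
import zipfile

# Every .LNK file begins with HeaderSize = 0x4C followed by the fixed LinkCLSID
# {00021401-0000-0000-C000-000000000046}, stored little-endian.
LNK_HEADER_SIZE = b"\x4c\x00\x00\x00"
LNK_CLSID = b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"


def is_lnk_header(head: bytes) -> bool:
    """True if the first 20 bytes look like a Windows shell link header."""
    return head[:4] == LNK_HEADER_SIZE and head[4:20] == LNK_CLSID


def suspicious_entries(zip_bytes: bytes) -> list:
    """Return archive members that are shortcuts, by extension or by magic bytes.

    Checking the header catches a shortcut renamed to look like a video file;
    checking the extension catches a shortcut whose body is not yet readable.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(20)
            by_ext = info.filename.lower().endswith(".lnk")
            if by_ext or is_lnk_header(head):
                findings.append(info.filename)
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: a 'movie rip' archive carrying two shortcuts and one text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Shortcut disguised with a double extension
        zf.writestr("Movie.2024.1080p.mp4.lnk", LNK_HEADER_SIZE + LNK_CLSID + b"\x00" * 56)
        # Shortcut renamed to a video extension; only the header gives it away
        zf.writestr("Trailer.mkv", LNK_HEADER_SIZE + LNK_CLSID + b"\x00" * 56)
        zf.writestr("README.txt", b"Open the movie file to play")
    return buf.getvalue()


if __name__ == "__main__":
    for name in suspicious_entries(build_sample_zip()):
        print("shortcut in archive:", name)
```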
Pirated content, including movies, music, software, and books, has been used to distribute malware for years. During the Covid lockdowns, as people were stuck inside and looking for ways to kill time, many turned to pirated content – and hackers took advantage, distributing cryptocurrency-mining malware via fake film torrents.
The movie John Wick: Chapter 3 – Parabellum – which was a blockbuster hit at the time, was one of the movies used to distribute malware.
Via The Hacker News