Be careful when searching for pirated movies online – experts warn that many of the files on offer exist only to infect your Windows computer with dangerous malware and information stealers.
Mandiant cybersecurity researchers recently discovered a new malware dropper that infects victims with Lumma Stealer, Hijack Loader, and CryptBot.
Lumma, for example, is a well-known malware that has received extensive media coverage. It is capable of stealing passwords stored in popular browsers, cookies, credit card information, and data related to cryptocurrency wallets. Lumma is offered as a service for a subscription fee ranging from $250 to $1,000.
Downloading malware
The dropper is called PEAKLIGHT. It appears to be new and works as a memory-only downloader: “This memory-only downloader decrypts and executes a PowerShell-based downloader,” Mandiant said in a technical article.
Researchers found the dropper in .ZIP files on the Internet that posed as pirated movies. These archives contained a Windows shortcut file (.LNK) that, when executed, connected to a content delivery network (CDN) hosting obfuscated, memory-only JavaScript code.
“PEAKLIGHT is an obfuscated PowerShell-based downloader that is part of a multi-stage execution chain that checks for the presence of ZIP files in hardcoded file paths,” Mandiant added. “If the files do not exist, the downloader will contact a CDN site and download the remotely hosted compressed file and save it to disk.”
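The lure described above relies on an archive that claims to hold a movie but actually delivers a Windows shortcut. A defender triaging such downloads should not trust file extensions alone, because a .LNK can be renamed to look like media. The following Python script is an added example (it is not code from Mandiant or from the article) that inspects a ZIP archive in memory and flags entries by both name and content: it checks for executable-type extensions, for a media name with a trailing executable extension, and for the fixed Shell Link header bytes (header size 0x4C followed by the LinkCLSID 00021401-0000-0000-C000-000000000046) regardless of the name. The sample archive and its entry names are constructed for the demonstration.

```python
import io
import zipfile

# A Shell Link (.LNK) file starts with HeaderSize 0x4C (little-endian) followed
# by the LinkCLSID 00021401-0000-0000-C000-000000000046 in its on-disk byte order.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c0000000" "00000046")

# Extensions that should never appear inside a "movie" download (constructed list).
RISKY_EXTENSIONS = {".lnk", ".exe", ".js", ".jse", ".vbs", ".bat",
                    ".cmd", ".scr", ".hta", ".ps1"}
MEDIA_EXTENSIONS = {".mkv", ".mp4", ".avi", ".mov"}


def classify_entry(name: str, head: bytes) -> list[str]:
    """Return the reasons an archive entry looks suspicious (empty list if none)."""
    reasons = []
    base = name.lower().rsplit("/", 1)[-1]
    parts = base.split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""

    if ext in RISKY_EXTENSIONS:
        reasons.append(f"executable extension {ext}")
    # "Movie.mkv.lnk": a media extension hidden before an executable one.
    if len(parts) > 2 and "." + parts[-2] in MEDIA_EXTENSIONS and ext in RISKY_EXTENSIONS:
        reasons.append("media name with executable extension (double extension)")
    # Content check: a shortcut renamed to .mkv still carries the LNK header.
    if head.startswith(LNK_MAGIC):
        reasons.append("Shell Link header bytes present")
    return reasons


def scan_zip(zip_bytes: bytes) -> dict[str, list[str]]:
    """Scan every file entry in a ZIP (given as bytes) and map name -> reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))  # only the header is needed
            reasons = classify_entry(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip() -> bytes:
    """Constructed archive imitating the lure: a fake 'movie' that is really a shortcut."""
    buf = io.BytesIO()
    fake_lnk = LNK_MAGIC + b"\x00" * 56  # header bytes padded to the 76-byte header size
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Some.Movie.2024.1080p.mkv.lnk", fake_lnk)   # visible double extension
        zf.writestr("Some.Movie.2024.1080p.mkv", fake_lnk)       # renamed to hide the .lnk
        zf.writestr("README.txt", b"Enjoy the movie!\n")          # benign entry
    return buf.getvalue()


if __name__ == "__main__":
    for entry, why in scan_zip(build_sample_zip()).items():
        print(f"{entry}: {', '.join(why)}")
```

Because the content check reads only the first 20 bytes of each entry, the scan is cheap enough to run on every archive at a download gateway or mail filter; the name-based checks are a useful first pass but the header check is what catches the renamed shortcut.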
Pirated content, including movies, music, software, and books, has been used to distribute malware for years. During the COVID-19 lockdowns, when people stayed home looking for ways to kill time, many turned to pirated content, and attackers took advantage of this by distributing cryptocurrency-mining malware through fake movie torrents.
The movie John Wick: Chapter 3 – Parabellum, which was a box office hit at the time, was one of the movies used to distribute malware.
Via The Hacker News