Microsoft warns that malicious actors are taking advantage of this trend trying to infect potential victims with malware delivered via fake movie torrents.
“With lockdown still in place in many parts of the world, attackers are paying attention to the increase in use of pirate streaming services and torrent downloads,” the Microsoft Security Intelligence team said. “We saw an active coin miner campaign that inserts a malicious VBScript into ZIP files posing as movie downloads.”
The attackers behind this campaign are primarily targeting home users to enterprises from Spain and some South American countries with the end goal of launching a coinminer directly into the compromised devices’ memory.
The ZIP files pose as popular Hollywood movies with file names like “contagio-1080p”, “John_Wick_3_Parabellum”, “Punales_por_la_espalda_BluRay_1080p”, as well as Spanish titles like “La_hija_de_un_ladron” and “Lo-dejo-cuando-quiera”.
The VBScript runs a command line that uses BITSAdmin to download more components, including an AutoIT script, which decodes a second-stage DLL. The in-memory DLL then injects a coin-mining code into notepad.exe through process hollowing.
