ReasonLabs cybersecurity researchers warned that the ‘Spider-Man: No Way Home’ illegal download on peer-to-peer sharing sites was infected with torrent malware.
The team explained that the Spider-Man malware was a new version of a known persistent Monero crypto miner, previously disguised as popular applications like Windows updater, Discord app, among others.
According to the researchers, the malware employs various cloaking techniques to avoid detection by various security solutions while running persistently on infected devices.
Although they could not determine how many users had downloaded the torrent, they suggested that the malware was around for quite some time.
Spider-Man crypto miner is absent in most virus databases
ReasonLabs researchers said they discovered the Spider-Man torrent malware after one of their users downloaded an infected file that was flagged as malware.
They attributed the detection to their extensive malware database that allows them to flag various threats and crosscheck them with other databases such as Virus Total.
However, they noted that the Spider-Man torrent malware which was not signed and written in .NET, was absent in the VirusTotal malware database, and did not match any known suspicious files.
“The file identifies itself as “Spiderman_net_putidomoi.torrent.exe,” which translates from Russian to “Spiderman_no_wayhome.torrent.exe.” The origin of the file is most likely from a Russian torrenting website.”
Spider-Man torrent malware adds exclusions to Microsoft Defender, injects into svchost.exe
The researchers noted that the Spider-Man torrent malware attempts to disguise its malicious nature by creating files and processes with legitimate names. The strategy allows the crypto miner to run in the background without raising suspicion.
Additionally, the torrent malware purports to originate from Google, creates sihost64.exe and WR64.sys files, decompresses a zipped file at runtime, injects its content into the svchost.exe process, and adds exclusions to Microsoft Defender. The crypto miner also creates a “watchdog process” to kill any service with its components to ensure that only a single instance was running.
The torrent malware also obfuscates function names and strings using the base64 encoding. However, the researchers determined that the crypto miner was a SilentXMRMiner variant.
Although the crypto miner does not compromise users’ information, it drains the computer’s power and CPU, drastically slowing down the device and raising the electricity bill.
Sean Nikkel, Senior Cyber Threat Intel Analyst at Digital Shadows said that hiding crypto miners in the Spider-Man movie file or other popular media assets was an old tactic that had been ported to peer-to-peer file sharing sites.
“There are likely lots of Gen Xers and Millennials who remember the days of downloading random files from strangers across Kazaa and Limewire in search of rare or free MP3 or video files and ended up with a Trojan or similar nastiness.”
Jasmine Henry, Field Security Director at JupiterOne, advised organizations to educate their employees on file download policy.
“Security teams should revisit their acceptable use policies and periodically remind employees that illegal peer-to-peer file sharing at home or on work devices carries some pretty nasty security risks.”
ReasonLabs researchers advise users to check file extensions while downloading content online to make sure it matches the content type. For example, users should make sure that a movie file ends in a “.mp4” extension instead of “.exe”.
Windows users can enable real file extensions by opening a folder, clicking on “View” and checking the “File name extensions” box. Otherwise, threat actors could include fake file extensions as part of the file name to trick users.
Additionally, they should gather information about the file and think twice before double-clicking it.
“We recommend taking extra caution when downloading content of any kind from non-official sources – whether it’s a document in an email from an unknown sender, a cracked program from a fishy download portal, or a file from a torrent download,” the researchers wrote.
ReasonLabs also noted that threat actors were increasingly deploying crypto miners disguised as popular apps or files and fooling many users to download them to gain more victims.
Jake Williams, Co-Founder, and CTO at BreachQuest, noted that crypto miners were an easy way for criminals to cash out, making them many criminals’ payload of choice.
“Threat actors have long used torrents as a distribution mechanism for malware, in fact long before crypto miners were a thing,” Williams said. “A trojanized torrent doesn’t benefit the threat actor if nobody downloads it, so we should expect to continue to see threat actors capitalizing on the latest hype.”
Tim Wade, Technical Director, CTO Team at Vectra, suggested that crypto miners were more attractive to the less experienced criminals.
“The distribution of malicious payloads as an extra little bonus riding along illegitimate media sharing services is a time-honored tradition dating back for as long as I can remember. That today’s soup du jour includes crypto miners is just a reflection of the current monetization preferences of the ne’er-do-wells of the present.”