Downloading movies from The Pirate Bay could potentially expose users to cryptocurrency theft and phishing on an unprecedented scale.

Security researcher 0xffff0800 was the first to raise the alarm on January 11 when he detailed his experience of downloading ‘The Girl In The Spider’s Web’ from TPB only to be confronted with a .LNK shortcut containing CozyBear malware as well as a series of PowerShell commands.

So once I downloaded and thought it looked weird due to the icon of the download AVI.. I threw it in a Hex Editor, and oh.. There is some kind of powershell.. WTF? Put it through Virustotal.. and what do you know! CozyBear putting droppers in Hacker Movies Now?! pic.twitter.com/o0yU7HWCtX — 0xffff0800 (@0xffff0800) January 11, 2019

The malware is programmed to carry out a range of hostile activities on a user’s computer, including disabling Windows Defender and installing viral extensions in the Firefox and Chrome browsers. In so doing, it is able to edit the appearance of web pages on a user’s computer and carry out complicated phishing attacks. Unlike spoofing, which uses fake websites designed to closely resemble trusted ones, this method of attack is particularly insidious because it overlays code on trusted websites and thus cannot be detected by close examination of the URL, as is typically the case with spoof attacks.

Cryptocurrency Theft and Web Search Manipulation

While the CozyBear malware is still sometimes used to attack Windows systems, it is actually a decoy in this case. The .LNK shortcut launches a series of PowerShell commands which ends with a payload being downloaded onto the user’s system. From then on, it gets to work disabling antivirus programs and installing malicious code in Firefox and Chrome.
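The researcher's hex-editor check, automated as an added example (not code from the article or the researcher): it identifies a Windows shortcut by its header bytes rather than its name or icon, and flags command-interpreter strings stored as ASCII or UTF-16LE. The watch list, the media extensions and the sample bytes are assumptions constructed for illustration.

```python
import struct

# Shell link header: HeaderSize 0x0000004C followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046 in its on-disk byte order.
LNK_MAGIC = struct.pack("<I", 0x4C) + bytes.fromhex("0114020000000000c000000000000046")

# Assumed watch list for this example; extend it to suit your environment.
WATCH_LIST = ("powershell", "cmd.exe", "-encodedcommand")
# Assumed set of extensions a fake "movie" shortcut might carry in its name.
MEDIA_EXTS = (".avi", ".mkv", ".mp4")

def is_shell_link(data: bytes) -> bool:
    """True if the bytes begin with a shortcut header, whatever the file is named."""
    return data[:20] == LNK_MAGIC

def embedded_keywords(data: bytes) -> list:
    """Watch-list strings present as ASCII or UTF-16LE (case-insensitive)."""
    low = data.lower()  # lowercases ASCII bytes, including those inside UTF-16LE text
    return [kw for kw in WATCH_LIST
            if kw.encode("ascii") in low or kw.encode("utf-16-le") in low]

def triage(name: str, data: bytes) -> dict:
    """Summarise why a downloaded file deserves a closer look before opening."""
    lnk = is_shell_link(data)
    return {
        "is_shell_link": lnk,
        # Explorer hides ".lnk", so "Movie.avi.lnk" is displayed as "Movie.avi".
        "media_disguise": lnk and any(ext in name.lower() for ext in MEDIA_EXTS),
        "keywords": embedded_keywords(data) if lnk else [],
    }

# Constructed samples: a minimal shortcut-like blob with a UTF-16LE command
# line, and the first bytes of a genuine RIFF/AVI container for comparison.
SAMPLE_LNK = (LNK_MAGIC + b"\x00" * 56 +
              "PowerShell.exe -NoProfile -Command <placeholder>".encode("utf-16-le"))
SAMPLE_AVI = b"RIFF" + struct.pack("<I", 4) + b"AVI LIST"

if __name__ == "__main__":
    print(triage("The.Movie.avi.lnk", SAMPLE_LNK))
    print(triage("The.Movie.avi", SAMPLE_AVI))
```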

When the user opens either of these browsers, the newly installed viral extensions inject different web pages with modified versions of JavaScript code, which allows the malware to run on and edit web pages and deploy advertisements, among other things.

The malware monitors web searches and goes as far as modifying web results. Ads which favor the hacker show up far higher on search rankings than they could ever otherwise hope to, and unpopular products often rank ahead of established products. An example of this is seen below.

Most alarmingly, its ability to edit the appearance of web pages and change information without the user’s awareness enables it to steal cryptocurrency. For example, if a user opens the Wikipedia homepage on a compromised system, they will likely see a convincing message created by the malware saying “Wikipedia now accepts donations in form of bitcoin” and a ‘DONATE’ sign. Any funds donated then go to the hacker.

The malware also has the ability to replace crypto wallet addresses provided on web pages that do accept bitcoin payments with that of the attacker, so that all payments made from infected systems go to the hacker’s wallet.

The growth of this threat underlines the risks inherent in obtaining media files through torrent downloads. While torrent users are already familiar with several existing security threats, the added risk of compromising their cryptocurrency security presents them with a decision whether the desired entertainment is worth the risk.
