A new virus making the rounds is embedding nefarious code in a victim’s computer to extract cryptocurrencies, deceptively altering search results to scam users into parting with their digital assets.

As reported by cybersecurity publication Bleeping Computer, the virus is embedded in movie files originating from torrent tracking service The Pirate Bay (TPB). While torrent files are notorious for their malware vulnerabilities, the new virus uncovers a large amount of user information and injects “donation” ad placements and affiliate links on popular websites to capitalize on credibility while scamming unsuspecting users.

Security research 0xffff0800 discovered a malicious ‘lnk’ file in a torrent movie he earlier downloaded, which drew attention after being flagged by antivirus software. The extension contained faulty code from CozyBear, a malware designed by a cyber threat group of the same name and has been active since 2015. The group primarily targets the Windows platform using weaponized .lnk files that extracts an online script after download and withholds sensitive information for ransom.

Based on the above information, Bleeping Computer researcher Lawrence Abrams investigated the files further and confirmed the .lnk extension injected ads into search pages while actively swapping any cryptocurrency addresses it found on a victim’s computer.

Modus Operandi and Hack

In terms of operation, the virus modifies registry entry keys that first disable Windows Defender protection, if it’s installed. It later installs a Firefox plugin on Chrome and hijacks the ‘media router’ plugin. Finally, the code pulls data from the hacker’s database along with malicious settings and a JavaScript code to alter web pages visited by a victim. Overall, it’s quite a sneaky maneuver.

The malicious activity even alters Wikipedia pages and mimics the foundation’s donation campaign with a billboard, complete with two crypto addresses and an ambitious message of Wikipedia accepting crypto-donations:

When searched on their respective block explorers, the specific Bitcoin and Ethereum addresses contained $70 and $600 worth of cryptocurrency respectively. Additionally, the same addresses are swapped with addresses found on a victim’s computer—and because these are long, alphanumeric character strings, it is unlikely a user finds out the mishap until after trying to make a cryptocurrency transfer.

As a note of precaution, it is essential to check for the authenticity of any torrent files downloaded. Ratings and comments are a good place to start for verification. Experts recommend running a trustworthy antivirus program that can flag malicious programs before they can steal a user’s cryptocurrency.