Illegal copies of 'Spider-Man: No Way Home' infected with cryptocurrency mining malware

SECURITY

People trying to download an illegal copy of “Spider-Man: No Way Home” are in for an unpleasant surprise, as copies on “torrent” sites that point to illicit copies of movies were found to include a persistent cryptocurrency miner as an unwanted bonus.

Detailed today by researchers at Reason Cybersecurity Ltd., the illicit copies of the latest Spider-Man installment include a new version of a previously known form of malware. The malware, dubbed “Spiderman,” is described as a variant of malware that had previously been disguised as popular apps such as “Windows updater” and “Discord app.”

The malware crypto miner is capable of adding exclusions to Windows Defender. It also adds a “watchdog process” for persistence. The researchers note that at first run, the malware would kill any process that has the name of its components to make sure only one instance is running at a given moment. The crypto mining malware then executes two new processes, called Sihost64.exe and WR64.exe.

“It’s been extremely common for threat actors to attach cryptominers and other malware to popular torrent files for over a decade,” Jasmine Henry, field security director at cyber asset management and governance solutions provider JupiterOne Inc., told SiliconANGLE. “Security teams should revisit their acceptable use policies and periodically remind employees that illegal peer-to-peer file sharing at home or on work devices carries some pretty nasty security risks.”

Casey Ellis, founder and chief technology officer at crowdsourced security platform company Bugcrowd Inc., noted that “someone wanting to implant malware, using a delivery system where users are less likely to reach out for ‘technical support’ if something seems off or even admit to peers or family that their computer might be acting strange, gives an increased chance of my malware executing in the first and, once it does, a lower risk of it being discovered and removed.”

Sean Nikkel, senior cyberthreat intelligence analyst at digital risk protection company Digital Shadows Ltd., explained that hiding a crypto miner or similar malware in an enticing file, such as the new Spider-Man movie or other hot media properties, is nothing new.

“There are likely lots of genXers and millennials who remember the days of downloading random files from strangers across Kazaa and Limewire in search of rare or free MP3 or video files and ended up with a Trojan or similar nastiness,” Nikkel said. “Unfortunately, the tactic carried into the Torrent world. There have been many cases of people downloading the wrong file, thinking it was a popular movie, TV show or new remix.”

Image: Sony/Marvel