A new threat to Windows computers. The virus. made by the CozyBear collective, is disguised as a movie downloadable from Torrent and causes a lot of damage
The imagination of hackers seems truly infinite and, historically, one of the methods used by web criminals to infect our computers is also to hide viruses in Torrent files of pirated movies, uploaded to the well-known platform The Pirate Bay (TPB).
An example of this practice, recently discovered and then blocked before it could cause much damage, demonstrates the dangerousness of these viruses: in a Torrent file to download the movie "Millennium - The one that doesn't kill" a malicious code has been found that modifies the result pages of Google and Yandex search engines and tries to implement a scam by infecting Wikipedia pages. The goal is always the same: to make money from the users' backs, using sophisticated and high-level tactics.
This virus and its scam were engineered by CozyBear, a group of Russian hackers known under several names (APT29, CozyDuke, CozyCar, Grizzly Bear). CozyBear has been active since 2008, but became famous in August 2015, when it managed to breach the Pentagon email servers and gain access to more than 2,500 email accounts of civilian and military personnel of the US Department of Defense.
How the Torrent virus works
The way the virus works, in a nutshell, is this: inside the video file of the pirated movie, an .LNK file has been inserted. This extension is used for Windows shortcuts, i.e. shortcuts to original files, perhaps to be placed on the desktop to quickly access files or folders located in various parts of the hard disk. But when the user clicked on the hacked shortcut, the infection started: a PowerShell command was executed, which in turn executed a script of malicious code. From then on, Google and Yandex searches were infected.
Hacked search engine results
To do this, the malware modified some Windows registry keys to disable Windows Defender protection. It would also install an extension called "Firefox Protection" in Firefox and modify the Chrome extension called "Chrome Media Router". This way he disabled the protections of the operating system and the two most used browsers. From that moment on, every time the user opened the browser to browse the Internet, the malware would connect to a database and execute various settings and JavaScript code on various web pages.
For example, if the user searched for "spyware" on Google, probably looking for the best antivirus to protect himself from spyware, instead of the antivirus software sites that would normally appear at the top of the Google search page the first two (hacked) results pointed to websites recommending an antivirus called TotalAV. The same happened with the results of Yandex, a search engine widely used in Russia.
Fake Wikipedia donations
But there is more: besides infecting search engine pages, this virus contained in the hacked movie also infected Wikipedia pages by showing a banner at the beginning claiming that Wikipedia now accepts donations in cryptocurrencies (which is absolutely false). The banner also provided two cryptocurrency wallet addresses to send donations to: one for Bitcoin, the other for Ethereum. Wallets that belonged to the hackers, of course. A third Bitcoin wallet address was found in the scripts downloaded by the malware, but it does not seem to be included in the Wikipedia donation scam.
All three wallets are part of another malicious activity, intended to replace the Bitcoin and Ethereum addresses on the web pages. This tactic does not show any signs that would alert the user to the trick because the wallets are a long string of random characters, and most users cannot tell the difference between the real wallet and a hacked one. Thus, whenever the user opened a page containing strings of legitimate cryptocurrency wallets, the virus would replace these strings with those of the hackers' wallets diverting payments and donations to the cyber criminals' account.