
A new cryptojacking tactic involving Wikipedia and downloaded movie files - wglb
https://cryptomenow.com/a-new-cryptojacking-tactic-that-involves-wikipedia-and-downloaded-movie-files-has-been-discovered/
======
kristianp
This seems to be the original tweet that's the source of the article:

[https://twitter.com/0xffff0800/status/1083585136833179648](https://twitter.com/0xffff0800/status/1083585136833179648)

There are a few screenshots in the tweet and the following ones to show how it
works.

~~~
aboutruby
The post should probably link directly to this, much better than the article.
More concise and with more information.

~~~
ccnafr
Bleeping Computer published the original report on this, which I believe this
site has ripped off:
[https://www.bleepingcomputer.com/news/security/fake-movie-file-infects-pc-to-steal-cryptocurrency-poison-google-results/](https://www.bleepingcomputer.com/news/security/fake-movie-file-infects-pc-to-steal-cryptocurrency-poison-google-results/)

------
LeoPanthera
Was this article written by a markov chain? There's a lot of words there but
it doesn't make much sense at all.

~~~
yqt
Machine translation from Chinese I suppose.

------
tobias__
The topics seem interesting, but I'm having a lot of trouble parsing the
contents of the article.

> The malware launches a Powershell command, which then inserts malicious code
> into the Firefox browser. The attack is designed to infect movie torrent
> files and is also meant to infect Windows computers in particular. The point
> of the attack is to phish for any Bitcoin or Ethereum addresses that the
> user might have. It’s an advanced virus as it then actually aims to replace
> these victims addresses with the hacker’s wallet.

Not sure where torrents come into this at all, for example.

~~~
themodelplumber
So far I've got:

Download a movie --> Magic Happens --> Powershell --> Firefox compromised! -->
We infected your torrents! --> Ah, found your crypto. --> Your address is now
replaced with my wallet!! Ha ha!

~~~
Dylan16807
Based on the tweets, step two is that the "movie" is actually a shortcut file.
The shortcut runs powershell with a short obfuscated command that downloads
the malware payload. Then it does a variety of normal malware stuff.

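The mechanism described in the comment above (a shortcut file named like a video that launches PowerShell with a hidden window) is something a defender can triage offline. The following is an added example written for this thread, not code from the article, the tweet or Bleeping Computer: it builds a constructed, harmless .lnk in memory (no real sample is embedded; the download stage is a labelled placeholder), parses the ShellLinkHeader and StringData section laid out in Microsoft's MS-SHLLINK specification, and reports the indicators worth checking on a file from a torrent download: a media-style double extension, a PowerShell target, and a minimised or hidden window. The file names, paths and arguments are invented for the example.

```python
"""Heuristic triage of Windows .lnk (shell link) files posing as media downloads.

Added example, not code from the original page. Header layout and LinkFlags
values follow MS-SHLLINK; the sample shortcuts below are constructed in memory.
"""
import struct
import uuid

LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
HEADER_SIZE = 0x4C

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80

SW_SHOWNORMAL = 1
SW_SHOWMINNOACTIVE = 7  # window starts minimised: typical of malicious shortcuts

MEDIA_EXTENSIONS = (".mkv", ".mp4", ".avi", ".mov", ".wmv", ".mp3")


def _string_data(text):
    """One StringData item: 2-byte character count followed by UTF-16LE text."""
    return struct.pack("<H", len(text)) + text.encode("utf-16-le")


def build_lnk(relative_path, working_dir, arguments, icon_location, show_command):
    """Constructed minimal .lnk: 76-byte header plus StringData, no IDList/LinkInfo."""
    flags = HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    header = struct.pack(
        "<I16sIIQQQIIIHHII",
        HEADER_SIZE, LNK_CLSID.bytes_le, flags,
        0x20,           # FileAttributes: FILE_ATTRIBUTE_ARCHIVE
        0, 0, 0,        # creation / access / write FILETIMEs (unused here)
        0, 0,           # FileSize, IconIndex
        show_command,
        0, 0, 0, 0,     # HotKey, Reserved1, Reserved2, Reserved3
    )
    body = b"".join(_string_data(s) for s in (relative_path, working_dir, arguments, icon_location))
    return header + body


def parse_lnk(data):
    """Parse header fields and StringData; raises ValueError on a malformed link."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short to be a shell link")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != HEADER_SIZE or uuid.UUID(bytes_le=clsid) != LNK_CLSID:
        raise ValueError("not a shell link header")
    show_command = struct.unpack_from("<I", data, 0x3C)[0]
    offset = HEADER_SIZE
    if flags & HAS_ID_LIST:                       # skip the optional target IDList
        offset += 2 + struct.unpack_from("<H", data, offset)[0]
    if flags & HAS_LINK_INFO:                     # LinkInfoSize counts itself
        offset += struct.unpack_from("<I", data, offset)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for name, bit in (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                      ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                      ("icon_location", HAS_ICON_LOCATION)):
        if not flags & bit:
            fields[name] = None
            continue
        count = struct.unpack_from("<H", data, offset)[0]
        offset += 2
        nbytes = count * 2 if unicode else count
        raw = data[offset:offset + nbytes]
        if len(raw) != nbytes:
            raise ValueError("truncated StringData")
        fields[name] = raw.decode("utf-16-le" if unicode else "cp1252")
        offset += nbytes
    return {"flags": flags, "show_command": show_command, **fields}


def assess_shortcut(filename, data):
    """Return a list of indicator strings; an empty list means nothing suspicious."""
    findings = []
    lower = filename.lower()
    if lower.endswith(".lnk") and lower[:-4].endswith(MEDIA_EXTENSIONS):
        findings.append("media double extension: shortcut named like a video/audio file")
    info = parse_lnk(data)
    if "powershell" in (info["relative_path"] or "").lower():
        findings.append("target is PowerShell")
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("window starts minimised (ShowCommand=7)")
    args = (info["arguments"] or "").lower()
    if "hidden" in args and ("-w " in args or "-windowstyle" in args):
        findings.append("arguments request a hidden PowerShell window")
    return findings


# Constructed samples (placeholders, not real malware)
FAKE_MOVIE_NAME = "Some.Movie.2018.1080p.mkv.lnk"
FAKE_MOVIE_LNK = build_lnk(
    relative_path=r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    working_dir=r"C:\Windows\System32",
    arguments='-WindowStyle Hidden -NoProfile -Command "<PLACEHOLDER: download stage>"',
    icon_location=r"%SystemRoot%\System32\shell32.dll",
    show_command=SW_SHOWMINNOACTIVE,
)
BENIGN_NAME = "Notes.lnk"
BENIGN_LNK = build_lnk(
    relative_path=r"..\..\..\Windows\System32\notepad.exe",
    working_dir=r"C:\Users\Example\Documents",
    arguments="",
    icon_location=r"%SystemRoot%\System32\notepad.exe",
    show_command=SW_SHOWNORMAL,
)

if __name__ == "__main__":
    for name, blob in ((FAKE_MOVIE_NAME, FAKE_MOVIE_LNK), (BENIGN_NAME, BENIGN_LNK)):
        print(name, "->", assess_shortcut(name, blob) or "no indicators")
```

The parser deliberately stops after StringData; the ExtraData blocks that follow in a real file are not needed for these checks. On a real download directory you would call `assess_shortcut` on every `*.lnk` (Explorer hides that extension by default, which is exactly why the double-extension check matters) and treat any hit pointing at PowerShell as something to quarantine and inspect rather than open.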
------
kakarot
> MacAfee Labs – one of the most well-known cybersecurity companies in the
> world

Alright, I'm just gonna stop reading right there. Literally pick any
cybersecurity company to quote other than McAfee.

~~~
MRD85
Are you able to explain what is wrong with McAfee? I'm not knowledgeable in
this area.

~~~
kakarot
John McAfee left only a few years into the company, and then McAfee AV slowly
morphed into one of the most bloated applications in the business, riddled
with spyware. They were one of the first to begin selling customer data, like
Norton, AVG, Avast and others are now doing as well.

I'm sure McAfee employs a few smart people but the management is radioactive.
They simply do not have a cutting-edge security culture and people are their
products, not their customers. Like Norton, they employ scare tactics and Dark
UI in order to coerce customers into keeping the software installed. They try
to worm their way into default installations so that they can exploit a
computer for its entire lifetime.

Kaspersky recently released a security bulletin on crypto mining and theft;
they may be Russian, but they are a crack security team and I would trust them
over any of the other companies I've mentioned.

[https://securelist.com/kaspersky-security-bulletin-2018-story-of-the-year-miners/89096/](https://securelist.com/kaspersky-security-bulletin-2018-story-of-the-year-miners/89096/)

~~~
MRD85
Thank you for the reply. I've only recently started becoming interested in
cyber security; I participated in my first CTF late last year. I'm still very
uninformed about the wider cyber security culture.

------
walrus01
How do you "infect" a .torrent file? Sounds to me it's more like tricking
people into running a .exe.

------
upofadown
After reading the other sources, it appears that this exploits the way Windows
executes things without warning the user. You download a video file, you click
on it, and Windows unexpectedly executes some hostile code. What the payload
does after that isn't really all that interesting; it could be made to do
anything.

