The Pirate Bay is once again in the middle of a controversy as a Windows shortcut file is infecting PCs to steal digital currencies.
The malicious file is posing a movie file on The Pirate Bay torrent tracker.
Once it is installed, it triggers a series of malicious activities on the infected computer.
Bleeping Computer recently reported the malicious activities of the file in detail on their website.
What Does the File Do?
The file was discovered after the security researcher 0xffff0800 downloaded a movie file from The Pirate Bay and found a .LNK shortcut instead of a video.
The shortcut executed a PowerShell command and had a low detection rate on an antivirus scanning service.
Virus scan results indicated a sample of an advanced threat actor known as CozyBear, which was discovered in 2015 and is still active. However, the detection was a false positive.
FireEye’s Advanced Practices Team’s Nick Carr said that .LNK files are common in pirated content. According to Trend Micro, their use increased sharply in 2017.
The Problems Run Deeper
Lawrence Abrams from Bleeping Computer also analyzed the file and showed that the file would inject malicious results on Google, Yandex and Wikipedia pages.
It would simultaneously monitor web pages for Ethereum, and Bitcoin wallet addresses and replaces them with those of the attacker.
The malware modifies Windows registry keys to disable Windows Defender.
It also installs an extension called ‘Firefox Protection’ in the Firefox Browser and hijacks the ‘Chrome Media Router’ extension on Chrome browser.
The file doesn’t end its campaign here. It also injects a fake donation banner on Wikipedia which states:
“Wikipedia now accepts cryptocurrency donations and provides two cryptocurrency addresses to send ‘donate’ to.”
The site lists two wallets- one for Bitcoin that had $70 worth of BTC, and second for Ethereum which had $600 worth of ETH stored on them.
A full list of the malicious code’s activities can be found on the Bleeping Computer website.