Fake ‘One Battle After Another’ torrent hides malware in subtitles (www.bleepingcomputer.com)
from cm0002@suppo.fi to cybersecurity@infosec.pub on 15 Dec 00:41
https://suppo.fi/post/9494370

#cybersecurity


asbestos@lemmy.world on 15 Dec 01:04 next collapse

Very interesting approach

someguy3@lemmy.world on 15 Dec 01:33 next collapse

When the CD shortcut is executed, it launches Windows commands that extract and run a malicious PowerShell script embedded in the subtitle file between lines 100 and 103.

This PowerShell script will then extract numerous AES-encrypted data blocks from the subtitles file again to reconstruct five PowerShell scripts that are dropped to ‘C:\Users\<USER>\AppData\Local\Microsoft\Diagnostics.’

The extracted PowerShell scripts act as a malware dropper, performing the following actions on the host:
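A defender-side check for the technique in the quoted excerpt, added here as an example (not code from the article or from the malware): a small SRT validator that reports caption lines which do not fit the cue grammar or which carry script-like content. The indicator list and the sample subtitle file are assumptions constructed for this example.

```python
import re
from typing import List, Tuple

# Indicators that have no place in caption text: script launchers, decoding helpers
# and long encoded blobs. This token list is the example's own assumption.
SCRIPT_RE = re.compile(r"powershell|cmd(\.exe)?\s+/c|\biex\b|frombase64string|"
                       r"-enc(odedcommand)?\b|invoke-expression", re.I)
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
TIMESTAMP = re.compile(r"^\d{2}:\d{2}:\d{2},\d{3} --> \d{2}:\d{2}:\d{2},\d{3}")

# Constructed sample: clean cues, a launcher line, an encoded blob, and a bad block.
SAMPLE_SRT = """1
00:00:01,000 --> 00:00:03,000
I think we're done here.

2
00:00:04,000 --> 00:00:06,000
powershell -enc QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5

3
00:00:07,000 --> 00:00:09,000
You'll want to see this.
$k = "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5"

4
This line is where a timestamp should be
"""

def scan_srt(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, reason) for each suspicious line of an SRT file."""
    lines = text.splitlines()
    findings = []
    i = 0
    while i < len(lines):
        if not lines[i].strip():              # blank separator between cues
            i += 1
        elif (lines[i].strip().isdigit() and i + 1 < len(lines)
              and TIMESTAMP.match(lines[i + 1])):
            i += 2                            # consume index + timestamp lines
            while i < len(lines) and lines[i].strip():   # caption text lines
                if SCRIPT_RE.search(lines[i]):
                    findings.append((i + 1, "script token in caption text"))
                elif BASE64_RUN.search(lines[i]):
                    findings.append((i + 1, "long base64-like run in caption text"))
                i += 1
        else:                                 # structural anomaly: skip the block
            findings.append((i + 1, "line does not start a valid cue"))
            while i < len(lines) and lines[i].strip():
                i += 1
    return findings
```

Running `scan_srt` over a subtitle file before handing it to a player is a cheap way to notice that a "caption" file is really carrying a dropper.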

RunJun@lemmy.dbzer0.com on 15 Dec 02:18 collapse

Very interesting. Since I left windows, this isn’t an issue for me but I will be more aware that this can happen now.

FlexibleToast@lemmy.world on 15 Dec 02:54 next collapse

Kind of makes me want to install ClamAV just to watch for viruses I wouldn’t otherwise know about because I’m using Linux everywhere.

frongt@lemmy.zip on 15 Dec 05:18 collapse

I did that for a while. It didn’t find any. I think because there weren’t any to find.

Decq@lemmy.world on 15 Dec 11:55 collapse

There isn’t really anything new to learn here. It’s still the same old, don’t run an executable to watch a movie. That the code is partly hidden in the srt/jpg is just a minor implementation detail.

altkey@lemmy.dbzer0.com on 15 Dec 04:06 next collapse

She said what now?

[image: surprised penguin]

REDACTED@infosec.pub on 15 Dec 09:31 collapse

We get it, you vape use arch

chicken@lemmy.dbzer0.com on 15 Dec 10:31 next collapse

So wait, literally all it took was putting command line commands on their own line in a subtitles file? Am I interpreting this right?

ticoombs@reddthat.com on 15 Dec 10:39 collapse

No/yes. In a text file there are commands to run, and then they made a script to run those commands. They then make the script look like a “double click this to get it to work”. Nothing new.

chicken@lemmy.dbzer0.com on 15 Dec 10:52 collapse

Oh, so it wasn’t a video player having an absurd exploit then.

Mongostein@lemmy.ca on 15 Dec 22:35 collapse

Why would you try to open a movie with .m2ts?