
A new crypto-malware is capitalizing on the success of the latest episode of the Spider-Man franchise, “Spider-Man: No Way Home.” The film recently debuted internationally and shattered all revenue expectations in its first weekend, grossing more than $250 million worldwide.
According to a report by ReasonLabs, a cybersecurity company, unscrupulous actors exploited the excitement generated by the latest Marvel film. The “Spier-Miner” virus was designed to “lure victims” to a Torrent file containing a purported copy of “No Way Home.”
A torrent is a file shared by numerous users worldwide and is typically downloaded from platforms such as ThePirateBay. Because of its decentralized distribution, this sort of file can evade censorship and national security organizations, to the profit or detriment of its users.
Reason Security recognized the file as “spider-man net putidmoi.torrent.exe,” which translates from Russian as “spider-man no wayhome.torrent.exe.” If a victim of this crypto-malware downloads the file, they will experience the following symptoms:
To keep its activity going, this miner adds exclusions to Windows Defender, creates persistence, and runs a monitoring process.
According to the report, the crypto-malware was created to avoid detection. As a result, its processes are “named legitimately.” Reason Security stated that the malicious program may “start a process and inject its contained resources into another process.”
The destination is a folder in the Windows directory. The malware decompresses data at runtime into an svchost.exe process in order to infect the machine and steal computer resources. Furthermore, the malicious software can wreak havoc on Microsoft Defender, the most widely used anti-virus for Windows machines.
The software launches two encoded PowerShell commands that add the following exclusions to Microsoft Defender, telling it to disregard all user profile folders, the system disk (i.e. “c:”), and all files with “.exe” or “.dll” extensions.
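Defenders can hunt for this behaviour in process-creation logs. The following Python is an added example, not code from the ReasonLabs report: it decodes PowerShell `-EncodedCommand` arguments and flags Defender exclusions as broad as the ones described above. The sample command lines are constructed to match that description, and the function names are hypothetical.

```python
import base64
import re

# -EncodedCommand takes Base64 of a UTF-16LE script; PowerShell also accepts prefixes (-e, -enc) and -ec.
FLAG_RE = re.compile(r"\s-(\w+)\s+([A-Za-z0-9+/]{16,}={0,2})")
PARAM_RE = re.compile(r"(?i)-(Exclusion(?:Path|Extension))\s+(.+?)(?=\s+-\w|$)")
BROAD_PATH = re.compile(r"(?i)^(?:[a-z]:\\?|[a-z]:\\users\\?|\$env:(?:userprofile|systemdrive)\\?)$")
BROAD_EXT = {"exe", "dll"}

def decode_encoded_command(cmdline):
    """Return the script passed via -EncodedCommand, or None if there is none."""
    for flag, blob in FLAG_RE.findall(cmdline):
        f = flag.lower()
        if f == "ec" or "encodedcommand".startswith(f):
            try:
                return base64.b64decode(blob, validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None

def broad_defender_exclusions(cmdline):
    """List (parameter, value) pairs for over-broad Defender exclusions in one command line."""
    script = decode_encoded_command(cmdline) or cmdline
    hits = []
    for stmt in re.split(r"[;\n]", script):
        if not re.search(r"(?i)\b(?:Add|Set)-MpPreference\b", stmt):
            continue
        for param, raw in PARAM_RE.findall(stmt):
            for value in (v.strip(" '\"@()") for v in raw.split(",")):
                if param.lower() == "exclusionpath" and BROAD_PATH.match(value):
                    hits.append((param, value))
                elif param.lower() == "exclusionextension" and value.lower().lstrip(".") in BROAD_EXT:
                    hits.append((param, value))
    return hits

def _enc(script):
    """Helper used only to construct the sample input below."""
    return base64.b64encode(script.encode("utf-16-le")).decode()

SAMPLES = [  # constructed process-creation command lines, not taken from the report
    "powershell.exe -NoProfile -EncodedCommand "
    + _enc("Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force"),
    "powershell.exe -enc " + _enc("Add-MpPreference -ExclusionExtension @('exe','dll') -Force"),
    "powershell.exe -Command Add-MpPreference -ExclusionPath 'C:\\Build\\cache'",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(broad_defender_exclusions(line) or "no broad exclusion", "<-", line[:60])
```

On a live Windows host, the exclusions currently in force can be compared against the same criteria with `Get-MpPreference`.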
Once successfully installed, the crypto-malware uses the computer’s processing power to mine Monero, a privacy coin with completely untraceable transactions. The mining operation is kept running by a file called “oocetcmsrfsmni.”
The study claims that, after analyzing the svchost.exe process, its authors were able to identify the resource responsible for the mining. The crypto-malware introduced the “xmrig” mining program, which mines Monero, into this folder, as shown in the image below.
The malicious software can avoid detection by programs such as Task Manager, Perfmon, Process Hacker, and Process Explorer. Finally, Reason advised users to:
Although this malware does not breach personal information (which is what most users are concerned about when considering a virus on their computer), the damage caused by a miner can be noticed in the user’s electricity bill. This is real money that they must pay (…)
As of press time, XMR was trading at $205, down 1.4 percent in the previous 24 hours.




