skip to Main Content

Who use torrents and streaming is at risk of a double hacker attack

Malwarebytes cyber security experts: The cybercrime with a torrent malvertising campaign tries to inoculate malware and then ransomware first

Torrent and streaming users around the world are undergoing hacker attacks through a malvertising campaign. Malwarebytes cyber security researchers discovered it. Cyber attacks occur in two phases. In the first, is inoculated a malware that steals data and information. In the second, a ransomware that encrypts victims’ files and asks them for a ransom to unlock them. The cybercrime gang uses Internet Explorer and Flash Player flaws, which are part of the Fallout exploit kit. Cybercriminals engage potential targets, bait torrent files or the latest movies, programs and events live and free. In fact, they take them to download the two malicious payloads, which then with a precise sequence will infect their machines.

The malware used for hacker attacks is Vidar. It steals information and data from victims, without them being aware of it

In this cyber double malvertising campaign, the malware used is Vidar. This targets a series of victims’ information: from passwords to documents, through screenshots, browser history, credit card data and those stored in software for double factor authentication. Furthermore, the malicious code can affect virtual portfolios that contain Bitcoin and other cryptocurrencies. Moreover, it is very easily camouflaged within the system. So much so that the victims are unaware that they have been compromised. Hence probably the name, in memory of Norse God Víðarr the Silent.

The ransomware, on the other hand, is GandCrab. It is one of the most dangerous malware in circulation and is constantly updated to make the work of cyber security experts difficult

The information stolen from Vidar is sent to the command and control servers (C2) of malicious hackers. The latter, in addition to storing them, also download the second malware: GandCrab ransomware, one of the most active malicious file-encrypting families currently on the Internet. The code, in fact, is regularly updated with new capabilities, which on the one hand make it more and more powerful. On the other hand, they complicate the work of cyber security experts and software to discover, analyze and neutralize it. In the case of double hacker attacks, version 5.04 is used, inoculated into the victim’s system about a minute after the Vidar download. As soon as it is installed, it encrypts all the files and sends the user a message asking for payment of a ransom in Bitcoin or Dash.

The double cyber attack using torrents and streaming could have various purposes. Not only make profits, but also cover the tracks and remain invisible as long as possible

Some cyber security experts believe that the goal of cybercrime is not just to make the most out of the victim. The double attack could have different purposes. In particular the use of GandCrab in phase two of hacker aggression. Here the hypotheses are two. In the first ransomware could serve to cover the work of Vidar, and then guarantee to those who stole the information a time window to use them, before they are locked and become useless. In the second, more catastrophic, malicious actors could even use malware to destroy infected systems in order to cover the tracks.

Back To Top