In a recent bizarre set of incidents, a news report published by BleepingComputer on Saturday, Jan. 12th 2019, reveals a new malicious Windows file circulating the web inside a torrent from torrent client “The Pirate Bay (TPB).” The malicious file is a shortcut bundled in a torrent for the movie The Girl in the Spider’s Web, available at TPB. It can manipulate web pages, i.e. post ads on websites like Google Search, Wikipedia, and Yandex Search, and steal cryptocurrencies by replacing Bitcoin (BTC) and Ether (ETH) addresses.
The torrent, which was titled The Girl in the Spider’s Web, contained a .lnk shortcut instead of a video file, and that shortcut executed a PowerShell command. The malicious file was originally thought to be a lame gimmick by the uploader to post crypto ads on Google search results, but in fact it had much more going on. Examination of the file’s contents found that, along with posting ads and manipulating search results to show certain content links at the top of the search page, the malicious file was programmed to swap out cryptocurrency wallet addresses for ones owned by the attacker, by using the Windows’ default copy+paste function.
Among its other attack features, the malware posts fake banners on Wikipedia; the banners invite users to transfer BTC and ETH to specific addresses.
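The lure described above, a .lnk shortcut where a video file was expected, can be checked for before anything in a download is opened. The following Python is an added example, not code from the report: it reads a shortcut's string fields following the MS-SHLLINK layout and flags one that names a script interpreter. The function names, the interpreter list and the sample bytes are assumptions constructed for illustration, and only the StringData section is inspected.

```python
import struct
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# StringData fields in on-disk order, with their LinkFlags bit (MS-SHLLINK).
STRING_FIELDS = [("name", 2), ("relative_path", 3), ("working_dir", 4),
                 ("arguments", 5), ("icon_location", 6)]
INTERPRETERS = ("powershell", "pwsh", "cmd.exe", "wscript", "cscript", "mshta")

def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields of a .lnk; ValueError on a bad header."""
    # Assumption: the IDList and LinkInfo sections are skipped, not decoded.
    if len(data) < 76 or struct.unpack_from("<I", data)[0] != 0x4C \
            or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76
    if flags & 0x1:   # HasLinkTargetIDList: 2-byte size, then the list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & 0x2:   # HasLinkInfo: 4-byte size that includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode_ = bool(flags & 0x80)   # IsUnicode: strings are UTF-16LE
    out = {}
    for field in [f for f, bit in STRING_FIELDS if flags & (1 << bit)]:
        count = struct.unpack_from("<H", data, pos)[0]
        size = count * 2 if unicode_ else count
        raw = data[pos + 2:pos + 2 + size]
        if len(raw) != size:
            raise ValueError("truncated string data")
        out[field] = raw.decode("utf-16-le" if unicode_ else "cp1252", "replace")
        pos += 2 + size
    return out

def triage(filename: str, data: bytes) -> list:
    """Findings for one file taken from a download folder."""
    if not filename.lower().endswith(".lnk"):
        return []
    findings = ["shortcut where a media file was expected"]
    text = " ".join(parse_lnk_strings(data).values()).lower()
    hits = [i for i in INTERPRETERS if i in text]
    if hits:
        findings.append("launches script interpreter: " + ", ".join(hits))
    return findings

def _constructed_lnk(rel_path: str, args: str) -> bytes:
    """Constructed sample: header plus two Unicode strings, no IDList/LinkInfo."""
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, 0x8 | 0x20 | 0x80) + bytes(52)
    pack = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + pack(rel_path) + pack(args)
SAMPLE = _constructed_lnk(r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                          "-NoProfile -Command Write-Output constructed-sample")
```

Calling `triage("Constructed.Movie.2018.lnk", SAMPLE)` returns both findings; a shortcut whose target lives only in the IDList or LinkInfo section would need a fuller parser to be flagged by the second check.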