Cybercriminals have found a new way to infect computers running Windows. A fake copy of the film One Battle After Another featuring Leonardo DiCaprio, distributed through torrent networks, carries malware hidden in… a subtitle file. Experts warn that this is just the beginning of a new wave of attacks. The threat was identified by BitDefender, which points to it as an example of increasingly sophisticated malware distribution that exploits users' trust in popular film titles. Once the malware is installed, attackers gain full remote access to the victim's computer.
“This type of malware is designed with one goal – to provide cybercriminals with unrestricted access to the Windows system. Once they take control, they can steal financial and personal data or use the computer for further attacks” – warns BitDefender.
Malware hidden in subtitles
The payload itself is nothing new: it is the well-known Agent Tesla malware. What is new is the way it is distributed. The malware is spread through torrents containing a fake version of the film One Battle After Another and, according to BitDefender, possibly other popular titles as well. Importantly, many users never notice that no film ever plays, because the infection is triggered before any video would start.
BitDefender estimates that several thousand people have already fallen for this trick. The torrent package contains a Windows shortcut file named CD.lnk, presented as the way to start the film; Windows Explorer never displays the .lnk extension, so the shortcut can easily pass for a media file. Opening it instead initiates a chain of scripts that abuse legitimate Windows processes.
The key element of the attack is hidden in the subtitle file, specifically at line 5005, where a PowerShell command that starts the installation of the malware is embedded. The rest of the subtitle file looks completely normal, which makes the threat much harder to spot: a subtitle file is plain text and cannot execute on its own, so it attracts far less suspicion than an executable. BitDefender has published a detailed description of the entire mechanism on its blog.
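As an added example, not code from the article or from BitDefender, the following Python script shows how a practitioner could triage a torrent package of this kind: it parses an .srt file as a sequence of cues (index line, timing line, text, blank line) and reports any line that either breaks that grammar or contains command-line and script indicators, together with its line number, and it flags shortcut or executable files in the package listing. The indicator list, the length threshold and the sample subtitle track are my own constructions and are not the indicators BitDefender published for this campaign.

```python
import re
import sys

# Minimal SRT cue grammar: index line, timing line, one or more text lines, blank line.
TIMING_RE = re.compile(r"^\d{2}:\d{2}:\d{2},\d{3} --> \d{2}:\d{2}:\d{2},\d{3}")

# Indicators of command/script payloads. Assumed, general-purpose list written for this
# example; it is not BitDefender's published indicator set for this campaign.
SUSPICIOUS_RE = re.compile(
    r"(powershell|pwsh|-EncodedCommand|-enc\b|Invoke-Expression|\bIEX\b|DownloadString|"
    r"DownloadFile|FromBase64String|cmd\.exe|mshta|rundll32|regsvr32|wscript|cscript|"
    r"certutil|bitsadmin)",
    re.IGNORECASE,
)

# File types that have no business in a "movie" torrent; .lnk is the one named in the article.
EXEC_EXTS = (".lnk", ".exe", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".hta", ".pif")

MAX_CUE_LEN = 200  # real captions are short; the threshold is an assumption for this example


def scan_srt(text):
    """Return findings as (line_number, reason, line) for anything that does not look like
    ordinary subtitle content."""
    findings = []
    state = "index"  # what the next non-blank line should be: index -> timing -> text
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.lstrip("\ufeff").rstrip()
        if SUSPICIOUS_RE.search(line):
            findings.append((n, "script indicator", line))
        if state == "index":
            if line == "":
                continue  # tolerate extra blank lines between cues
            if line.isdigit():
                state = "timing"
            else:
                findings.append((n, "expected cue index", line))
        elif state == "timing":
            if TIMING_RE.match(line):
                state = "text"
            else:
                findings.append((n, "expected timing line", line))
                state = "index"
        else:  # cue text
            if line == "":
                state = "index"
            elif len(line) > MAX_CUE_LEN:
                findings.append((n, "overlong cue text", line))
    return findings


def suspicious_package_entries(names):
    """Flag files in a torrent listing whose extension marks them as executable or a shortcut."""
    return [(name, "executable/shortcut in media package")
            for name in names if name.lower().endswith(EXEC_EXTS)]


# Constructed sample: a normal-looking subtitle track with one planted PowerShell cue and a
# stray command line appended after the last cue. This is not the file from the campaign.
SAMPLE_SRT = (
    "1\n"
    "00:00:01,000 --> 00:00:03,500\n"
    "- Did you bring the file?\n"
    "\n"
    "2\n"
    "00:00:04,000 --> 00:00:06,000\n"
    "powershell -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA\n"
    "\n"
    "3\n"
    "00:00:07,000 --> 00:00:09,000\n"
    "See you tomorrow.\n"
    "\n"
    "cmd.exe /c start \"\" CD.lnk\n"
)

# Constructed package listing; CD.lnk is the shortcut name the article reports.
SAMPLE_PACKAGE = ["One.Battle.After.Another.mkv", "One.Battle.After.Another.srt", "CD.lnk"]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_SRT
    for n, reason, line in scan_srt(text):
        print(f"line {n}: {reason}: {line[:80]}")
    for name, reason in suspicious_package_entries(SAMPLE_PACKAGE):
        print(f"{name}: {reason}")
```

Run it against a downloaded subtitle with `python scan_srt.py file.srt`; the reported line number is how you would confirm a claim like the one above (a command at line 5005). The two checks are deliberately independent: a keyword hit is the strong signal, while the grammar check catches a line parked outside the index/timing/text pattern or far longer than any real caption even when it uses a tool not on the list. A short command planted as ordinary cue text, as in the sample, is only caught by the indicator list, which is why both are needed.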
This is only the beginning
This is not the first case of using fake torrents to infect computers.
“Previously, the film Mission: Impossible – The Final Reckoning was used to distribute the Lumma Stealer malware, which steals passwords, cookies, cryptocurrency wallet data, as well as credentials for remote desktop tools” – reminds BitDefender.
Experts have no doubt that the situation will worsen.
“In the last few years, the number of infected torrents promising the latest films and series has dramatically increased. Attackers have clearly discovered an effective attack vector, and Agent Tesla is becoming one of their favourite tools” – summarizes the company.
Katarzyna Petru