A recent campaign is spreading malware embedded in pirated copies of popular summer blockbusters like Shang-Chi and the Legend of the Ten Rings. Threat actors have been shipping malware embedded in pirated movies that are easily available on Torrent networks. In such campaigns, corrupted movie files trick users into running a batch program that downloads a compatible CODEC for the video file.
In some cases, the video file stops during playback and prompts the user to execute the bundled batch program to install the missing CODECS. In other cases, the download includes a README file instructing the user to run the same batch file. The dropper malware masquerades as a .srt file (a legitimate file type that holds the video's subtitles); in this case the .srt file is a hexadecimal-encoded dropper written in C++ [-1-].
In the above screenshot, the subtitle file named ‘75095_VTS.srt’ contains the encoded payload, and the file named ‘Ultra XVid Codec Setup.bat’ contains the loader batch program of the malware.
Technical Analysis
The loader batch program file has two parts:
1. UAC elevation: The code segment below is responsible for running the batch program as administrator, bypassing Windows UAC. The exact code is available on Stack Overflow. [-2-]
The code segment given below is part of the same batch program; it is executed with administrator privileges after the elevation and runs two PowerShell commands that exclude the file types ‘.exe’ and ‘.srt’ from security monitoring.
The ‘ping’ command is used as a sleep mechanism.
2. Malware deployment: The final delivery of payload is via the ‘certutil’ application on Windows. Certutil has been abused by adversaries as a ‘living off the land’ tactic for deploying malware stagers and loaders.
The batch program decodes the hexadecimal-encoded payload (the .srt file) into another .srt file, which is executable once decoded. The command used for decoding is:
certutil -decodehex -f 75095_VTS.srt 75095_VTS_tmp.srt
Finally, the batch program launches the malware by executing the decoded executable (still carrying the .srt name) with the following command:
start 75095_VTS_tmp.srt
The final executable payload can be easily detected by over 60 security vendors.
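The loader steps above (Defender exclusions via PowerShell, ping as a sleep, certutil hex-decoding, launching the decoded .srt) are all visible in process command lines, and the hex-decoding step is easy to check offline. The following Python is an added example, not code from the original write-up: it scans constructed process-creation events (modelled on the commands quoted above) for those loader behaviours, and it emulates the decode step to test whether a supposed subtitle file is really a Windows executable. It assumes the .srt is plain hex text with optional whitespace rather than certutil's offset-annotated dump format, and the event dictionaries are a constructed stand-in for a real process-creation log.

```python
import re
import binascii
from typing import Iterable

# Patterns for the loader behaviours described in the write-up. These are
# constructed detection rules written for this example, not the author's own.
LOADER_PATTERNS = {
    "certutil_decodehex": re.compile(r"certutil(\.exe)?\s+.*-decodehex", re.I),
    "defender_exclusion": re.compile(
        r"Add-MpPreference\s+.*-Exclusion(Extension|Path|Process)", re.I),
    "ping_sleep": re.compile(
        r"ping(\.exe)?\s+.*-n\s+\d+\s+.*(127\.0\.0\.1|localhost)", re.I),
    "start_srt": re.compile(r"\bstart\s+\S+\.srt\b", re.I),
}

# Constructed sample of process-creation events (pid, image, command line),
# modelled on the commands quoted in the analysis plus one benign process.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'powershell -Command Add-MpPreference -ExclusionExtension ".exe",".srt"'},
    {"pid": 4121, "image": r"C:\Windows\System32\PING.EXE",
     "cmdline": "ping -n 5 127.0.0.1 >nul"},
    {"pid": 4122, "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil -decodehex -f 75095_VTS.srt 75095_VTS_tmp.srt"},
    {"pid": 4123, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "start 75095_VTS_tmp.srt"},
    {"pid": 4124, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe readme.txt"},
]


def classify_command_line(cmd: str) -> list[str]:
    """Return the names of every loader pattern that matches one command line."""
    return [name for name, pat in LOADER_PATTERNS.items() if pat.search(cmd)]


def scan_process_events(events: Iterable[dict]) -> list[dict]:
    """Scan process-creation events and return one finding per matching event.
    A single batch file produces several of these hits in quick succession,
    which is a stronger signal than any one of them alone."""
    findings = []
    for ev in events:
        hits = classify_command_line(ev.get("cmdline", ""))
        if hits:
            findings.append({"pid": ev["pid"], "image": ev["image"], "hits": hits})
    return findings


def hex_decoded_is_pe(hex_text: str) -> bool:
    """Emulate 'certutil -decodehex' on a plain-hex text blob and report whether
    the result starts with the 'MZ' DOS header, i.e. whether a file with a
    non-executable extension such as .srt is actually a Windows executable.
    Assumption: plain hex with optional whitespace, not certutil's dump format."""
    cleaned = re.sub(r"\s+", "", hex_text)
    if len(cleaned) % 2 or not re.fullmatch(r"[0-9a-fA-F]*", cleaned):
        return False  # not decodable as hex at all
    try:
        data = binascii.unhexlify(cleaned)
    except binascii.Error:
        return False
    return data[:2] == b"MZ"


if __name__ == "__main__":
    for finding in scan_process_events(SAMPLE_EVENTS):
        print(finding["pid"], finding["image"], ", ".join(finding["hits"]))
    # Constructed hex blobs: a PE-like header versus the start of a real subtitle file.
    print("PE behind .srt:", hex_decoded_is_pe("4D 5A 90 00\n03 00 00 00"))
    print("genuine subtitle:", hex_decoded_is_pe("31 0a 30 30 3a 30 30"))
```

In practice the event list would come from Sysmon process-creation events or an EDR's command-line telemetry, and the hex check would be run over the .srt sitting next to a suspicious batch file rather than over an inline string.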
Detailed Analysis
Our analysis has revealed that:
- The final payload shows the characteristics of a very generic RAT (Remote Access Trojan).
- Dropped files: Files are dropped to the C:\Users\SYM\AppData\Local\Route0\ directory; among them are two executables, route.exe and zroute.exe.
- Persistence: The malware modifies the registry of the victim machine by adding a value named “11f86284” under the key Computer\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. The value points to route.exe in the C:\Users\SYM\AppData\Local\Route0\ directory, so the malware is relaunched after a system restart.
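The two traits of that persistence entry, a Run value with a random-looking name and an image sitting in a user-writable directory, can be audited from a registry export. The Python below is an added example, not code from the original analysis: it parses the REG_SZ values out of a .reg export of the Run key (as produced by reg export, assumed already decoded from UTF-16 to text) and flags values with either trait. The export text is constructed for this example, modelled on the value described above; the OneDrive entry is benign filler and not from the write-up.

```python
import re

# Constructed sample of a 'reg export' of the HKCU Run key. REG files double
# backslashes and escape embedded quotes with a backslash.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"11f86284"="C:\\Users\\SYM\\AppData\\Local\\Route0\\route.exe"
"Dword-Example"=dword:00000001
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
SZ_VALUE_RE = re.compile(r'^"([^"]*)"="(.*)"$')
# Heuristics: images under AppData or Temp are user-writable; value names made
# only of hex digits look machine-generated.
USER_WRITABLE_RE = re.compile(r"\\AppData\\(Local|Roaming)\\|\\Temp\\", re.I)
RANDOM_NAME_RE = re.compile(r"[0-9a-f]{8,}", re.I)


def unescape_reg_string(s: str) -> str:
    """Undo REG-file escaping: a backslash before '"' or '\\' is dropped."""
    return re.sub(r'\\(["\\])', r"\1", s)


def parse_reg_export(text: str) -> dict[str, dict[str, str]]:
    """Parse string (REG_SZ) values out of a .reg export.
    Returns {key_path: {value_name: value_data}}; dword/hex values are skipped."""
    result: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            result.setdefault(current, {})
            continue
        m = SZ_VALUE_RE.match(line)
        if m and current is not None:
            result[current][m.group(1)] = unescape_reg_string(m.group(2))
    return result


def extract_image_path(command: str) -> str:
    """Pull the executable path out of a Run value: a quoted path, or else the
    first whitespace-delimited token (heuristic; unquoted paths containing
    spaces are cut short)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def audit_run_values(parsed: dict[str, dict[str, str]]) -> list[dict]:
    """Flag Run values whose image lives in a user-writable directory or whose
    value name looks like a random hex token."""
    findings = []
    for key, values in parsed.items():
        if not key.lower().endswith(r"\currentversion\run"):
            continue
        for name, command in values.items():
            image = extract_image_path(command)
            reasons = []
            if USER_WRITABLE_RE.search(image):
                reasons.append("user-writable path")
            if RANDOM_NAME_RE.fullmatch(name):
                reasons.append("random-looking value name")
            if reasons:
                findings.append({"key": key, "name": name,
                                 "image": image, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_run_values(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f["name"], "->", f["image"], ";", ", ".join(f["reasons"]))
```

Both heuristics fire on the entry described above and neither fires on the benign filler, which is the point of combining them: a legitimate installer occasionally uses an AppData path, but rarely with a hex-only value name.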
Campaign History
A quick Google search of the filenames linked to this campaign reveals a plethora of domains hosting the same malicious files under similar names. Because these domains have high page rankings, they appear at the top of Google’s search results. This is not a coincidence but a deliberate strategy by the threat actors to dupe unsuspecting users into visiting infected domains and downloading corrupted files.
Attackers target sites running on common and popular CMSs (Content Management Systems) and then take control of the application to host their infected files. In peer-to-peer networks such as Torrent, it is not uncommon to see pirated movies used as bait to lure users into downloading infected files.
Malicious torrent files are hosted on compromised domains with high SEO and page ranks. Attackers exploit popular and trending movie titles to link to files that are not even valid movie files, such as a corrupted video file that, when played, displays an error box and pushes the user to run the malicious script bundled with the pirated movie to resolve the supposed missing CODEC issue.
Sources that host malicious files
References
Indicators of Compromise
Type | IP Addresses | DNS
C2 | 81.89.133.248, 20.50.102.62 |