A malicious Windows shortcut file posing as a movie on The Pirate Bay torrent tracker can trigger a chain of mischievous activities on your computer, such as injecting attacker-controlled content into high-profile web sites like Wikipedia, Google and Yandex Search, or stealing cryptocurrency.
Malware on TPB is not a new thing, but the method used to infect a victim’s computer and the large amount of varied malicious activities discovered by BleepingComputer are quite interesting.
It started when security researcher 0xffff0800 found a nasty surprise in the files for the movie The Girl in the Spider’s Web (official trailer – it’s a hacker movie) downloaded from TPB. At that time, the movie had 2,375 seeders.
Instead of a video file, he found a .LNK shortcut that executed a PowerShell command. The icon of the file attracted his attention, so he ran it through VirusTotal antivirus scanning service.
The results returned a low detection rate and indicated a sample of CozyBear, a piece of malware used by an advanced threat actor known by the same name and a few others (APT29, CozyDuke, CozyCar, Grizzly Bear). The group was discovered in 2015 and is still active, targeting Windows platforms.
One of the infection methods still used by the group relies on a weaponized .LNK file that runs a PowerShell command and extracts a script from the shortcut file.
The CozyBear detection was a false one, though. Nick Carr, a member of FireEye’s Advanced Practices Team, said that weaponized .LNK files are common in pirated content.
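As an added example (not code from BleepingComputer or the researchers quoted above), here is a small Python triage script that parses a shortcut's ShellLinkHeader and StringData to surface the pattern described in this story: a .LNK whose target is PowerShell, started with its window out of sight, wearing an icon borrowed from another file. Both sample shortcuts are constructed inline, and the PowerShell argument is a placeholder rather than any real payload.

```python
import struct

# MS-SHLLINK: header CLSID and the LinkFlags bits this parser needs
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
F_IDLIST, F_LINKINFO, F_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = (("name", 0x04), ("relative_path", 0x08), ("working_dir", 0x10),
                 ("arguments", 0x20), ("icon_location", 0x40))
SW_SHOWMINNOACTIVE = 7  # ShowCommand value that keeps the launched window out of sight

def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields (target path, arguments, icon, ...) of a shell link."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Windows shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 0x4C                                        # fixed-size ShellLinkHeader
    if flags & F_IDLIST:                              # skip LinkTargetIDList (2-byte size prefix)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & F_LINKINFO:                            # skip LinkInfo (size includes itself)
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {"show_command": struct.unpack_from("<I", data, 60)[0]}
    for name, bit in STRING_FIELDS:                   # StringData: CountCharacters + chars
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            width = 2 if flags & F_UNICODE else 1
            raw = data[pos + 2:pos + 2 + count * width]
            fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
            pos += 2 + count * width
    return fields

def triage_lnk(data: bytes) -> list[str]:
    """Defensive heuristics for a shortcut found where a media file was expected."""
    f = parse_lnk(data)
    launched = (f.get("relative_path", "") + " " + f.get("arguments", "")).lower()
    reasons = []
    if any(h in launched for h in ("powershell", "cmd.exe", "mshta", "wscript", "cscript")):
        reasons.append("launches a script host: " + f.get("relative_path", "?"))
    if f["show_command"] == SW_SHOWMINNOACTIVE:
        reasons.append("window is started minimized and inactive (ShowCommand=7)")
    icon = f.get("icon_location", "").lower()
    if reasons and icon and not any(h in icon for h in ("powershell", "cmd")):
        reasons.append("icon borrowed from another file: " + f["icon_location"])
    return reasons

def build_lnk(rel_path: str, args: str, icon: str, show_cmd: int = 1) -> bytes:
    """Constructed sample .LNK (not a real malware artifact) for exercising the parser."""
    flags = F_IDLIST | F_UNICODE | 0x08 | (0x20 if args else 0) | 0x40
    hdr = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20, 0, 0, 0, 0, 0, show_cmd, 0, 0, 0, 0)
    body = struct.pack("<HH", 2, 0)                   # empty LinkTargetIDList (terminal ID only)
    for s in (rel_path, args, icon):
        if s:
            body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return hdr + body + struct.pack("<I", 0)          # terminal ExtraData block

SUSPECT = build_lnk(r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                    '-WindowStyle Hidden -Command "<placeholder, not a real payload>"',
                    r"%SystemRoot%\system32\shell32.dll", SW_SHOWMINNOACTIVE)
BENIGN = build_lnk(r"..\Player\player.exe", "", r"..\Player\player.exe")
```

Run `triage_lnk()` over every .LNK in a download folder before anything is double-clicked; an empty list means none of the three heuristics fired, not that the file is safe.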