marry 15.11.2024, 12:30 PM
Pirated content is often a good place for malware to hide, and this should come as no surprise to people who download it. Those who download cracked software often knowingly take risks. However, cybercriminals are increasingly using an older tactic – injecting malware into torrents that promise unaired episodes of shows and movies.
If you were to search for cracked software on Google, there’s a good chance you’d download malware and not what you’re actually looking for. In many cases, cybercriminals have websites that promise a crack for the software you are looking for.
Another common tactic is asking for personal information with the promise of unlocking the file you want to download.
But what about torrent trackers? There is no guarantee that content downloaded from torrents will be malware-free, so people should be careful when downloading software from such sites.
The problem is that users of torrent trackers are unlikely to exercise the same caution when downloading shows and movies, which is exactly what attackers want.
Bitdefender has detected an increase in the number of torrents that promise pirated multimedia content that also contains malware. In most situations, whoever offers an episode of a series that hasn’t aired yet hopes to attract people who are looking for it.
In the cases observed by Bitdefender researchers, the file size appears correct and the usual naming scheme is respected. But when the user finishes downloading, they find that it’s not exactly what they were looking for. What is downloaded is a file with the ZIPX extension, which is just a type of archive, although less commonly used. When the user unzips the archive, they will notice that the file that should be a video has the extension SCR. SCR is a format originally developed by Microsoft, and the name stands for screensaver. What users should know is that it is essentially an executable file. A user might not click on an EXE file in a folder that is supposed to contain the requested video, but an SCR file is much less suspicious.
Interestingly, the SCR file is only about 800 MB in size, and there is another folder called “vis” that contains the actual video file. In this case, it’s a complete and proper movie in lower resolution. Everything in the archive together will be about 1.3 GB, which is a common size for similar torrents.
The SCR file is a malware called Lumma Stealer that has been around for several years.
Lumma is sold on the Darknet and can be used even by people without much technical knowledge. The goal of the malware is to extract data from compromised devices running Windows 11 and older versions. It focuses on data stored by Internet browsers such as Google Chrome, Firefox, Edge and others: usernames, passwords, crypto wallets, credit cards and session cookies.
The same patterns can be observed in this torrent attack. The attacker will try to steal all possible information from the device, hide their presence, and even try to determine if a security solution is installed.
Downloading software from untrusted websites is never a good idea, especially since malware can easily be integrated and distributed through such channels. And if you think you’re safe because you don’t download cracked software, you might be in for a surprise if you’re in the habit of downloading pirated movies, series, and shows.
Lumma embedded in pirated content torrents is just one of many methods criminals use to trick people into installing malware themselves. Even if you pay attention and avoid SCR files after reading this, rest assured that cybercriminals will find other ways.
Photo: Lucas Andrade | Pexels
Source: www.informacija.rs
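The archive layout described above (an SCR file where the video should be, with the real video in a "vis" folder) can be checked before anything is opened. The following is an added example, not code from the article or from Bitdefender: it inspects an archive's entries without extracting them and flags anything Windows would run as a program, by extension and, going slightly beyond the article's case, by the "MZ" header of a renamed executable. File names and contents are constructed samples.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions Windows launches as programs; .scr (screensaver) is a regular executable.
EXECUTABLE_EXTS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".msi", ".lnk", ".js", ".vbs"}


def audit_archive(data: bytes) -> list[dict]:
    """Return one finding per archive entry that would run as a program on Windows."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = PurePosixPath(info.filename).suffix.lower()
            reasons = []
            if ext in EXECUTABLE_EXTS:
                reasons.append(f"executable extension {ext}")
            try:
                with zf.open(info) as fh:
                    if fh.read(2) == b"MZ":  # Windows executables start with "MZ"
                        reasons.append("PE header (MZ)")
            except (NotImplementedError, RuntimeError, zipfile.BadZipFile):
                # Entries using a compression method this module cannot decode,
                # or encrypted entries, are judged by name only.
                pass
            if reasons:
                findings.append({"name": info.filename, "size": info.file_size, "reasons": reasons})
    return findings


def build_sample() -> bytes:
    """Constructed sample mirroring the described layout, with tiny placeholder contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Show.S01E01.1080p.scr", b"MZ" + b"\x00" * 62)  # poses as the episode
        zf.writestr("vis/Show.S01E01.mkv", b"\x1a\x45\xdf\xa3" + b"\x00" * 60)  # the real video
        zf.writestr("vis/notes.txt", b"plain text, nothing to flag")
        zf.writestr("vis/codec.dat", b"MZ" + b"\x00" * 30)  # executable under a harmless name
    return buf.getvalue()


if __name__ == "__main__":
    for f in audit_archive(build_sample()):
        print(f"{f['name']} ({f['size']} bytes): {', '.join(f['reasons'])}")
```
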