Movie enthusiasts eager to watch the latest releases online are being targeted by cybercriminals distributing the potent Agent Tesla malware through fake torrent files. Specifically, threat actors are exploiting the popularity of the new Leonardo DiCaprio film, “One Battle After Another,” to lure unsuspecting users into downloading malicious content disguised as movie files.
These deceptive torrents, upon closer inspection by security researchers, contain a sophisticated chain of hidden PowerShell scripts designed to install a Remote Access Trojan (RAT) on Windows systems. This malware grants attackers extensive control over infected computers, enabling them to pilfer sensitive personal and financial data. The campaign has reportedly reached thousands of individuals, highlighting the widespread risk to consumers searching for entertainment.
The infection begins when a user downloads what appears to be the film and finds a folder containing seemingly legitimate files. However, clicking on a shortcut file labeled “CD.lnk” initiates a complex, clandestine attack. The malware leverages legitimate Windows tools such as Command Prompt (CMD), PowerShell, and Task Scheduler to operate covertly and evade detection by standard security software.
How the Attack Unfolds Through Multiple Stages
Bitdefender security researchers first identified this threat due to a notable surge in detections associated with the fraudulent movie torrent. Their deep dive revealed a meticulously crafted attack methodology employing layered encryption and scripts embedded within files that appear to be harmless subtitle and image files. A critical aspect of this malware is its in-memory execution, meaning it leaves minimal trace on the hard drive, significantly complicating detection by traditional antivirus solutions.
The infiltration process starts when a victim clicks the “CD.lnk” file, mistaking it for the movie playback option. This action triggers a hidden command that reads specific lines from a subtitle file named “Part2.subtitles.srt.” Those lines carry batch code responsible for launching PowerShell scripts. The file otherwise contains genuine movie subtitles; the malicious code is concealed in lines 100 to 103 and serves as the initial trigger.
Subsequently, the PowerShell commands extract and decrypt encoded data from the very same subtitle file. Using AES decryption, the malware reconstructs five distinct PowerShell scripts and stores them in a concealed directory under the user profile, “C:\Users\<username>\AppData\Local\Microsoft\Diagnostics.” Each script is assigned a specific role within the unfolding attack sequence.
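The loader described above reads its first-stage batch code from lines 100 to 103 of Part2.subtitles.srt, a file that is otherwise a valid subtitle track. A defender-side check, added here as an example (not Bitdefender's or the article's code): it walks an .srt file as a small state machine and flags lines carrying shell or PowerShell tokens, or free text where the SRT grammar allows only a cue index or timing line. The sample subtitle file, its cue text and the planted command lines are constructed for this example.

```python
import re

# Constructed sample (not the real file): genuine-looking cues with a few shell lines planted among them.
SAMPLE_SRT = """\
1
00:00:01,000 --> 00:00:03,500
You think this is over?

2
00:00:07,000 --> 00:00:09,000
Keep moving.
@echo off
powershell -NoProfile -File stage1.ps1

set STAGE=1
3
00:00:10,000 --> 00:00:12,000
We're done here.
"""

TIMING_RE = re.compile(r"^\d{2}:\d{2}:\d{2},\d{3} --> \d{2}:\d{2}:\d{2},\d{3}")  # e.g. "00:00:01,000 --> 00:00:03,500"
# Tokens typical of batch/PowerShell loaders that never belong in subtitle text.
SHELL_MARKERS = re.compile(
    r"(?:^@echo\b|\bpowershell\b|\bcmd(?:\.exe)?\b|\binvoke-expression\b|\biex\b"
    r"|-enc(?:odedcommand)?\b|frombase64string|\bschtasks\b)", re.IGNORECASE)

def scan_srt(text: str) -> list[tuple[int, str, str]]:
    """One (line_no, reason, line) per suspicious line: shell markers, or free text where the SRT grammar forbids it."""
    findings = []
    expect = "index"  # SRT state machine: cue index -> timing line -> text lines -> blank
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if SHELL_MARKERS.search(line):
            findings.append((n, "shell-marker", line))
        elif expect == "index" and line and not line.isdigit():
            findings.append((n, "structure", line))  # free text where a cue index belongs
        elif expect == "timing" and not TIMING_RE.match(line):
            findings.append((n, "structure", line))  # cue index not followed by a timing line
        if expect == "index" and line.isdigit():  # advance the state machine regardless of findings
            expect = "timing"
        elif expect == "timing":
            expect = "text" if TIMING_RE.match(line) else "index"
        elif expect == "text" and line == "":
            expect = "index"
    return findings
```

Run it over every .srt shipped alongside a downloaded video; a subtitle track with no findings is not proof of safety, but one with shell tokens between cues is worth quarantining before any shortcut in the folder is opened.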
The initial script is tasked with extracting the content from a file masquerading as the movie, “One Battle After Another.m2ts.” This file is actually a disguised archive. The script checks for whichever common extraction tools, such as WinRAR, 7-Zip, or Bandizip, are present on the victim’s system and uses the one it finds. Concurrently, another script establishes a scheduled task named “RealtekDiagnostics,” a misleading label for a component designed to ensure the malware’s persistence.
This scheduled task is configured to execute the malware automatically upon each computer startup or user login, maintaining a foothold on the infected system. The task remains hidden, utilizing standard Windows processes to avoid raising suspicion. Meanwhile, other scripts are occupied with decoding hidden data embedded within fake image files, “Photo.jpg” and “Cover.jpg.” These image files actually contain binary information and additional password-protected archives.
The culmination of this multi-stage operation involves the compilation and in-memory execution of the Agent Tesla payload. This Remote Access Trojan then establishes a communication channel with servers controlled by the attackers. The infected computer effectively becomes a compromised asset, ready to be exploited for credential theft, further malicious activities, or the deployment of additional malware. This entire operation underscores the growing sophistication of attackers who utilize multi-stage scripting and fileless execution techniques to circumvent security defenses and achieve persistent access to victim systems.
The continuous evolution of malware delivery methods, particularly those leveraging trending content like popular movies, necessitates ongoing vigilance from cybersecurity researchers and users alike. Staying informed about emerging threats and practicing safe downloading habits are crucial in mitigating the risks posed by such sophisticated cyberattacks.