Pirated content is a plentiful resource for malware, and that should come as no surprise to people who are already accessing it. It’s easy to imagine that the main threat might be represented by cracked software and other installers. However, that’s not always the case. Attackers have been increasingly using an older tactic: slipping malware into torrents that promise unaired TV shows and movies.
If you were to perform a Google search for cracked software, there’s a very good chance you would download malware and not what you’re actually looking for. In many cases, attackers create websites that promise exactly the crack for the software you’re looking for, down to the correct version number.
Another common tactic is to ask for personal information with the promise of unlocking the download file. All of these are to be expected on regular websites that promote cracked content and, implicitly, malware.
But what about torrent trackers? There’s no guarantee the cracked content downloaded from a torrent will be free of malware. At least, people might be on guard when downloading software from such places.
The problem is that torrent tracker users are not likely to show the same caution when downloading TV shows and movies, and this is precisely what attackers want.
Bitdefender has observed an increase in the number of torrents promising pirated multimedia content that also contains malware. In most situations, the uploader offers an episode of an anticipated TV show that hasn’t aired yet, hoping to attract people actively looking for it.
The download size looks right, and the usual naming scheme is respected, making the torrent more appealing. If the user goes through with the download, he will find that it’s not quite what he asked for.
The final download is a file with the ZIPX extension, which is just a type of archive, albeit a less-used one. When the user unpacks the archive, the structure will look rather strange.
You will notice that the file that should be the TV show has an SCR extension. SCR is a format initially developed by Microsoft, and the name is short for screensaver. What users need to know is that it’s basically an executable. A user might hesitate to double-click on an EXE file inside a folder that should contain a TV show, but an SCR file is a lot less suspicious.
Interestingly, the SCR file is only around 800 MB in size (not its real size), and there’s another folder named ‘vis’ that contains an actual video file. In this case, it is a complete and real movie at a lower resolution. Everything in the archive put together will add up to around 1.3GB, which is the regular size of similar torrents.
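The layout described above can be checked before anything is unpacked. The following Python sketch is an added example, not Bitdefender's detection logic: it lists an archive's entries and flags any that Windows would run on double-click. It assumes the ZIPX file keeps the standard ZIP central directory, and the extension lists, function names and sample archive are constructed for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Illustrative, non-exhaustive lists (assumption); .scr is the one from the article.
EXECUTABLE_EXTS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".msi", ".lnk", ".js", ".vbs"}
MEDIA_EXTS = {".mkv", ".mp4", ".avi", ".mov", ".srt"}

def audit_archive(data: bytes) -> list[dict]:
    """Return one finding per archive entry that would execute on double-click."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        # infolist() reads only the central directory; nothing is extracted or run.
        for info in zf.infolist():
            if info.is_dir():
                continue
            suffixes = [s.lower() for s in PurePosixPath(info.filename).suffixes]
            if not suffixes or suffixes[-1] not in EXECUTABLE_EXTS:
                continue
            reasons = [f"executable extension {suffixes[-1]}"]
            if any(s in MEDIA_EXTS for s in suffixes[:-1]):
                reasons.append("media extension used as decoy before the real one")
            try:
                with zf.open(info) as fh:  # peek at the first two bytes only
                    if fh.read(2) == b"MZ":
                        reasons.append("PE header (MZ) confirmed")
            except (NotImplementedError, RuntimeError):
                reasons.append("content not readable (unsupported compression or encrypted)")
            findings.append({"name": info.filename, "size": info.file_size, "reasons": reasons})
    return findings

def build_sample(scr_name: str = "Show.S01E01.1080p.WEB.scr") -> bytes:
    """Constructed sample mirroring the layout described above (harmless bytes only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(f"Show.S01E01.1080p.WEB/{scr_name}", b"MZ" + b"\x00" * 4096)
        zf.writestr("Show.S01E01.1080p.WEB/vis/movie.mp4", b"\x00\x00\x00\x18ftypmp42" + b"\x00" * 4096)
    return buf.getvalue()

if __name__ == "__main__":
    for f in audit_archive(build_sample()):
        print(f["name"], f["size"], "; ".join(f["reasons"]))
```

The real video in the `vis` folder is not flagged; only the entry with the executable extension is reported, which is the signal that the release is not what its name claims.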
If the user had Bitdefender installed, he wouldn’t be able to unzip the file because the security solution would identify the threat and move it to quarantine.
The SCR file is malware named Lumma Stealer, which has been around for a couple of years and has also been observed in other attacks. For example, security researchers found that cybercriminals were trying to push Lumma through an operation that used fake CAPTCHA prompts, and cybercriminals have occasionally sent email attachments containing this malware.
Lumma is a malware-as-a-service product, which means it’s sold on the Darknet and can be deployed even by people who don’t necessarily have extensive technical expertise.
The goal of the malware is to extract data from compromised devices running Windows 11 and earlier versions. It focuses on data stored by Internet browsers such as Google Chrome, Firefox, Edge, and other Chromium-based browsers.
Criminals will go after usernames, passwords, crypto wallets, stored credit cards, and session cookies.
The same patterns can be observed with the Lumma malware used in this attack via torrents. The attacker will attempt to steal all information possible from the device, hide their presence, and even try to determine if a security solution is installed.
Downloading software from sketchy websites is never a good idea, especially since malware can easily be integrated and deployed via such channels. And if you think you’re safe because you don’t download cracked software, you might be in for a surprise if you download pirated media.
Lumma Stealer embedded in torrents featuring pirated content is just one of the many ways criminals trick people into voluntarily installing malware. Even if you pay attention and avoid SCR files from now on, attackers will find other ways.
The best course of action would be to NOT download torrents from dangerous places, but if you do, at least have a security solution in place that can keep you safe, no matter how dark the Internet place you’re visiting is. Bitdefender Ultimate Security features all the tools and protection you need to have a worry-free digital life.
Silviu is a seasoned writer who followed the technology world for almost two decades, covering topics ranging from software to hardware and everything in between.
November 14, 2024
September 06, 2024