Hackers Distributing Malware Using Infected ‘Game of Thrones’ Downloads

Posted by Geraldine Hunt on Mon, Apr 15th, 2019

Embedding malware into movie downloads is nothing new for attackers. When a popular movie or TV show is about to be released, attackers know that potentially millions of people will be looking for a way to watch the content for free. April 14th is the release date for the latest (and final) season of HBO’s wildly popular 'Game of Thrones'. In the last few months, security researchers have observed an increase in attacks using malware embedded in fake 'Game of Thrones' downloads, and they note that most of the infected downloads carry trojans and adware.

Game of Thrones Leads the List in Infected Movie Downloads

Although 'Game of Thrones' is currently the newest and biggest target, other shows have also been used to distribute malware. The Walking Dead, Arrow, Suits and Vikings were next on Kaspersky’s list of the most targeted downloadable shows and movies. Kaspersky notes that 33% of infected files contained trojans. A trojan is a small program that runs in the background on a machine and is installed the moment the user opens the file. In the case of a malicious movie download, the file may be a zip archive containing an executable, or the "movie" file itself may be a malicious executable.

Trojan creators code these programs to go undetected, and users can’t rely solely on antivirus programs to protect against them. A zero-day trojan is one that antivirus products do not yet detect, which means a trojan could be collecting your private data and sending it to an attacker without any warning. Some trojans give an attacker remote control over your desktop, allowing a third party to edit programs, download additional malware, or use the computer for malicious purposes such as taking part in a botnet during a DDoS attack.

Kaspersky also noted that another large share of infected files contained adware. Adware is a less destructive but more annoying form of malware. It changes the home page in your browser, switches your default search engine to one that serves ads, and runs in the background to display random popups. Manually removing adware from your computer can take some time, and simply changing your browser settings back to the original will not work. An Internet filter that does not inspect the content of a supposedly “secure” website is failing to protect your organization from online risks and malware such as adware, spyware and ransomware.

Torrents and Movie Downloads are Dangerous for Computer Health

Search for any movie with the phrase “watch for free” and you’re bound to see several links where site owners claim that you can download the content and watch it for free. These sites are very likely to host malware behind links posing as free content.

Although the idea of watching the next motion picture in the comfort of your home sounds wonderful, the fact is that most sites offering free movies and shows cannot be trusted. Torrents are popular for downloadable content, but the latest 'Game of Thrones' threat is mainly distributed via email. Ultimately, it is in the best interests of your business to evaluate what mechanisms you already have in place to detect spam and malware distributed via email.

Instead of relying on free content, users should only view content from the legitimate producer. These sites usually offer streaming instead of downloads, so there is no need to download anything to view your favorite shows. Be suspicious of sites that claim to be the official producer but only offer downloadable content. Many of these “evil twin” domains are made to look like the official site, but they exist only for phishing and malware distribution.

Using the official site usually requires a paid subscription, but you can take other precautions including:

  • Notice the file extension of a download and ensure it is a movie file extension such as MPEG, MP4 or MKV
  • Never download or run a file with an EXE extension
  • Verify that the site accessed to stream content is the official site, including a legitimate SSL/TLS certificate
  • Don’t download any programs on a site that claims additional software is needed to view a movie
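One way to apply the first two points mechanically, as an added example that is not from the original post: compare the download's extension(s) with the file's actual signature bytes, so a renamed executable or a double-extension name such as "episode.mp4.exe" is caught regardless of what the name suggests. The sample headers are constructed stand-ins; the signature constants are the standard ones for PE, MP4, Matroska, MPEG and ZIP.

```python
# Extensions the article names as legitimate movie containers, plus common
# Windows executable extensions that should never be opened as a "movie".
MOVIE_EXTENSIONS = {".mp4", ".mkv", ".mpeg", ".mpg"}
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".bat", ".cmd", ".msi", ".com"}

def sniff_type(header: bytes) -> str:
    """Classify a file from its first 16 bytes using well-known signatures."""
    if header[:2] == b"MZ":
        return "pe-executable"              # Windows EXE/DLL, whatever the name says
    if header[4:8] == b"ftyp":
        return "mp4"                        # ISO base media file ('ftyp' box at offset 4)
    if header[:4] == b"\x1a\x45\xdf\xa3":
        return "matroska"                   # EBML header used by MKV/WebM
    if header[:4] in (b"\x00\x00\x01\xba", b"\x00\x00\x01\xb3"):
        return "mpeg"                       # MPEG program stream / video sequence start code
    if header[:2] == b"PK":
        return "zip-archive"                # an archive that may wrap an executable
    return "unknown"

def triage(filename: str, header: bytes) -> dict:
    """Compare the name's extension(s) with the sniffed content and return a verdict."""
    name = filename.lower()
    exts = ["." + p for p in name.split(".")[1:]]   # keep every extension: "ep1.mp4.exe"
    last_ext = exts[-1] if exts else ""
    kind = sniff_type(header)
    if kind == "pe-executable" or last_ext in EXECUTABLE_EXTENSIONS:
        verdict = "block: executable"
    elif any(e in MOVIE_EXTENSIONS for e in exts[:-1]):
        verdict = "suspicious: double extension"
    elif last_ext in MOVIE_EXTENSIONS and kind not in ("mp4", "matroska", "mpeg"):
        verdict = "suspicious: extension does not match content"
    else:
        verdict = "ok"
    return {"file": filename, "extensions": exts, "content": kind, "verdict": verdict}

if __name__ == "__main__":
    # Constructed sample headers standing in for downloaded files (no real malware).
    samples = [
        ("Game.of.Thrones.S08E01.mp4", b"\x00\x00\x00\x18ftypisom\x00\x00\x02\x00"),
        ("Game.of.Thrones.S08E01.mp4.exe", b"MZ\x90\x00" + b"\x00" * 12),
        ("GoT_S08E01.mkv", b"\x1a\x45\xdf\xa3" + b"\x00" * 12),
        ("GoT_S08E01.mkv", b"MZ\x90\x00" + b"\x00" * 12),  # executable renamed to .mkv
    ]
    for name, header in samples:
        print(triage(name, header))
```

For a file on disk, pass `os.path.basename(path)` and the first 16 bytes read from the file; the check is cheap enough to run on every item in a downloads folder.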

When you download any content from the web, you should always have antivirus applications running on your desktop. Some content is downloaded through apps installed on mobile devices. The mobile market is much more susceptible to malware since most people do not run any anti-malware on their phones or tablets. Avoid downloading any content on a device – desktop or mobile – if no anti-malware is installed.

Illegal downloads are a popular market, but they are also a prime target for attackers. If you insist on downloading from torrent sites, ensure that you have protection on your computers. Enterprise workstations should be blocked from downloading any torrents at the firewall. Should any download have an EXE file extension, delete it immediately.

Trojans Make Up 33% of Infected Downloads

Game of Thrones creators have been extremely secretive about the new season, so a pre-release of episodes would be a newsworthy event. It’s unlikely that any files distributed on torrent sites and rogue content servers are legitimate movie files. You only need to execute the wrong file once, and a trojan is dropped on your computer. Trojans run silently, so you could execute the file, see that it’s not the episode you expected, and close it thinking that is the end of it. Instead, you now have malicious programs running in the background of your computer. Malicious activity could be anything the attacker wants from your computer resources, but here are a few ways trojans can affect you:

  • Log keystrokes and send them to an attacker, ultimately giving the attacker your username and passwords to your accounts
  • Download additional malware that gives an attacker remote control of your computer
  • Add your computer to a botnet network used by an attacker for DDoS attacks
  • Launch automated queries or commands from your computer and home network

Adware Makes Up 28% of Infected Downloads

Trojans were not the only malware found behind what looks like an innocuous Game of Thrones movie file. Adware was found in 28% of infected files. Adware is less harmful to your privacy and data, but it’s a very annoying side of malware. Adware plants itself on your computer, changes your default search engine and browser home page, and displays ads and popups without your clicking any links. While this is not necessarily dangerous for privacy, it can be extremely annoying because the popups keep coming. Here are some signs that you’ve installed adware on your computer:

  • Default search engine is changed, and each time you change it back it reverts to the ad-embedded search engine
  • Default home page is changed to an ad-heavy, unknown domain and you’re unable to change it back to your chosen domain
  • Random popups on your computer even though you’ve clicked no links
  • Links shown from a search lead to sites that ask you to download software

Protecting your network, users and customers from cybercriminals

According to Meta Compliance, attackers are using email to distribute this form of malware, but embedding malware into downloaded torrent files is nothing new. Using torrents to download movies and shows has long been popular despite the shady, illegal activity involved. Do a search for any movie that you want to download, and you’ll see numerous search engine results from attackers who claim to offer free downloads. The truth is that a majority of these links lead to malicious sites that trick you into downloading malware or installing malicious programs on your computer.

When downloading any application that promises to play video, only download from an official provider. Most providers stream content from their sites, so downloading an executable to your desktop is typically not necessary. Providers offer the ability to stream based on your cable company account, or through a paid monthly subscription to the pay-TV network, such as HBO in the case of Game of Thrones.

Avoid downloading programs that promise you can watch a stream once they are installed. A common lure is a page with an embedded video on which attackers display a message that Adobe Flash must be upgraded. Unless the download comes from the official Adobe site, these "upgrades" contain malware, including ransomware.

As mentioned earlier, the latest Game of Thrones threat is mainly distributed via email. SpamTitan is TitanHQ's solution for detecting business email spam, a solution that uses an extensive set of mechanisms to achieve 99.97% spam detection. The high level of spam detection is complemented by dual anti-virus software that includes malicious URL blocking and phishing protection. SpamTitan has a choice of deployment options that make it an ideal solution for businesses of all sizes. Both options are universally compatible with all operating systems and infinitely scalable. Both options are also easy to configure and manage remotely via a browser-based portal.

WebTitan employs a crowd-sourced approach for obtaining a constant stream of URLs for analysis. This continuous stream of ActiveWeb (URLs actively visited by end users) comes from a global network of customers across a number of high-traffic markets: Network Security, Subscriber Analytics, and Ad Tech. This includes over 550 million end users and growing, and is the primary in-house source for threat corpora used to train human-supervised Machine Learning systems. This combined and integrative approach empowers us to continuously enhance, optimize, and fine-tune our malicious detection capabilities in an ever-changing threat landscape.

