Cybercriminals Exploit Leonardo DiCaprio’s New Film to Spread Agent Tesla Malware Through Torrent Downloads

12/13/2025 internetconnectz.com

Bitdefender researchers have uncovered a sophisticated malware campaign exploiting the popularity of Leonardo DiCaprio’s latest film, One Battle After Another. This investigation was prompted by an uptick in detections linked to what appeared to be a torrent for the film, which has emerged as a prime target for cybercriminals looking to infect unwary users’ devices.

In a quest for the latest cinematic releases, many users frequently search the internet for low-cost or free downloads. With entertainment often on users’ minds, the potential risks associated with movie downloads might not be immediately apparent. What seems to be an ordinary file can conceal a complex chain of infection that leads to severe malware intrusions.

Instead of downloading the anticipated movie, users often find themselves unknowingly acquiring a collection of PowerShell scripts and image files. These elements work collaboratively to install a Remote Access Trojan (RAT) known as Agent Tesla directly into the system’s memory. With this trojan, attackers can remotely access a victim’s Windows computer, compromising personal and financial information or facilitating additional cyberattacks.

Embedding malware in torrents or phony multimedia files is not a recent phenomenon; however, its prevalence has surged in the past year. Other notable cases include the Mission: Impossible – The Final Reckoning torrent, which propagated the Lumma Stealer, targeting sensitive credentials, including passwords and crypto wallets.

Agent Tesla has a history of use in various campaigns, including phishing attacks and scams tied to the COVID-19 vaccination process. The current investigation outlines the stages of this new attack, focusing on how its components work in tandem to elude detection.

The Agent Tesla RAT is not new, but the way it is deployed here, using PowerShell and other “Living Off the Land” (LOTL) tools, is noteworthy. The infection begins when a user downloads what they believe to be the movie. Inside the download is a shortcut labeled “CD.lnk,” which promises to launch the film. However, activating this shortcut triggers a hidden command that launches a series of malicious scripts concealed in a subtitle file named Part2.subtitles.srt.

The attack commences subtly. Clicking on the shortcut executes a command that reads specific lines from the subtitle file. While the .srt file legitimately contains subtitles, it also harbors batch scripts that kickstart the infection.

These scripts employ various Windows utilities, including CMD, PowerShell, and Task Scheduler, to unpack layers of encrypted data meticulously embedded within the files. Each PowerShell script executed from the subtitle file serves distinct purposes that collectively facilitate the attack:

  1. The first script extracts content from a file that masquerades as a video but is actually a disguised archive.
  2. A second script creates a persistent scheduled task that runs under the guise of a legitimate process.
  3. Additional scripts decode hidden data from what appears to be an innocuous image file.
  4. These scripts also ensure that the directories needed for storing payloads exist, and ultimately extract further malicious components.
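A defender-side check for the subtitle-file trick described above, added here as an example (it is not code from Bitdefender's report or from this article): it walks a SubRip file cue by cue and flags lines that sit outside the cue structure or contain script syntax. The indicator list and the sample file are constructed assumptions.

```python
import re

# SubRip timing line, e.g. "00:00:01,000 --> 00:00:04,000"
TIMING = re.compile(r"^\d{2}:\d{2}:\d{2}[,.]\d{3}\s*-->\s*\d{2}:\d{2}:\d{2}[,.]\d{3}")
# Assumed indicator list (not from the report): tools the article names plus script syntax.
SCRIPT_HINT = re.compile(
    r"powershell|pwsh\b|cmd(\.exe)?\s+/[ck]\b|schtasks|frombase64string|"
    r"invoke-expression|-enc(odedcommand)?\b|@echo\s+off", re.IGNORECASE)

def scan_srt(text):
    """Return (line_no, reason, line) for each line that does not fit SubRip."""
    findings, state = [], "index"   # cue layout: index, timing, text, blank
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip("\ufeff \t\r")
        if SCRIPT_HINT.search(line):
            findings.append((no, "script-indicator", line))
        elif state == "index":
            if line.isdigit():
                state = "timing"
            elif line:                       # text where a cue number belongs
                findings.append((no, "outside-cue", line))
        elif state == "timing":
            if TIMING.match(line):
                state = "text"
            else:
                findings.append((no, "bad-timing", line))
                state = "index"
        elif not line:                       # blank line ends the cue text
            state = "index"
    return findings

# Constructed sample: two normal cues followed by three injected lines.
SAMPLE = """\
1
00:00:01,000 --> 00:00:03,000
If you start now, we can call it even.

2
00:00:04,000 --> 00:00:06,500
Set the table.

@echo off
powershell -NoProfile -Command "Write-Output constructed-sample"
REM constructed placeholder line
"""

if __name__ == "__main__":
    print(*scan_srt(SAMPLE), sep="\n")
```

Ordinary dialogue such as "If you start now" is not flagged, because the check relies on cue structure and a short list of strong indicators rather than on common English words that double as batch keywords.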

As this malware sets deeper roots, its ultimate aim is to repurpose the infected Windows PC as a “zombie agent”—ready for the attacker to exploit further in future campaigns or to distribute additional malware.

With thousands of seeds and leeches reported for the fake film, the research suggests the potential for widespread infection. Those utilizing Bitdefender security tools were protected from the onset, highlighting the importance of robust cybersecurity measures.

As malware-laden torrents promising the latest movies gain traction, the frequency and sophistication of these attacks seem poised to escalate. Users must remain vigilant, recognizing that threats can be cleverly disguised within seemingly harmless multimedia files.
