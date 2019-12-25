After noticing a spike in detections involving what looked like a movie torrent for One Battle After Another, Bitdefender researchers started an investigation and discovered that it was a complex infection chain.

The film, Leonardo DiCaprio's latest, has quickly drawn a great deal of attention, making it an attractive lure for cybercriminals looking to infect as many devices as possible.

People often search for the latest movies on the internet, hoping to find a copy of a new release that has just begun its theater run or is only available via pay-per-view streaming. And since users are looking for entertainment, the possibility of infection from downloading a film might not cross their minds.

However, what looks like a simple download can quickly turn into something far more dangerous. Instead of the expected video file, users unknowingly download a set of PowerShell scripts and image files that, stage by stage, decode and assemble in memory a remote access trojan (RAT) known as Agent Tesla, which then acts as a memory-resident command-and-control (C2) agent on the victim's machine.
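A practitioner's first question about a "movie" download is whether the file's content matches what its name promises. The following triage helper is an added example, not code from the Bitdefender write-up, and the file names, byte samples and PowerShell fragment in it are constructed for illustration rather than taken from the campaign. It checks three things a disguised loader typically gets wrong: a script or executable extension, a double extension such as `.mp4.lnk`, and a video extension on content whose leading bytes are not a known media container (or that carry the kind of PowerShell markers a decode-and-run stager needs).

```python
"""Triage a 'movie' download: does the content match what the name claims?

Added example, not the campaign's files or Bitdefender's tooling. All sample
names and byte strings below are constructed; the extension lists and the
PowerShell marker regex are heuristics chosen for this example.
"""
import re

VIDEO_EXT = {".mp4", ".mkv", ".avi", ".mov", ".m4v"}
# Extensions that have no business inside a movie torrent (assumed list).
SCRIPT_EXT = {".ps1", ".bat", ".cmd", ".vbs", ".js", ".lnk", ".exe", ".scr", ".hta"}

# Cmdlets and calls that a decode-in-memory PowerShell stager usually needs.
_PS_MARKERS = re.compile(
    rb"(?i)(Invoke-Expression|\bIEX\b|FromBase64String|-EncodedCommand|"
    rb"Add-Type|Reflection\.Assembly)"
)


def container_type(data: bytes) -> str:
    """Identify a file from its leading bytes; 'unknown' if nothing matches."""
    if len(data) >= 8 and data[4:8] == b"ftyp":          # ISO BMFF: MP4/MOV/M4V
        return "mp4"
    if data[:4] == b"\x1a\x45\xdf\xa3":                   # EBML header: MKV/WebM
        return "mkv"
    if data[:4] == b"RIFF" and data[8:12] == b"AVI ":     # RIFF AVI
        return "avi"
    if data[:2] == b"MZ":                                 # PE executable
        return "pe"
    return "unknown"


def looks_like_powershell(data: bytes) -> bool:
    """True if the first 4 KiB contain typical stager cmdlets."""
    return bool(_PS_MARKERS.search(data[:4096]))


def triage(name: str, data: bytes) -> list:
    """Return the findings for one file; an empty list means nothing suspicious."""
    findings = []
    parts = name.lower().split(".")
    exts = ["." + p for p in parts[1:]]
    last = exts[-1] if exts else ""

    if last in SCRIPT_EXT:
        findings.append(f"script/executable extension {last}")
    # 'Movie.mp4.lnk': a video extension buried in front of a non-video one.
    if len(exts) >= 2 and last not in VIDEO_EXT and any(e in VIDEO_EXT for e in exts[:-1]):
        findings.append("double extension disguised as video")

    kind = container_type(data)
    if last in VIDEO_EXT and kind not in {"mp4", "mkv", "avi"}:
        findings.append(f"extension {last} but content is {kind}")
    if kind == "pe":
        findings.append("PE executable header")
    if looks_like_powershell(data):
        findings.append("PowerShell stager markers in content")
    return findings


# Constructed samples: a real-looking MP4 header, a PE renamed as .mp4,
# a shortcut with a double extension, and a PowerShell stager renamed as .mp4.
SAMPLES = {
    "One.Battle.After.Another.2025.1080p.mp4": b"\x00\x00\x00\x18ftypisom" + b"\x00" * 32,
    "One.Battle.After.Another.2025.mp4": b"MZ\x90\x00" + b"\x00" * 60,
    "One.Battle.After.Another.2025.1080p.mp4.lnk": b"L\x00\x00\x00\x01\x14\x02\x00",
    "Play.Movie.mp4": b"$p=[Convert]::FromBase64String('QUJD');IEX ([Text.Encoding]::ASCII.GetString($p))",
}

if __name__ == "__main__":
    for fname, blob in SAMPLES.items():
        hits = triage(fname, blob)
        print(f"{fname}: {'clean' if not hits else '; '.join(hits)}")
```

The magic-byte checks are deliberately narrow: a file that passes them is not proven benign, but a file that fails them while claiming a video extension is worth quarantining before anyone double-clicks it. Run over a freshly completed torrent directory, this catches the "movie that is really a script" pattern without needing a signature for any particular malware family.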

This type of malware is built for a single purpose: to give attackers unfettered access to the victim's Windows computer. Once they have a foothold, criminals can control the machine remotely, steal financial and personal information, or use the device to launch further attacks.

The trend of embedding malware in torrents and fake multimedia files that pretend to offer movies and TV shows is not new, but it has gained a lot of steam in the last year or so.

For example, Mission: Impossible – The Final Reckoning was used to spread the Lumma Stealer, which targets passwords, cookies, crypto wallets, credentials from remote desktop tools, and more.

The Agent Tesla malware delivered by this fake movie release has been used for years in many campaigns, including email phishing and lures posing as COVID-19 vaccination registration forms.

This investigation documents every layer of this new attack and shows how the components work together to evade detection.