When the CD shortcut is executed, it launches Windows commands that extract and run a malicious PowerShell script embedded in the subtitle file between lines 100 and 103.
This PowerShell script will then extract numerous AES-encrypted data blocks from the subtitles file again to reconstruct five PowerShell scripts that are dropped to ‘C:\Users<USER>\AppData\Local\Microsoft\Diagnostics.’
The extracted PowerShell scripts act as a malware dropper, performing the following actions on the host:
There isn’t really anything new to learn here. It’s still the same old, don’t run an executable to watch a movie. That the code is partly hidden in the srt/jpg is just a minor implementation detail.
…
Very interesting. Since I left windows, this isn’t an issue for me but I will be more aware that this can happen now.
There isn’t really anything new to learn here. It’s still the same old, don’t run an executable to watch a movie. That the code is partly hidden in the srt/jpg is just a minor implementation detail.
Kind of makes me want to install Clam AV just to watch for viruses I wouldn’t otherwise know about because I’m using Linux everywhere.
I did that for a while. It didn’t find any. I think because there weren’t any to find.