Home / Industry

Illegally Streaming “Spider-Man: No Way Home” Could Be Hazardous to Your Computer

Given the dangers that COVID-19 poses to people’s health and the emergence of new variants every so often, it’s easy to see why avid moviegoers would resort to streaming instead. But while they may indeed be avoiding the disease, their attempts to download pirated movies is not only illegal—it could put their computers at risk.

Spider-Man: No Way Home, which broke box office records despite the ensuing pandemic, could do just that. ReasonLabs researchers recently warned users that the Spider-Man: No Way Home torrent files may very well be malware carriers in disguise. Instead of getting a chance to watch the movie before its DVD or Blu-Ray versions come out or it’s made available on legitimate streaming services, users could line attackers’ pockets with cryptocurrency their XMR Miner-infected computers helped mine.

We took a closer look at the threat and discovered:

  • 15 IP addresses and three domains known to distribute XMR Miner
  • 614 domains that resolved to the identified IP addresses obtained via reverse IP lookups
  • 3 IP addresses that hosted the three domains identified as IoCs obtained via DNS lookups
  • 86 domains and 246 subdomains containing the strings “spider+man+download,” “spider+man+torrent,” “spider+man+online,” “spider+man+streaming,” and “spider+man+watch” obtained via Domains & Subdomains Discovery

As part of our ongoing effort to enable cybersecurity analysts and researchers to further their studies, we collated all pertinent data and made it available to anyone interested. You may download the related threat research materials here.

Publicly Available XMR Miner Indicators of Compromise

Unfortunately, reports and news articles didn’t provide collated lists of indicators of compromise (IoCs) related to the threat. A quick examination of VirusTotal XMR Miner reports, however, allowed us to identify 15 IP addresses and three domains identified as malware hosts. Examples are 13[.]107[.]4[.]52, arc[.]msn[.]com, and 8[.]250[.]210[.]126.

Expanding the List of Indicators of Compromise

To enable users to get utmost protection from the threat, we dug deeper into the IoCs we initially obtained.

Reverse IP lookups for the 15 IP addresses gave us a list of 614 possibly connected domains as these shared hosts with the identified IoCs. Examples include:

  • 3[.]tlu[.]dl[.]delivery[.]mp[.]microsoft[.]com[.]c[.]footprint[.]net
  • abcvod[.]movenetworks[.]com[.]c[.]footprint[.]net
  • cdn-level3[.]streaming[.]ukfast[.]co[.]uk[.]c[.]footprint[.]net
  • disney[.]com[.]c[.]footprint[.]net
  • ea[.]na[.]lvlt[.]cdn[.]ea[.]com[.]c[.]footprint[.]net
  • fg[.]b1[.]download[.]windowsupdate[.]com[.]c[.]footprint[.]net
  • gs2[.]ww[.]prod[.]dl[.]playstation[.]net[.]c[.]footprint[.]net
  • ii[.]wbshop[.]com[.]c[.]footprint[.]net
  • level3[.]pdl[.]warnerbros[.]com[.]c[.]footprint[.]net
  • media[.]dcentertainment[.]com[.]c[.]footprint[.]net

Note the appearance of popular brand names in the domains, such as “microsoft,” “disney,” “playstation,” “warnerbros,” and “dcentertainment.”

Careful scrutiny of the dates the domains were first seen revealed that none of them were registered close to the 17 December 2021 Spider-Man: No Way Home U.S. release date, sites hosted on domains like iwanttfc[.]com, bittorrent-sw[.]vo[.]llnwd[.]net, blinkbox[.]vo[.]llnwd[.]net, delvenetworks[.]com, and hbo[.]vo[.]llnwd[.]net may trick users into thinking they can download the movie from the pages. Most of these websites were either blank or resolved to error pages based on screenshot lookups. Two domains, in particular, led to what looks to be the same streaming service page.

Screenshot Lookup result for delvenetworks[.]com (left) and Screenshot Lookup result for limelightvideoplatform[.]com (right)

DNS lookups, as mentioned earlier, led to three connected IP addresses. While none of them were malicious at the time of writing, their ties to the domains identified as IoCs on VirusTotal should make users wary of accessing them.

Streaming and Download Sites Users Should Steer Clear Of

Apart from breaking current box office records, Spider-Man: No Way Home reviews are bound to make more people want to watch the movie as soon as possible. We scoured the Web for domains and subdomains that contained Spider-Man-related strings.

Domains & Subdomains Discovery provided a list of 86 domains and 246 subdomains containing the strings “spider+man+download,” “spider+man+torrent,” “spider+man+online,” “spider+man+streaming,” and “spider+man+watch.” While none of them are dubbed “dangerous” by malware databases to date, any of them could be abused to infect the computers of unsuspecting users who wished to watch the latest Marvel Universe offering. Examples of the domains and subdomains are shown in the table below.

Sample DomainsSample Subdomains
spidermandownloads[.]com
marvelsspiderman[.]download
spiderman[.]online
spider-man[.]online
spidermannowayhome[.]online
hi-res-spiderman[.]downloads[.]filetransit[.]com
download-spider-man-3-free[.]weebly[.]com
spidermannowayhomedownloadforfree[.]blogspot[.]com
spider-man-online[.]webnode[.]com
spider-man-2021-online-hd[.]tumblr[.]com

Based on our analysis, it’s clear that attackers could use several avenues (domains, subdomains, and IP addresses) for malicious campaigns trailing their sites on people desperate to watch Spider-Man: No Way Home. Users would do well to avoid accessing the web properties mentioned in this post.

If you wish to perform a similar investigation, please don’t hesitate to contact us. We’re always on the lookout for potential research collaborations.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.

Visit Page

Filed Under

Comments

Commenting is not available in this channel entry.
CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

VINTON CERF
Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Related

Topics

Cybersecurity

Sponsored byVerisign

DNS

Sponsored byDNIB.com

IPv4 Markets

Sponsored byIPv4.Global

Brand Protection

Sponsored byCSC

Domain Names

Sponsored byVerisign

Threat Intelligence

Sponsored byWhoisXML API

New TLDs

Sponsored byRadix