Given the dangers that COVID-19 poses to people’s health and the emergence of new variants every so often, it’s easy to see why avid moviegoers would resort to streaming instead. But while they may indeed be avoiding the disease, their attempts to download pirated movies is not only illegal—it could put their computers at risk.

Spider-Man: No Way Home, which broke box office records despite the ensuing pandemic, could do just that. ReasonLabs researchers recently warned users that the Spider-Man: No Way Home torrent files may very well be malware carriers in disguise. Instead of getting a chance to watch the movie before its DVD or Blu-Ray versions come out or it’s made available on legitimate streaming services, users could line attackers’ pockets with cryptocurrency their XMR Miner-infected computers helped mine.

We took a closer look at the threat and discovered:

• 15 IP addresses and three domains known to distribute XMR Miner
• 614 domains that resolved to the identified IP addresses obtained via reverse IP lookups
• 3 IP addresses that hosted the three domains identified as IoCs obtained via DNS lookups
• 86 domains and 246 subdomains containing the strings “spider+man+download,” “spider+man+torrent,” “spider+man+online,” “spider+man+streaming,” and “spider+man+watch” obtained via Domains & Subdomains Discovery

As part of our ongoing effort to enable cybersecurity analysts and researchers to further their studies, we collated all pertinent data and made it available to anyone interested. You may download the related threat research materials here.

Publicly Available XMR Miner Indicators of Compromise

Unfortunately, reports and news articles didn’t provide collated lists of indicators of compromise (IoCs) related to the threat. A quick examination of VirusTotal XMR Miner reports, however, allowed us to identify 15 IP addresses and three domains identified as malware hosts. Examples are 13[.]107[.]4[.]52, arc[.]msn[.]com, and 8[.]250[.]210[.]126.

Expanding the List of Indicators of Compromise

To enable users to get utmost protection from the threat, we dug deeper into the IoCs we initially obtained.

Reverse IP lookups for the 15 IP addresses gave us a list of 614 possibly connected domains as these shared hosts with the identified IoCs. Examples include:

• 3[.]tlu[.]dl[.]delivery[.]mp[.]microsoft[.]com[.]c[.]footprint[.]net
• abcvod[.]movenetworks[.]com[.]c[.]footprint[.]net
• cdn-level3[.]streaming[.]ukfast[.]co[.]uk[.]c[.]footprint[.]net
• disney[.]com[.]c[.]footprint[.]net
• ea[.]na[.]lvlt[.]cdn[.]ea[.]com[.]c[.]footprint[.]net
• fg[.]b1[.]download[.]windowsupdate[.]com[.]c[.]footprint[.]net
• gs2[.]ww[.]prod[.]dl[.]playstation[.]net[.]c[.]footprint[.]net
• ii[.]wbshop[.]com[.]c[.]footprint[.]net
• level3[.]pdl[.]warnerbros[.]com[.]c[.]footprint[.]net
• media[.]dcentertainment[.]com[.]c[.]footprint[.]net

Note the appearance of popular brand names in the domains, such as “microsoft,” “disney,” “playstation,” “warnerbros,” and “dcentertainment.”

Careful scrutiny of the dates the domains were first seen revealed that none of them were registered close to the 17 December 2021 Spider-Man: No Way Home U.S. release date, sites hosted on domains like iwanttfc[.]com, bittorrent-sw[.]vo[.]llnwd[.]net, blinkbox[.]vo[.]llnwd[.]net, delvenetworks[.]com, and hbo[.]vo[.]llnwd[.]net may trick users into thinking they can download the movie from the pages. Most of these websites were either blank or resolved to error pages based on screenshot lookups. Two domains, in particular, led to what looks to be the same streaming service page.

DNS lookups, as mentioned earlier, led to three connected IP addresses. While none of them were malicious at the time of writing, their ties to the domains identified as IoCs on VirusTotal should make users wary of accessing them.

Streaming and Download Sites Users Should Steer Clear Of

Apart from breaking current box office records, Spider-Man: No Way Home reviews are bound to make more people want to watch the movie as soon as possible. We scoured the Web for domains and subdomains that contained Spider-Man-related strings.

Domains & Subdomains Discovery provided a list of 86 domains and 246 subdomains containing the strings “spider+man+download,” “spider+man+torrent,” “spider+man+online,” “spider+man+streaming,” and “spider+man+watch.” While none of them are dubbed “dangerous” by malware databases to date, any of them could be abused to infect the computers of unsuspecting users who wished to watch the latest Marvel Universe offering. Examples of the domains and subdomains are shown in the table below.

Based on our analysis, it’s clear that attackers could use several avenues (domains, subdomains, and IP addresses) for malicious campaigns trailing their sites on people desperate to watch Spider-Man: No Way Home. Users would do well to avoid accessing the web properties mentioned in this post.

If you wish to perform a similar investigation, please don’t hesitate to contact us. We’re always on the lookout for potential research collaborations.