February 6, 2017 By Larry Loeb 2 min read

Cybercriminals have been using digital rights management (DRM) files in Windows to transport malware for a while. Social engineering was often an integral part of this process since any attempt to open these files in Windows Media Player (WMP) would then generate a pop-up that redirected the target’s default browser to an attacker-controlled website. That website was the beginning of an infection.

Now, attackers are using this process for more than just malware. Researchers recently found that the Tor browser and privacy controls can be affected by a malicious DRM file.

Malicious DRM Files

Malicious DRM files work by causing Windows Media Player (WMP) to generate a pop-up requesting permission to redirect the default browser “to the content provider’s website to find out how to obtain the necessary play rights,” Hacker House reported. Once a user agrees, he or she is sent to a malware-laden page and the infection process begins. However, this only happens when users attempt to open unlicensed files.

But now, cybercriminals have devised a way for a file with a proper DRM license to redirect the browser without so much as a prompt. Not only could this lead to malware, but it could also contribute to a massive loss of privacy for certain users.

Tor Troubles

Bleeping Computer, reporting on the Hacker House findings, noted that these DRM files can cause problems when opened in the privacy-enhanced Tor browser. Attackers can capture victims’ credentials surreptitiously by using cryptographically signed DRM files.

The attackers’ website appears legitimate to detract attention from the fraudulent URL. Users who interact with the site risk revealing their IP addresses or other credentials through normal system calls. For Tor users, many of whom are using the browser specifically to hide these details, this is a worst case scenario.

Hacker House posted a short video that showed how the malware operators can extract a victim’s IP with a single click. It’s easy to see how a malicious, signed DRM file might also silently ping an attacker-controlled URL to report a victim’s status and location.

Big Money Malware

Since the DRM signing process can cost around $10,000, only cybercriminals with deep pockets can fund such a scheme. Those who can afford it, however, have a significant advantage when it comes to spreading malware.

This social engineering scheme is sneaky enough to fool even security-savvy Tor users. To be safe, everyone should avoid all unknown DRM files, no matter how enticing the title may be.

More from

Is AI saving jobs… or taking them?

3 min read - Artificial intelligence (AI) is coming to take your cybersecurity job. Or, AI will save your job.Well, which is it?As with all things security-related, AI-related and employment-related, it's complicated.How AI creates jobsA major reason it's complicated is that AI is helping to increase the demand for cybersecurity professionals in two broad ways. First, malicious actors use AI to get past security defenses and raise the overall risk of data breaches. The bad guys can increasingly use AI-based tools for improved reconnaissance…

CISA warns about credential access in FY23 risk & vulnerability assessment

3 min read - CISA released its Fiscal Year 2023 (FY23) Risk and Vulnerability Assessments (RVA) Analysis, providing a crucial look into the tactics and techniques threat actors employed to compromise critical infrastructure. The report is part of the agency’s ongoing effort to improve national cybersecurity through assessments of vulnerabilities in key sectors. Meanwhile, IBM’s X-Force Threat Intelligence Index 2024 has identified credential access as one of the most significant risks to organizations.Both reports shed light on the persistent and growing threat of credential…

Are we getting better at quantifying risk management?

4 min read - As cyber threats grow more sophisticated and pervasive, the need for effective risk management has never been greater. The challenge lies not only in defining risk mitigation strategy but also in quantifying risk in ways that resonate with business leaders. The ability to translate complex technical risks into understandable and actionable business terms has become a crucial component of securing the necessary resources for cybersecurity programs.What approach do companies use today for cyber risk quantification? And how has cyber risk…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today