Malware hiding in Textbooks and Essays

For students buying a new year's worth of academic material and textbooks, the price of the books can be overwhelming. For those students, a quick search may reveal that the book they desperately need is available for free online. For a lot of students, free beats paid 99% of the time. Sadly, according to Kaspersky, many of these free textbooks are loaded with numerous strains of malware. Hackers have commonly looked to infect those illegally downloading movies or TV series, as well as those looking to get an advantage over others with cheat codes in games. Both have long been hunting grounds for hackers, but the loading of malware onto free academic material shows that hackers never bind themselves to just one method when targeting users.

In an article, Kaspersky revealed that:

“As it turns out, over the past academic year, cybercriminals who have been targeting the field of education have tried to attack our users more than 356,000 times in total. Of these, 233,000 cases were malicious essays that were downloaded to computers owned by more than 74,000 people and that our solutions managed to block.”

Of those instances, over 120,000 (about a third) were linked with malware disguised as textbooks, with over 30,000 users attempting to open the compromised academic material. In many cases, the compromised textbooks related to material for K-12 students, a collective term for students before they attend college or other forms of tertiary education. Textbooks on English and maths appear to be the most popular targets for hackers to load with malware variants; textbooks on the natural sciences and foreign languages were targeted less. Hackers used a wide variety of malware strains, giving less importance to the type of malware and more to simply infecting those looking for free academic material.


Of the numerous malware strains used by hackers to infect users looking to download free academic material, four seemed to be the most popular. Fourth place went to MediaGet, normally a free download that operates as a plugin for a torrent downloader. While not the most dangerous piece of malware (even calling it malware is a little generous), when used by hackers it is still an application installed without the user's agreement and can be a pain for the user in the long run. The third most popular piece of malware seen is the WinLNK.Agent.gen downloader. This malicious downloader hides in archives such as .zip or .rar files, making it harder to detect. The archive contains a shortcut to a text file, which not only opens the document itself but also launches the attached malware components. This piece of malware is used to download and install other strains of malware; hackers can use it to install cryptominers or ransomware onto the victim's system at a later date. By delaying the payloads, the victim may incorrectly assume that the downloaded textbook was safe and continue to download other compromised files.

In second place was another malicious downloader, Win32.Agent.ifdx, which is often seen hidden in DOC, DOCX or PDF file formats. The downloader often appears as a document, complete with the correct icons, but it is in fact an application which can be used to download other pieces of malware, just like in the example above. Recently, the downloader has been seen later downloading a range of cryptominers. This does not mean that it is and will be used exclusively for downloading cryptominers; it can be used to download anything from ransomware to banking trojans. While called downloaders, WinLNK.Agent and Win32.Agent can also be referred to as trojans, as they effectively open a backdoor to the victim's computer, which can be used to download other pieces of malware if and when the hacker feels like it.
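The two disguises described above (a shortcut packed into an archive beside the document, and an executable wearing a document's extension and icon) can both be caught before the file is opened by looking at what the bytes actually are rather than what the name claims. The script below is an added example written for this article, not code from PCrisk or Kaspersky; every sample file in it is constructed inline (a fake PE stub, a fake shell-link header, a small ZIP), and it parses only ZIP archives because RAR support is not in the Python standard library.

```python
"""Added example (not from the PCrisk article): flag two of the disguises
described in the text before a downloaded 'textbook' is opened.

1. An executable carrying a document extension (the Win32.Agent.ifdx style
   disguise): the magic bytes say PE, the name says .pdf/.doc/.docx.
2. An archive that contains a Windows shortcut (.lnk) next to the document
   (the WinLNK.Agent.gen style disguise).

All sample inputs are constructed here; no real malware is involved.
Only ZIP archives are inspected (stdlib zipfile); RAR needs an extra library.
"""
import io
import zipfile

# Leading bytes that identify each format we care about.
MAGIC = {
    "pdf": b"%PDF",
    "doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",   # OLE compound file (legacy .doc)
    "zip": b"PK\x03\x04",                         # ZIP container (also .docx)
    "exe": b"MZ",                                 # PE executable (DOS stub)
    # Shell link header: HeaderSize 0x4C followed by the LinkCLSID
    # 00021401-0000-0000-C000-000000000046 in little-endian GUID layout.
    "lnk": b"\x4c\x00\x00\x00\x01\x14\x02\x00\x00\x00\x00\x00"
           b"\xc0\x00\x00\x00\x00\x00\x00\x46",
}
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "txt"}


def detect_type(data: bytes) -> str:
    """Return a format label based on the file's leading bytes, or 'unknown'."""
    # Longer, more specific signatures are checked before the generic ones.
    for label in ("lnk", "doc", "pdf", "exe", "zip"):
        if data.startswith(MAGIC[label]):
            return label
    return "unknown"


def check_file(name: str, data: bytes) -> list:
    """Return human-readable findings for one file (recursing into ZIPs)."""
    findings = []
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    kind = detect_type(data)
    if kind == "exe" and ext in DOCUMENT_EXTENSIONS:
        findings.append(f"{name}: PE executable disguised as .{ext}")
    if kind == "lnk" or ext == "lnk":
        findings.append(f"{name}: Windows shortcut found where a document was expected")
    if ext == "zip" and kind == "zip":
        findings.extend(check_archive(name, data))
    return findings


def check_archive(name: str, data: bytes) -> list:
    """Apply check_file to every member of a ZIP archive held in memory."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            findings.extend(check_file(f"{name}/{info.filename}", zf.read(info)))
    return findings


def build_samples() -> dict:
    """Constructed inputs standing in for a download folder (not real files)."""
    fake_pe = b"MZ" + b"\x00" * 62 + b"This program cannot be run in DOS mode."
    fake_lnk = MAGIC["lnk"] + b"\x00" * 40
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("essay.txt", b"Lorem ipsum essay text")
        zf.writestr("essay.txt.lnk", fake_lnk)   # shortcut packed beside the document
    return {
        "maths_textbook.pdf": b"%PDF-1.4\n% clean sample",   # genuine PDF header
        "english_textbook.pdf": fake_pe,                      # executable named as a PDF
        "essay_pack.zip": buf.getvalue(),                     # archive with a .lnk inside
    }


def scan_all(files: dict) -> list:
    """Scan a mapping of filename -> bytes and collect all findings in order."""
    findings = []
    for name, data in files.items():
        findings.extend(check_file(name, data))
    return findings


if __name__ == "__main__":
    for line in scan_all(build_samples()):
        print(line)
```

Running it reports the executable named english_textbook.pdf and the shortcut inside essay_pack.zip, and stays silent on the genuine PDF. A real deployment would add RAR parsing and resolve the .lnk target path, but the point here is that the extension and icon carry no weight once the header bytes are checked.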

The last of the big four, and in first place, is not a downloader but a worm. The worm, called Worm.Win32.Stalk.a by researchers at Kaspersky, or simply Stalk for short, was believed to no longer be in use. It turns out the worm was spread almost exclusively in material masquerading as academic essays and textbooks. Worms are pieces of malware which can automatically copy themselves and spread to other computers. Use of such malware had declined massively in popularity in recent years, then saw a resurgence with the leaking of EternalBlue, an NSA hacking tool which exploited a vulnerability and allowed malware to be spread laterally across networks; put differently, malware using it behaved exactly like a worm. In the case of Stalk, once a victim is infected, Stalk penetrates all devices that are connected to it. For example, it can infect other computers on the local network or a USB flash drive containing the educational materials. This is a very insidious step, because if you print out the essay using school or university resources via a flash drive, the worm will make its way onto the educational institution's network. Further, Stalk will attempt to email copies of itself to those in your contacts list to spread further across computers.

All of the above examples share one thing in common: the delivery method. Users are often warned about downloading pirated software, movies, games, and TV series, which target a wide audience of potential victims. Further, users are warned not to download applications that assist or downright cheat at their favorite online games. Little warning exists for those looking to better themselves through education. The price of textbooks and subscriptions to academic journals can be, and more often than not is, expensive, meaning that students will look for better bargains. What better bargain exists than free? However, compromised files are never really free; they come with unwanted passengers and further headaches.


About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has over five years of experience in this field. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about the technical aspects and behavior of various malicious applications.
