Malware Masked as Textbooks and Essays
Cybercriminals do not just limit themselves to entertainment products. You can also stumble upon a virus when looking for work- or study-related materials.
Security researchers from Kaspersky checked how frequently malicious content is encountered among materials that are posted for free access. To do this, they checked how many infections Kaspersky solutions identified in files with school- and student-related filenames.
They found that, over the past academic year, cybercriminals who have been targeting the field of education tried to attack Kaspersky users more than 356,000 times in total. Of these, 233,000 cases were malicious essays that were downloaded to computers owned by more than 74,000 people and that Kaspersky solutions managed to block.
About a third of those files were textbooks: the researchers detected 122,000 attacks by malware that was disguised as textbooks. More than 30,000 users tried to open these files.
English textbooks hiding malware were most popular among K-12 students with 2,080 attempted downloads. Math textbooks were the next most common, nearly infecting the computers of 1,213 students. Literature closes out the top three most dangerous subjects with 870 potential victims.
Criminals also targeted less popular subjects. The researchers have come across malware masquerading as textbooks in the natural sciences (18 users tried to download these) and in less commonly taught foreign languages at both the K-12 and college levels.
The four malware types most frequently distributed under the guise of study materials are the following:
MediaGet torrent application downloader
Sites with textbooks that are littered with enticing ‘Free Download’ buttons often give users the MediaGet downloader instead of the document they were looking for. This is the most innocuous of the surprises that await K-12 and college students searching for educational resources: the downloader retrieves a torrent client that the user does not need.
WinLNK.Agent.gen downloader
Malware likes to hide in archives, since it is more difficult to detect a threat when it is inside a zip or rar file. This is the technique that is used, for example, by the WinLNK.Agent.gen downloader, which is also easy to pick up when you are looking for textbooks and essays. The archive contains a shortcut to a text file, which not only opens the document itself, but also launches the attached malware components.
They, in turn, can download another infection to the device. As a rule, these are malicious cryptomining programs that mine cryptocurrency for their owners using your device’s resources. As a result, your computer and internet connection speed will suffer, and your electricity bill may go up. Adware could also flood you with ad offers that you can’t refuse. In addition, this malware can download more dangerous programs.
Win32.Agent.ifdx malware downloader
There’s another downloader that’s often hidden under the guise of a textbook or an essay seemingly in DOC, DOCX or PDF format. Despite the fact that it pretends to be a document with the corresponding icon, it is in fact a program. Moreover, when it is launched it also opens a text file so that the victim does not realize that anything suspicious is going on. However, its main task is to download all sorts of bad things onto the victim’s computer.
Recently, this type of malware has shown a tendency to download various cryptominers. It is worth remembering that the priorities of malware distributors can change. Nothing prevents them from modifying the malware to download spyware, banking trojans that steal data from cards and accounts at online banks and stores, or even ransomware instead of cryptocurrency miners.
1st place: school spamming using the Stalk worm
You can also get infected without visiting dubious sites: spammers distribute malicious textbooks and essays too. This is the preferred method by which the Worm.Win32.Stalk.a worm is spread, for example.
Once it makes its way onto a computer, Stalk penetrates all devices that are connected to it. For example, it can infect other computers on the local network or a USB flash drive containing the educational materials. This is a very insidious step, because if you print out the essay using school or university resources via a flash drive, the worm will make its way onto the educational institution network.
However, this malware is not content with just doing this. To infect as many systems as possible, it will try to email itself to your contacts in your name. Fellow students and classmates are very likely to decide that your message is safe and open the attached malicious application.
Naturally, Stalk is dangerous not only because of its ability to spread itself over a local network and by email. The malware can download other malicious applications to the infected device, and also surreptitiously copy and send files from your computer to the malware owners.
One of the main probable reasons the Stalk worm is still able to thrive is that educational institutions in general, and their printer systems in particular, often run hopelessly outdated versions of operating systems and other software. This allows the worm to keep spreading.
How to protect yourself from malicious ‘textbooks’ and ‘essays’
To avoid infection:
- If possible, search for the books you need in physical or online libraries.
- Always pay attention to what type of site is hosting the textbook that you want to download. Do not visit dubious resources that are full of flashing ‘download’ buttons or that require you to install a downloader first.
- Do not use outdated versions of operating systems and other software.
- Be critical of email attachments, including ones that are sent from acquaintances.
- Pay attention to the extensions of the files that you are downloading. If you download an EXE file instead of a document, then you should not open it.
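The last tip can be automated. The script below is an added example, not Kaspersky's code or the article's own material: it checks a downloaded "textbook" for the three disguises the article describes (a program carrying a document icon and name, a double extension such as essay.docx.exe, and a shortcut packed into an archive next to the real text file). The sample files it scans are constructed in memory and are not real malware.

```python
import os
import zipfile
from io import BytesIO

# Extensions the article says malware impersonates, and ones Windows will execute.
DOCUMENT_EXTS = {".doc", ".docx", ".pdf", ".txt", ".rtf"}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".lnk"}
PE_MAGIC, LNK_MAGIC, ZIP_MAGIC = b"MZ", b"L\x00\x00\x00", b"PK\x03\x04"

def check_name(filename):
    """Warnings derived from the file name alone (double extensions etc.)."""
    warnings = []
    root, ext = os.path.splitext(filename.lower())
    if ext in EXECUTABLE_EXTS:
        warnings.append(f"executable extension {ext}")
        inner = os.path.splitext(root)[1]  # 'essay.docx.exe' -> '.docx'
        if inner in DOCUMENT_EXTS:
            warnings.append(f"double extension {inner}{ext} mimics a document")
    return warnings

def check_file(filename, data):
    """Name checks plus header checks; zip members are checked recursively."""
    warnings = check_name(filename)
    ext = os.path.splitext(filename.lower())[1]
    if data.startswith(PE_MAGIC) and ext in DOCUMENT_EXTS:
        warnings.append("PE (MZ) header inside a file named like a document")
    if data.startswith(LNK_MAGIC) and ext != ".lnk":
        warnings.append("shortcut (LNK) header under a non-.lnk name")
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(BytesIO(data)) as zf:
                for member in zf.namelist():
                    warnings += [f"{member}: {w}" for w in check_file(member, zf.read(member))]
        except zipfile.BadZipFile:
            warnings.append("unreadable zip archive")
    return warnings

def constructed_samples():
    """Constructed samples (not real malware) in the shapes the article describes."""
    buf = BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("essay.txt", "Lorem ipsum")                 # the decoy document
        zf.writestr("essay.txt.lnk", LNK_MAGIC + b"\x00" * 16)  # the shortcut beside it
    return {
        "algebra_textbook.pdf": PE_MAGIC + b"\x90" * 60,        # PE bytes, PDF name
        "history_essay.docx.exe": PE_MAGIC + b"\x00" * 60,      # double extension
        "literature_essay.zip": buf.getvalue(),
        "real_notes.txt": b"Just plain notes",
    }
```

Run `check_file(name, data)` over each entry of `constructed_samples()`; only `real_notes.txt` comes back with an empty warning list.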