Raum weaponises torrents to deliver malware
Wed 21 Sep 2016
Security researchers have identified a malware distribution network that uses the web’s most popular torrents to deliver malware along with torrent downloads.
Researchers at InfoArmor found that cybercriminals were monitoring torrent sites to target the most popular downloads. Malware is inserted into the parsed torrent files, and the weaponized file is then placed for further distribution through torrent trackers. The malware discovered in torrent files includes CryptXXX; Pony, a password-stealing program; and Dridex, an online banking trojan.
Distribution methods for torrents containing malware have changed over time. Initially, infected files were distributed using uTorrent, one of the most widely used BitTorrent clients worldwide. Now, however, it appears that the threat actors have created a new infrastructure of dedicated and virtual servers, including hacked devices, which are then used to seed malicious torrents.
InfoArmor identified over 1.6 million records of infected victims that have been compromised. Private material accessed by torrent-distributed malware included credentials associated with online services, corporate and business information, and social media and gaming resources.
The Raum tool has been distributed to threat actors by invitation only. They then distribute malware through torrents under a pay-per-install (PPI) model: the more times users unknowingly install the malware, the more money the cybercriminal is due.
Torrents found on popular sites such as The Pirate Bay, Kickass Torrents, and TorrentHound are under scrutiny because they are often used to share copyrighted material illegally between users. These materials include movies, music, and games. Then, last week, Google blocked access to The Pirate Bay on Chrome and Firefox, warning users that the site contained harmful programs. Users seeking access to the site encountered this statement: “Attackers on thepiratebay.org might attempt to trick you into installing programs that harm your browsing experience (for example, by changing your homepage or showing extra ads on sites you visit).”
The team at InfoArmor recommends that users exercise extreme caution when visiting torrent download sites or downloading pirated files.