If you download torrents, this news definitely concerns you. InfoArmor researchers have just disclosed RAUM, a tool employed by the Eastern European organized cybercrime group Black Team to spread malware via malicious torrents. The payloads seen in the campaign are mostly ransomware, though not exclusively: the weaponized torrents deliver ransomware such as CryptXXX or Cerber, but also the Dridex banking Trojan and the Pony information stealer.
Ransomware and Malware Dropped with Torrents
The operators bundle their malware with the most popular torrent content available online. The cybercriminals have clearly analyzed the torrent market and have chosen viral video, audio, software and other digital content downloads as their lures. The worst part is that well-known torrent trackers are leveraged in the malicious scenario: the researchers found weaponized torrents, that is, popular content packaged together with malware, being distributed through them.
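Because a .torrent file is just a bencoded dictionary whose "info" section lists every file the swarm will deliver, a torrent advertised as a video or album that also ships .exe or .scr files can be spotted before a single byte of the payload is downloaded. The script below is an added example, not code from the InfoArmor report or from any tool the page describes: it implements a minimal bencode decoder and encoder, extracts the file list for both single- and multi-file torrents, computes the infohash that trackers and blocklists key on, and flags executable payloads. The metainfo it scans is constructed for this example, and the list of executable extensions is an assumption to be extended as needed.

```python
"""Flag executable payloads in a .torrent's file list (added example)."""
import hashlib
import os

# File types that have no business in a media torrent (assumed list, extend as needed).
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi", ".hta",
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".ps1", ".lnk",
}
MEDIA_EXTENSIONS = {".mp4", ".mkv", ".avi", ".mp3", ".flac", ".srt"}


def bdecode(data: bytes):
    """Minimal bencode decoder (byte strings, ints, lists, dicts) per BEP 3."""
    def parse(i):
        c = data[i:i + 1]
        if c == b"i":                       # integer: i<digits>e
            end = data.index(b"e", i)
            return int(data[i + 1:end]), end + 1
        if c == b"l":                       # list: l<items>e
            items, i = [], i + 1
            while data[i:i + 1] != b"e":
                item, i = parse(i)
                items.append(item)
            return items, i + 1
        if c == b"d":                       # dict: d<key><value>...e
            result, i = {}, i + 1
            while data[i:i + 1] != b"e":
                key, i = parse(i)
                value, i = parse(i)
                result[key] = value
            return result, i + 1
        if c.isdigit():                     # byte string: <len>:<bytes>
            colon = data.index(b":", i)
            length = int(data[i:colon])
            start = colon + 1
            return data[start:start + length], start + length
        raise ValueError(f"bad bencode at offset {i}")
    value, end = parse(0)
    if end != len(data):
        raise ValueError("trailing bytes after bencoded value")
    return value


def bencode(value) -> bytes:
    """Bencode encoder; dict keys are emitted sorted, as BEP 3 requires."""
    if isinstance(value, int):
        return b"i%de" % value
    if isinstance(value, bytes):
        return b"%d:%s" % (len(value), value)
    if isinstance(value, list):
        return b"l" + b"".join(bencode(v) for v in value) + b"e"
    if isinstance(value, dict):
        return b"d" + b"".join(bencode(k) + bencode(value[k]) for k in sorted(value)) + b"e"
    raise TypeError(f"cannot bencode {type(value).__name__}")


def torrent_files(meta):
    """Return [(path, length)] for both single-file and multi-file torrents."""
    info = meta[b"info"]
    if b"files" in info:
        return [("/".join(p.decode("utf-8", "replace") for p in f[b"path"]), f[b"length"])
                for f in info[b"files"]]
    return [(info[b"name"].decode("utf-8", "replace"), info[b"length"])]


def info_hash(meta) -> str:
    """SHA-1 of the bencoded info dict, the identifier trackers and blocklists use.
    Re-encoding matches the original only for canonically encoded torrents;
    production tools hash the raw bytes of the info dict instead."""
    return hashlib.sha1(bencode(meta[b"info"])).hexdigest()


def suspicious_entries(meta):
    """Flag files that should not appear in a media torrent, with a reason."""
    findings = []
    for path, _length in torrent_files(meta):
        name = os.path.basename(path).lower()
        stem, ext = os.path.splitext(name)
        if ext in EXECUTABLE_EXTENSIONS:
            _, inner = os.path.splitext(stem)   # catches Movie.mp4.scr style double extensions
            reason = ("media name with executable extension" if inner in MEDIA_EXTENSIONS
                      else "executable payload")
            findings.append((path, reason))
    return findings


def scan_torrent(data: bytes):
    """Decode raw .torrent bytes and report infohash plus suspicious entries."""
    meta = bdecode(data)
    return {"info_hash": info_hash(meta), "findings": suspicious_entries(meta)}


# Constructed metainfo for a "movie" torrent that also ships two executables (sample input).
SAMPLE_TORRENT = bencode({
    b"announce": b"http://tracker.example/announce",
    b"info": {
        b"name": b"Popular.Movie.2016.1080p",
        b"piece length": 262144,
        b"pieces": b"\x00" * 20,
        b"files": [
            {b"path": [b"Popular.Movie.2016.1080p.mkv"], b"length": 1_400_000_000},
            {b"path": [b"Subs", b"eng.srt"], b"length": 81_000},
            {b"path": [b"Codec_Pack_Install.exe"], b"length": 912_384},
            {b"path": [b"Popular.Movie.2016.1080p.mp4.scr"], b"length": 655_360},
        ],
    },
})

if __name__ == "__main__":
    report = scan_torrent(SAMPLE_TORRENT)
    print("infohash:", report["info_hash"])
    for path, reason in report["findings"]:
        print(f"  {reason}: {path}")
```

Run it against a real .torrent by passing the file's bytes to `scan_torrent`. The infohash is worth logging even for clean torrents: it is the stable identifier to share with a blocklist or to correlate across the "dedicated and virtual servers" the researchers describe as seeding the same content.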
According to the report:
The so-called “RAUM” tool has been actively used on uncovered underground affiliate networks based on a “Pay-Per-Install” model (PPI). This model leverages paying cybercriminals to distribute malware through modified torrent files that are joined with malware. Members of these networks are invited by special invitation only, with strict verification of each new member.
We have already written about the pay-per-install model, which is often to blame for the distribution of unwanted and malicious software. Symantec researchers have previously dubbed pay-per-install "the new malware distribution network", stressing that in the past malware (worms, for instance) self-propagated by exploiting server-side vulnerabilities, whereas today distribution is bought as a service. That research also documented the deceptive practices of some commercial PPI operators, practices that persist and will likely continue to do so.
In terms of the RAUM tool, “initially, the bad actors have used the uTorrent client in order to distribute the files. More recently, they have deployed a special infrastructure that allows them to manage new seeds using a broad network of dedicated and virtual servers – including hacked devices,” researchers say.
Furthermore, the cybercriminals were also seeding torrents via newly created accounts and via compromised accounts belonging to other users. The latter was presumably done to lend the uploaded files the good reputation of established uploaders.
The researchers also write:

We have identified in excess of 1,639,000 records collected in the past few months from the infected victims with various credentials to online services, gaming, social media, corporate resources and exfiltrated data from the uncovered network.
Why are torrents being deployed in malware distribution?
The obvious answer is that cybercriminals are using this scheme and the RAUM tool as an alternative to running a botnet for distribution. The pay-per-install model also pays off quite well, as affiliates are paid for each successful malware drop.
To reduce the risk of a malicious download, keep a reputable anti-malware program installed and up to date, and treat any executable or installer bundled with a video, audio or other media torrent as hostile, since that is exactly how this campaign delivers its payloads.