InfoArmor has identified a tool that cybercriminals use to distribute malware by bundling it with the most popular torrent files on the Internet. The actors analyze global download trends for video, audio, software and other digital content, then seed weaponized versions of that content, packaged with malicious code, on well-known torrent trackers.

The tool, known as “RAUM,” is actively used within underground affiliate networks that operate on a “Pay-Per-Install” (PPI) model: affiliates are paid for each machine they infect by distributing modified torrent files bundled with malware. Membership in these networks is by invitation only, and each new member is strictly vetted.

The threat actors’ infrastructure is built around a monitoring system that provides them with the latest analytics on download trends, together with several network nodes used to seed and leech the torrents and to monitor their status. Despite the recent legal actions against well-known torrent sites such as KickassTorrents, many torrent trackers are still actively used by cybercriminals to distribute malicious files under the cover of legitimate app and media file sharing. RAUM is a good example of a tool used by the Eastern European organized crime group known as “Black Team,” which has successfully commercialized this activity by infecting thousands of unsuspecting users.

According to expert estimates, malicious torrents infect over 12 million users a month, creating significant security risks for users on many platforms. In many instances, popular ransomware such as CryptXXX, CTB-Locker and Cerber, the online-banking Trojan Dridex, the password-stealing spyware Pony and other malware families were associated with the identified RAUM instances. We have identified in excess of 1,639,000 records, collected over the past few months from infected victims, containing credentials for online services, gaming, social media and corporate resources, as well as other data exfiltrated from the uncovered network.

The Dashboard of Malicious Torrents Management

The threat actors systematically monitored the status of the malicious seeds they created on well-known torrent trackers such as The Pirate Bay, ExtraTorrent and many others. In some cases they specifically sought out compromised accounts of other users of these communities, extracted from botnet logs, and used them to create new seeds on behalf of the affected victims without their knowledge, so that the uploaded files inherited the reputation of the hijacked account. In some cases the lifespan of these malicious seeds exceeded 1.5 months and resulted in thousands of successful downloads.

Initially, the bad actors used the uTorrent client to distribute the files. More recently, they have deployed a dedicated infrastructure that lets them manage new seeds from a broad network of dedicated and virtual servers, including hacked devices.

Architecture of Uncovered Malicious Torrent Distribution Networks

The categories most attractive for monitoring and repackaging with malware are PC-based online games and activation files for current operating systems, including Microsoft Windows and Mac OS. In addition, several fake torrent-tracker landing pages that push malware installs, promoted through search engine poisoning, have also been identified.
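As an added example (not part of the InfoArmor report and not the RAUM tooling), the following Python inspects a .torrent file the way a defender might triage one: it parses the bencoded metadata, computes the infohash (the value trackers and blocklists key on) from the raw bytes of the info dictionary, and flags a torrent that advertises media content but also delivers an executable, including the double-extension disguise of the form "Movie.mkv.exe". The bencode parser, the file-type heuristics, the tracker URL and the sample torrent are all constructed here for illustration and should be tuned before being used for real triage.

```python
"""Added example: inspect a .torrent file for signs of repackaged malware.

Not part of the InfoArmor report; the heuristics, the tracker URL and the
sample torrent below are constructed for illustration.
"""
import hashlib
import os


def bdecode(data: bytes, i: int = 0):
    """Decode one bencoded value at data[i]; return (value, index after it)."""
    c = data[i:i + 1]
    if c == b"i":                                   # integer: i<digits>e
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c == b"l":                                   # list: l<values>e
        items, i = [], i + 1
        while data[i:i + 1] != b"e":
            item, i = bdecode(data, i)
            items.append(item)
        return items, i + 1
    if c == b"d":                                   # dict: d<key><value>...e
        items, i = {}, i + 1
        while data[i:i + 1] != b"e":
            key, i = bdecode(data, i)
            value, i = bdecode(data, i)
            items[key] = value
        return items, i + 1
    if c.isdigit():                                 # byte string: <len>:<bytes>
        colon = data.index(b":", i)
        n = int(data[i:colon])
        return data[colon + 1:colon + 1 + n], colon + 1 + n
    raise ValueError(f"malformed bencode at offset {i}")


def bencode(value) -> bytes:
    """Encode a value as bencode (used here only to build the sample torrent)."""
    if isinstance(value, int):
        return b"i%de" % value
    if isinstance(value, bytes):
        return b"%d:" % len(value) + value
    if isinstance(value, list):
        return b"l" + b"".join(bencode(v) for v in value) + b"e"
    if isinstance(value, dict):
        return b"d" + b"".join(bencode(k) + bencode(value[k]) for k in sorted(value)) + b"e"
    raise TypeError(f"cannot bencode {type(value).__name__}")


def info_hash(torrent: bytes) -> str:
    """SHA-1 of the raw bytes of the top-level 'info' value: the infohash that
    trackers, DHT and blocklists key on. The original bytes are sliced rather
    than re-encoded, so a non-canonically encoded file still hashes correctly."""
    if torrent[:1] != b"d":
        raise ValueError("not a bencoded dictionary")
    i = 1
    while torrent[i:i + 1] != b"e":
        key, i = bdecode(torrent, i)
        start = i
        _, i = bdecode(torrent, i)
        if key == b"info":
            return hashlib.sha1(torrent[start:i]).hexdigest()
    raise ValueError("no info dictionary")


def torrent_files(meta: dict) -> list:
    """Return the paths a torrent will write (single-file or multi-file form)."""
    info = meta[b"info"]
    name = info[b"name"].decode("utf-8", "replace")
    if b"files" not in info:
        return [name]
    return [name + "/" + "/".join(p.decode("utf-8", "replace") for p in f[b"path"])
            for f in info[b"files"]]


# Constructed extension sets for the heuristics below; extend for your environment.
EXECUTABLE = {".exe", ".scr", ".com", ".bat", ".cmd", ".msi", ".js", ".vbs", ".jar", ".dmg", ".pkg"}
MEDIA = {".mkv", ".mp4", ".avi", ".mp3", ".flac"}


def suspicious_reasons(torrent: bytes) -> list:
    """Flag a media torrent that has been repackaged with an executable."""
    meta, _ = bdecode(torrent)
    files = torrent_files(meta)
    reasons = []
    for path in files:
        base = os.path.basename(path).lower()
        stem, ext = os.path.splitext(base)
        inner_ext = os.path.splitext(stem)[1]
        if ext in EXECUTABLE and inner_ext in MEDIA:    # e.g. movie.mkv.exe
            reasons.append(f"double extension disguises executable: {path}")
    exts = {os.path.splitext(p.lower())[1] for p in files}
    if exts & EXECUTABLE and exts & MEDIA:
        reasons.append("executable bundled with media content")
    return reasons


# Constructed sample: a "movie" torrent that also ships a disguised executable.
SAMPLE_TORRENT = bencode({
    b"announce": b"http://tracker.example/announce",   # hypothetical tracker URL
    b"info": {
        b"name": b"Popular Movie",
        b"piece length": 16384,
        b"pieces": b"\x00" * 20,                       # placeholder piece hashes
        b"files": [
            {b"length": 1024, b"path": [b"Popular.Movie.mkv"]},
            {b"length": 4096, b"path": [b"Popular.Movie.mkv.exe"]},
        ],
    },
})


if __name__ == "__main__":
    print("infohash:", info_hash(SAMPLE_TORRENT))
    for reason in suspicious_reasons(SAMPLE_TORRENT):
        print("flag:", reason)
```

In practice the infohash is the value to compare against a blocklist or to pivot on across trackers, since the same weaponized payload is typically seeded under many names; the filename heuristics are only a first-pass signal and will not catch a game or activation torrent whose executable payload is expected.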

Example of the Parsed Popular Torrent Files for Further Infection in the Bad Actors’ Monitoring System

All of the malicious seeds were tracked by the cybercriminals, with statuses such as “closed,” “alive,” and “detected by antivirus,” so that they could stay ahead of AV detection. Some of the identified elements of their infrastructure were hosted in the TOR network.

IOCs: riqclchjyebc43np.onion

On September 17, 2016, Google began warning Chrome and Firefox users visiting some of the identified trackers, such as The Pirate Bay, that the site could contain malicious software. InfoArmor strongly recommends extreme caution when visiting torrent trackers or downloading pirated digital content, operating systems and business software.