InfoArmor researchers have uncovered Raum, a tool that is used by Eastern European organized crime group “Black Team” to deliver malware to users through malicious torrents.
The group constantly tracks the downloaders’ preferences, and chooses to weaponize the most popular torrent files – usually PC games and activation files for Windows and macOS – with Raum.
The malware currently added to the torrent files is usually a piece of ransomware (CryptXXX, CBT-Locker, Cerber), the Dridex online banking Trojan or the Pony password-stealer.
The weaponized torrents are seeded via newly created accounts and compromised accounts of other users (the latter to add to the good reputation of the uploaded files).
“Initially, the bad actors have used the uTorrent client in order to distribute the files. More recently, they have deployed a special infrastructure that allows them to manage new seeds using a broad network of dedicated and virtual servers – including hacked devices,” the researchers explained.
The criminals are also keeping track of the malicious seeds to prevent early detection by AV solutions.
“In some cases, the lifespan of these seeded malicious files exceeded 1.5 months and resulted in thousands of successful downloads,” the researchers noted.
“We have identified in excess of 1,639,000 records collected in the past few months from the infected victims with various credentials to online-services, gaming, social media, corporate resources and exfiltrated data from the uncovered network.”
This tool and scheme is an alternative to using botnets for malware delivery. As with botnets, the criminals are paid for each malware delivery.
Downlading digital content – pirated or not – is still a good way to get infected if you’re not careful.