Dark Web Snags 1.6 Million Records with Legit Downloads


Eastern European crime syndicates are using a new tool to identify the most popular, legal file-shares and downloads on the web—and are then packaging them with malware. More than 1.6 million records, including credentials to online services, gaming and social media logins, corporate resources and exfiltrated data, have turned up on the Dark Web as a result.

Bad actors are now analyzing trends on video, audio, software and other digital content downloads from around the globe, creating seeds on famous torrent sites like The Pirate Bay and ExtraTorrent to alert them to popular content. Then, using a special tool called “RAUM,” cyber-criminals can package malware with those files to create weaponized torrents.
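The weaponized-torrent pattern described above (a payload executable packaged into an otherwise legitimate media or game download) can be spotted in the torrent metadata before any piece is fetched. The following is an added example and not code from InfoArmor or the article: a minimal bencode decoder/encoder, a file-list walker for single- and multi-file torrents, and a check that flags executables bundled with media content or hiding behind a double extension. The extension lists and the two sample torrents are constructed for this example.

```python
import os
from typing import Any, List, Tuple

# Extensions that would be the payload in a media/game torrent, and extensions
# that mark legitimate media content. Both lists are assumptions for this example.
EXECUTABLE_EXTS = {".exe", ".scr", ".bat", ".cmd", ".com", ".msi",
                   ".js", ".vbs", ".lnk", ".pif", ".jar"}
MEDIA_EXTS = {".mp4", ".mkv", ".avi", ".mp3", ".flac", ".iso",
              ".pdf", ".epub", ".srt"}


def bdecode(data: bytes) -> Any:
    """Decode a complete bencoded value (integers, byte strings, lists, dicts)."""
    value, end = _decode(data, 0)
    if end != len(data):
        raise ValueError("trailing data after bencoded value")
    return value


def _decode(data: bytes, i: int) -> Tuple[Any, int]:
    c = data[i:i + 1]
    if c == b"i":                       # integer: i<digits>e
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c == b"l":                       # list: l<items>e
        items, i = [], i + 1
        while data[i:i + 1] != b"e":
            item, i = _decode(data, i)
            items.append(item)
        return items, i + 1
    if c == b"d":                       # dict: d<key><value>...e, keys are byte strings
        out, i = {}, i + 1
        while data[i:i + 1] != b"e":
            key, i = _decode(data, i)
            if not isinstance(key, bytes):
                raise ValueError("dictionary key must be a byte string")
            out[key], i = _decode(data, i)
        return out, i + 1
    if c.isdigit():                     # byte string: <length>:<bytes>
        colon = data.index(b":", i)
        length, start = int(data[i:colon]), colon + 1
        return data[start:start + length], start + length
    raise ValueError(f"invalid bencode at offset {i}")


def bencode(obj: Any) -> bytes:
    """Encode Python values to bencode; used here to build the constructed samples."""
    if isinstance(obj, int):
        return b"i%de" % obj
    if isinstance(obj, str):
        obj = obj.encode()
    if isinstance(obj, bytes):
        return b"%d:" % len(obj) + obj
    if isinstance(obj, list):
        return b"l" + b"".join(bencode(x) for x in obj) + b"e"
    if isinstance(obj, dict):
        items = sorted((k if isinstance(k, bytes) else k.encode(), v) for k, v in obj.items())
        return b"d" + b"".join(bencode(k) + bencode(v) for k, v in items) + b"e"
    raise TypeError(f"cannot bencode {type(obj).__name__}")


def torrent_files(meta: dict) -> List[Tuple[str, int]]:
    """Return (path, size) for every file the torrent would write to disk."""
    info = meta[b"info"]
    name = info[b"name"].decode("utf-8", "replace")
    if b"files" in info:                # multi-file mode: paths are relative to the top dir
        return [(name + "/" + "/".join(p.decode("utf-8", "replace") for p in f[b"path"]),
                 f[b"length"]) for f in info[b"files"]]
    return [(name, info[b"length"])]    # single-file mode


def suspicious_bundles(meta: dict) -> List[Tuple[str, str]]:
    """Flag executables riding along with media content, the RAUM-style bundle."""
    files = torrent_files(meta)
    has_media = any(os.path.splitext(p)[1].lower() in MEDIA_EXTS for p, _ in files)
    flagged = []
    for path, _size in files:
        root, ext = os.path.splitext(os.path.basename(path))
        if ext.lower() not in EXECUTABLE_EXTS:
            continue
        inner = os.path.splitext(root)[1].lower()       # e.g. ".mp4" in "film.mp4.scr"
        if inner in MEDIA_EXTS:
            flagged.append((path, f"double extension masquerading as {inner}"))
        elif has_media:
            flagged.append((path, "executable bundled with media content"))
    return flagged


# Constructed sample: a movie release with a "codec installer" and a screensaver
# named to look like a second copy of the film. Piece hashes are placeholders.
SAMPLE_TORRENT = bencode({
    "announce": "udp://tracker.example.invalid:6969",
    "info": {
        "name": "Popular.Movie.2016.1080p", "piece length": 262144, "pieces": b"\x00" * 20,
        "files": [
            {"path": ["Popular.Movie.2016.1080p.mkv"], "length": 1_500_000_000},
            {"path": ["Subs", "English.srt"], "length": 60_000},
            {"path": ["Codec_Pack_Setup.exe"], "length": 2_400_000},
            {"path": ["Popular.Movie.2016.1080p.mp4.scr"], "length": 900_000},
        ],
    },
})

# Constructed clean single-file torrent for comparison.
CLEAN_TORRENT = bencode({
    "announce": "udp://tracker.example.invalid:6969",
    "info": {"name": "song.flac", "length": 40_000_000,
             "piece length": 262144, "pieces": b"\x00" * 20},
})

if __name__ == "__main__":
    for path, reason in suspicious_bundles(bdecode(SAMPLE_TORRENT)):
        print(f"SUSPICIOUS {path}: {reason}")
```

The check deliberately ignores who uploaded the torrent: the report notes that seeds are also created from hijacked accounts harvested from botnet logs, so uploader reputation on the tracker is not a trustworthy signal. A torrent that legitimately consists only of executables (an installer, an activation tool) is not flagged by the bundle rule, which is why the double-extension rule is separate; an organization that wants to block those outright should treat any executable from a torrent as untrusted.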

According to InfoArmor, among the most attractive targets are PC-based online games, along with activation files for operating systems such as Microsoft Windows and Mac OS.

Overall, malicious torrents infect more than 12 million users a month with ransomware, banking Trojans and other malware. Ransomware families such as CryptXXX, CTB-Locker and Cerber, the online-banking Trojan Dridex and the password-stealing spyware Pony are among the payloads so far associated with the identified RAUM instances.

InfoArmor said that the Eastern European organized crime group known as Black Team has successfully commercialized the illegal activity, making the RAUM tool actively available on underground affiliate networks based on a pay-per-install model. A special infrastructure is in place that allows users to manage new malicious downloads using a broad network of dedicated and virtual servers—including hacked devices.

Membership in these networks is by invitation only, with strict verification of each new member.

“The threat actors’ infrastructure is based on a special monitoring system that provides them with the latest analytics of download trends along with several network nodes that are used for torrent leeches and their status monitoring,” the firm said in a blog. “Despite the recent legal actions against famous torrent sites such as KickassTorrents, many torrent trackers are still actively used by cyber-criminals for malicious file distribution under the umbrella of legitimate app and media file-sharing.”

The malicious files typically remain live for a month or two, yielding thousands of successful downloads. “In some cases, they were specifically looking for compromised accounts of other users on these online communities that were extracted from botnet logs in order to use them for new seeds on behalf of the affected victims without their knowledge, thus increasing the reputation of the uploaded files,” InfoArmor explained.
