InfoArmor has identified a special tool used by cybercriminals to distribute malware by packaging it with the most popular torrent files on the Internet. The bad actors have analyzed trends on video, audio, software and other digital content downloads from around the globe and have created seeds on famous torrent trackers using weaponized torrents packaged with malicious code.
The so-called “RAUM” tool has been actively used on uncovered underground affiliate networks based on a “Pay-Per-Install” model (PPI). This model leverages paying cybercriminals to distribute malware through modified torrent files that are joined with malware. Members of these networks are invited by special invitation only, with strict verification of each new member.
The threat actors’ infrastructure is based on a special monitoring system that provides them with the latest analytics of download trends along with several network nodes that are used for torrents leaches and their status monitoring. Despite the recent legal actions against famous torrent sites such as KickassTorrents, many torrent trackers are still actively used by cybercriminals for malicious file distribution under the umbrella of legitimate app and media file sharing. RAUM is a good example of a tool used by the Eastern European organized crime group known as “Black Team,” that has successfully commercialized such illegal activity by infecting thousands of innocent users.
According to expert statistics, malicious torrents infect over 12 million users a month, creating significant security risks for users on a myriad of platforms. In many instances, popular ransomware such as CryptXXX, CTB-Locker and Cerber, online-banking Trojan Dridex, password stealing spyware Pony, and others were associated with the identified RAUM instances. We have identified in excess of 1,639,000 records collected in the past few months from the infected victims with various credentials to online-services, gaming, social media, corporate resources and exfiltrated data from the uncovered network.
