This second torrent is then distributed through torrent trackers, not just via new accounts but also via compromised accounts of existing users to increase the reputation of the uploaded files. Initially, the uTorrent client was used to distribute the cooked files, but now the criminals have turned to a special infrastructure consisting of a broad network of dedicated devices and virtual servers, including hacked devices.
InfoArmor warns that the most attractive targets for RAUM seem to be activation files for Windows and Office, as well as cracks for games. In some cases, the seeded malicious files remain online for over 1.5 months and result in thousands of successful downloads. Members of the RAUM network are reportedly admitted by special invitation only and get paid on a pay-per-install basis.
The full details about how cybercriminals use RAUM to trick torrent users can be read over here. InfoArmor reports they found over 1.69 million records from infected victims in the past few months and strongly recommends extreme caution when visiting torrent trackers or downloading pirated content.
The threat actors’ infrastructure is based on a special monitoring system that provides them with the latest analytics of download trends, along with several network nodes that are used for torrent leeches and their status monitoring. Despite the recent legal actions against famous torrent sites such as KickassTorrents, many torrent trackers are still actively used by cybercriminals for malicious file distribution under the umbrella of legitimate app and media file sharing. RAUM is a good example of a tool used by the Eastern European organized crime group known as “Black Team,” which has successfully commercialized such illegal activity by infecting thousands of innocent users.