Security researchers from InfoArmor have uncovered an automated network that cybercriminals use to lace torrents with adware, ransomware, password-stealing software and other malware. Called RAUM, the tool scans trackers for popular torrent files and creates a duplicate of each one, repackaged with malicious code.
This second torrent is then distributed through torrent trackers, not only from freshly created accounts but also from compromised accounts of established users, so that the uploads inherit those users' reputation. Initially the criminals distributed the repackaged files with the uTorrent client, but they have since moved to a dedicated infrastructure: a broad network of dedicated devices and virtual servers, including hacked machines.
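The repackaging described above leaves two traces a downloader can check before opening anything: the infohash of the duplicate torrent differs from the original's, and its file list carries an executable that the genuine release never had. The script below is an added illustration, not InfoArmor's or RAUM's code: it parses the bencoded .torrent format, computes the infohash, and flags executables in the file list. The two torrents, the tracker URL, file names and sizes are constructed for the example.

```python
import hashlib

# File extensions that have no business inside a media or ISO torrent.
# Constructed list for this example; extend it for your own environment.
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".bat", ".cmd", ".msi", ".js",
                  ".jse", ".vbs", ".ps1", ".lnk", ".hta"}


def bencode(obj):
    """Serialise Python objects into bencode, the .torrent wire format."""
    if isinstance(obj, bool):
        raise TypeError("bool is not a bencode type")
    if isinstance(obj, int):
        return b"i%de" % obj
    if isinstance(obj, str):
        obj = obj.encode("utf-8")
    if isinstance(obj, bytes):
        return b"%d:%s" % (len(obj), obj)
    if isinstance(obj, list):
        return b"l" + b"".join(bencode(x) for x in obj) + b"e"
    if isinstance(obj, dict):
        # Keys are byte strings in sorted order. That makes the encoding
        # canonical, so re-encoding a decoded info dict reproduces its bytes.
        items = sorted((k.encode() if isinstance(k, str) else k, v)
                       for k, v in obj.items())
        return b"d" + b"".join(bencode(k) + bencode(v) for k, v in items) + b"e"
    raise TypeError("unsupported type %r" % type(obj))


def bdecode(data, pos=0):
    """Decode one bencoded value starting at pos; return (value, next_pos)."""
    head = data[pos:pos + 1]
    if head == b"i":
        end = data.index(b"e", pos)
        return int(data[pos + 1:end]), end + 1
    if head == b"l":
        out, pos = [], pos + 1
        while data[pos:pos + 1] != b"e":
            item, pos = bdecode(data, pos)
            out.append(item)
        return out, pos + 1
    if head == b"d":
        out, pos = {}, pos + 1
        while data[pos:pos + 1] != b"e":
            key, pos = bdecode(data, pos)
            value, pos = bdecode(data, pos)
            out[key] = value
        return out, pos + 1
    if head.isdigit():
        colon = data.index(b":", pos)
        length = int(data[pos:colon])
        start = colon + 1
        return data[start:start + length], start + length
    raise ValueError("malformed bencode at offset %d" % pos)


def torrent_files(info):
    """Return the relative paths (with '/' separators) a torrent writes to disk."""
    name = info[b"name"].decode("utf-8", "replace")
    if b"files" not in info:            # single-file torrent
        return [name]
    return [name + "/" + "/".join(p.decode("utf-8", "replace") for p in f[b"path"])
            for f in info[b"files"]]


def infohash(info):
    """SHA-1 of the bencoded info dict: the identity trackers and clients key on."""
    return hashlib.sha1(bencode(info)).hexdigest()


def check_torrent(torrent_bytes, expected_infohash=None):
    """Return a list of findings; an empty list means nothing looked wrong."""
    meta, _ = bdecode(torrent_bytes)
    info = meta[b"info"]
    findings = []
    digest = infohash(info)
    if expected_infohash and digest != expected_infohash.lower():
        findings.append("infohash %s does not match the known-good %s"
                        % (digest, expected_infohash.lower()))
    for path in torrent_files(info):
        ext = path[path.rfind("."):].lower() if "." in path.rsplit("/", 1)[-1] else ""
        if ext in EXECUTABLE_EXT:
            findings.append("executable payload in file list: %s" % path)
    return findings


# Constructed samples: a plausible original release and a repackaged copy that
# keeps the same media file name but adds an executable "codec" installer.
PIECES = b"\x00" * 20   # placeholder piece hash; a real torrent has one per piece

ORIGINAL = bencode({
    "announce": "http://tracker.example/announce",
    "info": {"name": "Example.Movie.2016.1080p.mkv", "length": 4_000_000_000,
             "piece length": 4_194_304, "pieces": PIECES},
})

REPACKAGED = bencode({
    "announce": "http://tracker.example/announce",
    "info": {"name": "Example.Movie.2016.1080p",
             "files": [{"path": ["Example.Movie.2016.1080p.mkv"], "length": 4_000_000_000},
                       {"path": ["Codec.Pack", "Setup.exe"], "length": 1_200_000}],
             "piece length": 4_194_304, "pieces": PIECES},
})

# The known-good hash would normally come from the publisher's site, not the tracker.
ORIGINAL_HASH = infohash(bdecode(ORIGINAL)[0][b"info"])

if __name__ == "__main__":
    print("original  :", check_torrent(ORIGINAL, ORIGINAL_HASH))
    print("repackaged:", check_torrent(REPACKAGED, ORIGINAL_HASH))
```

The infohash comparison only helps when the reference hash comes from somewhere the attacker does not control (the publisher's own site or a signed release note), since a repackaged upload on a tracker will advertise its own hash as the real one. The extension check is a coarse filter: a dropper can hide behind a double extension or a .lnk, which is why the list above includes shortcut and script types, and why an archive inside the torrent still needs to be inspected after download.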
InfoArmor warns that the most attractive targets for RAUM appear to be activation files for Windows and Office, as well as cracks for games. In some cases the seeded malicious files remain online for over 1.5 months and produce thousands of successful downloads. Members of the RAUM network reportedly join by invitation only and are paid on a pay-per-install basis.
InfoArmor's full report describes how cybercriminals use RAUM to trick torrent users. The company reports that it found over 1.69 million records from infected victims in the past few months, and strongly recommends extreme caution when visiting torrent trackers or downloading pirated content.
The threat actors' infrastructure is built around a monitoring system that gives them up-to-date analytics on download trends, together with several network nodes that serve as torrent leeches and monitor the status of the seeded files. Despite recent legal actions against well-known torrent sites such as KickassTorrents, many torrent trackers are still actively used by cybercriminals to distribute malicious files under the cover of legitimate app and media file sharing. RAUM is a good example of a tool used by the Eastern European organized crime group known as "Black Team," which has successfully commercialized this activity by infecting thousands of unsuspecting users.