Crooks target users looking for pirated games

Jun 13, 2016 00:55 GMT  ·  By

Symantec security researchers are warning of an ongoing malware distribution campaign that leverages interest in gaming piracy to install PUAs (Potentially Unwanted Applications) on users' PCs.

The company detected websites offering popular games for download in the form of a fake torrent file. When users attempted to download this fake torrent file, they received a small script that tried to execute automatically.

This file uses an icon that looks like the regular logo of the uTorrent BitTorrent client, making users believe it's a legitimate torrent file.

Windows UAC would be able to stop the attack, if not for users

In normal circumstances, the script would be stopped by the Windows UAC (User Account Control) system. The hackers took precautions by providing instructions prior to the script's download, telling users they have to allow the script to run, despite the UAC warning (pictured below).

If users allow this, the script opens the user's browser, navigates to a URL, and downloads another file.

This file carries the name of the game the user tried to download via the torrent file, but it is packed as an EXE file.

Campaign targets non-technical users

As usual, technical users would have spotted something wrong with this torrent download routine a long time ago, but these campaigns are never aimed at them.

Crooks are successfully using these tactics against users who are less familiar with modern technologies or, in this case, who aren't regular users of BitTorrent software.

Symantec says that this particular EXE file distributed via this recent campaign installs PUAs on the users' PCs, in the form of apps that change the user's default browser search engine and install custom browsers inserting ads into every page.

For this campaign, the crooks used lures for games such as World of Warcraft: Legion (Blizzard Entertainment), Assassin’s Creed Syndicate (Ubisoft), The Witcher 3: Wild Hunt (CD Projekt), Tom Clancy’s The Division (Ubisoft), Just Cause 3 (Square Enix), and The Walking Dead: Michonne (Telltale Games).

"Symantec believes that the parties behind this campaign are attempting to fly under the radar by abusing numerous pay-per-install affiliate programs," the company explains. "While this campaign only spreads PUA downloaders, the same distribution model may be used to deliver additional security risks or even malware."

Malicious website showing overlay window with download instructions