Eastern European hackers automate the creation of malicious torrents, which they spread to popular piracy portals

Sep 21, 2016 18:10 GMT  ·  By

US security firm InfoArmor has discovered an underground cyber-crime network named RAUM that allows malware authors to bundle their malicious payloads with the content distributed through torrent files and that automates the distribution of those torrents.

The network is supposedly run by an Eastern European group that calls itself the "Black Team."

The Black Team is gaming worldwide torrent trends

InfoArmor says the Black Team keeps an eye on global piracy trends and uses fake or hacked accounts on popular torrenting portals to upload torrents laced with malware.

It then uses the same fake or hijacked accounts, along with seed farms, to boost the reputation of the malicious torrents so that they appear at the top of user searches and have a higher chance of spreading their payload.

Malware authors can create accounts on the RAUM service, after paying a fee and going through a rigorous vetting process. After that, they can use RAUM's automated processes to upload their malware inside torrent files. RAUM recommends which torrent files are currently popular, for a higher chance of succeeding.

RAUM distributes anything from adware to ransomware

Crooks can use RAUM to distribute legitimate software as part of PPI (Pay-per-Install) schemes or to distribute malware such as the Dridex banking trojan, the Pony infostealer, or the Cerber, CryptXXX and CTB-Locker ransomware families.

InfoArmor says that around 12 million users get infected with malware from torrents every month. Abused torrent sites include The Pirate Bay, ExtraTorrent, Demonoid, and, before it was shut down, Kickass Torrents.

Because of the complex seeding system employed by RAUM, the malware-laced torrents often survive for more than 1.5 months.

RAUM is behind The Pirate Bay's recent Safe Browsing warning

The most common infected torrents are for online games and activation files related to Microsoft Windows and Mac OS.
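A torrent's metadata already reveals whether a supposed game image or activator ships with executables that have no business being there. The following is an added example, not InfoArmor's or the article's own code: a minimal bencode parser that lists the files named in a .torrent, computes the info hash (usable for blocklist or reputation lookups), and flags executable and double-extension payloads. The extension list, the flagging rules and the sample torrent (built inline with a small encoder) are this example's own assumptions and constructed data.

```python
import hashlib
import os
from typing import Any, Dict, List, Tuple

# Assumed list of extensions that should not appear unannounced inside a
# game or activator torrent; tune it for your own environment.
SUSPICIOUS_EXTENSIONS = {
    ".exe", ".scr", ".bat", ".cmd", ".js", ".vbs", ".msi", ".hta",
    ".ps1", ".lnk", ".jar", ".dmg", ".pkg", ".app",
}


def bdecode(data: bytes, pos: int = 0) -> Tuple[Any, int]:
    """Decode one bencoded value at pos; return (value, position after it)."""
    c = data[pos:pos + 1]
    if c == b"i":                       # integer: i<digits>e
        end = data.index(b"e", pos)
        return int(data[pos + 1:end]), end + 1
    if c == b"l":                       # list: l<items>e
        items, pos = [], pos + 1
        while data[pos:pos + 1] != b"e":
            item, pos = bdecode(data, pos)
            items.append(item)
        return items, pos + 1
    if c == b"d":                       # dict: d<key><value>...e, keys are byte strings
        result, pos = {}, pos + 1
        while data[pos:pos + 1] != b"e":
            key, pos = bdecode(data, pos)
            value, pos = bdecode(data, pos)
            result[key] = value
        return result, pos + 1
    if c.isdigit():                     # byte string: <length>:<bytes>
        colon = data.index(b":", pos)
        start = colon + 1
        length = int(data[pos:colon])
        return data[start:start + length], start + length
    raise ValueError(f"invalid bencode at offset {pos}")


def bencode(value: Any) -> bytes:
    """Encode a value; dict keys are sorted, as the format requires."""
    if isinstance(value, int):
        return b"i%de" % value
    if isinstance(value, bytes):
        return b"%d:%s" % (len(value), value)
    if isinstance(value, list):
        return b"l" + b"".join(bencode(v) for v in value) + b"e"
    if isinstance(value, dict):
        return b"d" + b"".join(bencode(k) + bencode(v) for k, v in sorted(value.items())) + b"e"
    raise TypeError(f"cannot bencode {type(value).__name__}")


def decode_torrent(data: bytes) -> Tuple[Dict[bytes, Any], Tuple[int, int]]:
    """Decode the top-level dict and remember the byte span of the raw 'info' value."""
    if data[:1] != b"d":
        raise ValueError("torrent file must start with a dictionary")
    meta, pos, info_span = {}, 1, None
    while data[pos:pos + 1] != b"e":
        key, pos = bdecode(data, pos)
        start = pos
        value, pos = bdecode(data, pos)
        if key == b"info":
            info_span = (start, pos)   # info_hash is SHA-1 over exactly these bytes
        meta[key] = value
    if info_span is None:
        raise ValueError("torrent has no 'info' dictionary")
    return meta, info_span


def list_files(info: Dict[bytes, Any]) -> List[Tuple[str, int]]:
    """Return (path, size) for every file, for single- and multi-file torrents."""
    name = info[b"name"].decode("utf-8", "replace")
    if b"files" in info:
        return [("/".join([name] + [p.decode("utf-8", "replace") for p in f[b"path"]]), f[b"length"])
                for f in info[b"files"]]
    return [(name, info[b"length"])]


def suspicious_files(files: List[Tuple[str, int]]) -> List[Tuple[str, str]]:
    """Flag executables; a double extension such as 'serial.txt.scr' is a classic lure."""
    flagged = []
    for path, _size in files:
        base = path.rsplit("/", 1)[-1].lower()
        if os.path.splitext(base)[1] in SUSPICIOUS_EXTENSIONS:
            reason = "executable with double extension" if base.count(".") >= 2 else "executable"
            flagged.append((path, reason))
    return flagged


def analyze_torrent(data: bytes) -> Dict[str, Any]:
    meta, (start, end) = decode_torrent(data)
    files = list_files(meta[b"info"])
    return {
        "info_hash": hashlib.sha1(data[start:end]).hexdigest(),
        "files": files,
        "flagged": suspicious_files(files),
    }


# Constructed sample: a fake game release whose 'Crack' folder carries the payloads.
SAMPLE_TORRENT = bencode({
    b"announce": b"udp://tracker.example.invalid:6969/announce",
    b"info": {
        b"name": b"Some.Game.2016-RLS",
        b"piece length": 262144,
        b"pieces": b"\x00" * 20,  # one placeholder piece hash, not real content
        b"files": [
            {b"path": [b"game.iso"], b"length": 4_500_000_000},
            {b"path": [b"README.txt"], b"length": 1200},
            {b"path": [b"Crack", b"keygen.exe"], b"length": 350_000},
            {b"path": [b"Crack", b"serial.txt.scr"], b"length": 90_000},
        ],
    },
})

if __name__ == "__main__":
    report = analyze_torrent(SAMPLE_TORRENT)
    print("info_hash:", report["info_hash"])
    for path, reason in report["flagged"]:
        print(f"FLAG {path}: {reason}")
```

Run it against a real .torrent by reading the file's bytes and passing them to `analyze_torrent`; the info hash it prints is what trackers and blocklists key on, so it can be compared against known-bad hashes without downloading any content.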

InfoArmor also reports that RAUM offers fake torrent sites of its own to spread the malicious torrents. The crooks drive traffic to these sites through search engine result poisoning.

On September 17, both Google Chrome and Mozilla Firefox began blocking The Pirate Bay with a Safe Browsing warning. InfoArmor says this latest warning came after the Safe Browsing team detected malicious torrents on The Pirate Bay that had been created via the RAUM service.

[Images: RAUM mode of operation; RAUM backend panel; RAUM service account]