This underground cyber-crime network named RAUM was discovered by the U.S. security firm InfoArmor, who said that the RAUM was used in active campaigns to spread malware through torrents. Researchers at InfoArmor discovered that RAUM has been used to essentially “weaponize” torrents to spread a variety of ransomware types including, CryptXXX, CTB-Locker and Cerber, the online-banking Trojan Dridex and password stealing spyware Pony. “RAUM is a special system developed by the owners of the identified underground malicious network, used for two things – analysis of trending torrent files on torrent trackers with high number of downloads, and further repacking of this files with malware for further distribution. The system uploads final weaponized torrent file to the same trackers under various stolen user accounts, having good reputation there,” Andrew Komarov, InfoArmor’s CIO, told in an email. Once the torrent tracker identifies the most popular content being downloaded at that time, malware is inserted into the parsed torrent files, and the weaponized file is then placed for further distribution through popular torrent sites like PirateBay, ExtraTorrent and TorrentHound. “Later, they upload them to the same trackers, and other trackers, using stolen credentials of ‘seeders’, having good reputations on them, as it helps their files to be distributed better. In such way, they infect big number of users systematically,” Komrarov added. According to the researchers, “Threat actors were systematically monitoring the status of the created malicious seeds on famous torrent trackers such as The Pirate Bay, ExtraTorrent and many others. “In some cases, they were specifically looking for compromised accounts of other users on these online communities that were extracted from botnet logs in order to use them for new seeds on behalf of the affected victims without their knowledge, thus increasing the reputation of the uploaded files.” “We have identified in excess of 1,639,000 records collected in the past few months from the infected victims with various credentials to online-services, gaming, social media, corporate resources and exfiltrated data from the uncovered network,” they added. The RAUM tool has been distributed exclusively to threat actors by invitation only, who then distribute malware through torrents based on a pay-per-install (PPI) model. The more times the malware is installed unknowingly by a user, the more money the cybercriminal is due. Considering how important trust is in the torrent community, if major uploaders were compromised, malware distribution could be increased exponentially. “In some cases, the lifespan of these seeded malicious files exceeded 1.5 months and resulted in thousands of successful downloads,” InfoArmor says.
The most popular targets are PC-based online games and activation files (as opposed to video and music files) for operating systems including Microsoft Windows and Apple Mac OS. “All of the created malicious seeds were monitored by cybercriminals in order to prevent early detection by [anti-virus software] and had different statuses such as ‘closed,’ ‘alive,’ and ‘detected by antivirus.’ Some of the identified elements of their infrastructure were hosted in the TOR network,” InfoArmor explains. Users should take extreme caution when visiting torrent download sites, or downloading pirated files, recommends the team at InfoArmor. As an additional precautionary measure, we would suggest the users to refrain from installing any software from untrusted sources, irrespective where they are found online.