Security firm finds tool for distributing malware in torrents
Security firm InfoArmor has discovered a tool that allows attackers to spread malware by bundling it with files shared via torrents. Criminals were reportedly paid for distributing malware with the tool.
According to the company, the tool is called ‘Raum’. By creating and seeding malicious torrents of, for example, popular movies or games, criminals were able to infect the systems of people who downloaded these files. The malware mainly consists of ransomware variants such as Cerber and CryptXXX. The banking Trojan Dridex and password-stealing malware are also associated with the tool. In total, the company found about 1.6 million items of data taken from infected victims’ systems, including passwords for various online services. The Eastern European group Black Team is said to be behind the Raum tool.
The software features a management panel, which allows users to keep track of the number of infected torrents on various torrent sites. In addition, the panel shows status indications such as ‘active’, ‘closed’, or ‘detected by antivirus’. In some cases, these files have been present on these sites for more than a month and a half, InfoArmor said. Raum users reportedly prefer to infect files such as activators for games and other software. Accounts of members of the torrent sites are also being used to give the malicious torrents more credibility, the company said.
Raum’s model works on an invitation basis, with criminals paid per infection resulting from a malicious download. InfoArmor doesn’t explain how it found out about the tool’s existence.
Raum infected torrents, image via InfoArmor