A new and sophisticated tool dubbed RAUM has been uncovered that targets naïve torrent users who download popular software or media content and then replaces the desired content with malware.
The internet security company InforArmor reported that RAUM has been used to essentially “weaponize” torrents to spread a variety of ransomware types including, CryptXXX, CTB-Locker and Cerber, the online-banking Trojan Dridex and password stealing spyware Pony. It does this through a two-prong attack.
“RAUM is a special system developed by the owners of the identified underground malicious network, used for two things - analysis of trending torrent files on torrent trackers with high number of downloads, and further repacking of this files with malware for further distribution. The system uploads final weaponized torrent file to the same trackers under various stolen user accounts, having good reputation there,” Andrew Komarov, InfoArmor's CIO, told SCMagazine.com in an email.
Once the torrent tracker identifies the most popular content being downloaded at that time, say a pirated version of Microsoft Windows or Office, the legit files are extracted and replaced with malware. The Pirate Bay and Extra Torrent are among the torrents being used, InfoArmor said.
“Later, they upload them to the same trackers, and other trackers, using stolen credentials of ‘seeders', having good reputations on them, as it helps their files to be distributed better. In such way, they infect big number of users systematically,” Komarov added.
RAUM stands out as a malicious tool as it goes after those least likely to understand the dangers of using torrents.
“This is a pretty unique, but very efficient, model of ransomware and malware delivery, as the people downloading torrents are not very experienced from security perspective, and it is really big. The bad actors optimize costs on malware delivery, and in such cases they don't need to spend resources on new exploits acquisition and "loads" services,” he said.
RAUM, and similar tools, also pose a threat to corporations as their employees may use personal devices to access torrent content, which are then connected to the company network.
“It bypasses firewalls and perimeter defenses, entering via BYOD and corporate assets used offline (off of the corporate domain) for downloading, etc.; completely blocking all software downloads on corporate assets is no longer pragmatic for many companies. This underscores that organizational security defenses must include the ability to identify malware by the behaviors it exhibits within the network and at endpoints. Signature solutions are wholly insufficient,” said Lastline CMO Bert Rankin to SCMagazine.com in an email.
There is no direct defense against RAUM other than not using torrent services, Komarov said.