Pirate matryoshka

The use of torrent trackers to spread malware is a well-known practice; cybercriminals disguise it as popular software, computer games, media files, and other sought-after content. We detected one such campaign early this year, when The Pirate Bay (TPB) tracker filled up with harmful files used to distribute malware under the guise of cracked copies of paid programs.

We noticed that the tracker contained malicious torrents created from dozens of different accounts, including ones registered on TBP for quite some time.

Torrent content

Instead of the expected software, the file downloaded to the user’s computer was a Trojan, whose basic logic was implemented by SetupFactory installers. Our security solutions detect the malware as Trojan-Downloader.Win32.PirateMatryoshka.

At the initial stage, the installer decrypts another SetupFactory installer for displaying a phishing web page.

The page opens directly in the installation window and requests the user’s TBP account credentials, supposedly to continue the process.

The compromised accounts were most likely used by the cybercriminals to spread more malicious torrents on the resource — we noted above that not only newly created accounts were used for this purpose.

Before performing the next step, PirateMatryoshka verifies that it is running in the attacked system for the first time. To do so, it checks the registry for the path HKEY_CURRENT_USER\Software\dSet. If it exists, further execution is terminated. If the checking result is negative, the installer prods the pastebin.com service for a link to the additional module and its decryption key.

The second downloaded component is also a SetupFactory installer, used to decrypt and run four PE files in sequence:

The second and fourth of these files are downloaders for the InstallCapital and MegaDowl file partner programs (classified by us as Adware). They usually make their way to users through file sharing sites — besides downloading the required content, their goal is to install additional software while carefully hiding the option to cancel. For example, in InstallCapital the full list of installable software is placed at the end of the license agreement:

And in MegaDowl, the list is hidden behind the seemingly inactive Advanced settings button:

The other two files are autoclickers written in VisualBasic, which are required to prevent the user from canceling the installation of the additional software (in which case the cybercriminals go empty-handed). The autoclickers are run before the installers; when the installer windows are detected, they check the boxes and click the buttons needed to give the user’s consent to install the unnecessary software.

As a result of PirateMatryoshka’s efforts, the victim computer is flooded with unwanted programs that pester the user and waste system resources. On a separate note, the owners of file partner programs often do not track the programs offered in their downloaders. Our research shows that one in five files offered by partner installers is malicious — among those we encountered pBot, Razy, and others.

Conclusion

Cybercriminals are always coming up with new kinds of fraud. In this particular case, they employed a method for delivering malicious content through torrent trackers to install adware on user computers. As a result, many TPB users not only picked up adware or malware on their machines, but had their accounts compromised.

Kaspersky Lab solutions detect PirateMatryoshka and its components with the following verdicts:

Trojan-Downloader.Win32.PirateMatryoshka
Trojan.Win32.InstClick
AdWare.Win32.StartSurf
AdWare.Win32.SmartInstaller
AdWare.Win32.Generic

IOCs

66860309953dc7cd7faee88ec90a81f6
7576b8677975261fbb1e799d0231ec01
64dc8f3197607dbf652b985edb99ad4e
035cff7c52460a69f77a0a09db05a6f7
a85f90f07dd9e8aab51c65d8287ec6be
a857ae5cb87b23359ed70b8177aa44d3
45d4df9b38a8f8da385714f32415cd34

Phishing domain

www.mobilekey[.]pw

Pirate matryoshka