Researchers at InfoArmor have uncovered a new tool that allows cybercriminals to package malware into popular torrent files. This new tool is called RAUM and is believed to have been created by an Eastern European crime group by the name of Black Team. The new tool uses a “pay-per-install” model which is only available in a strict invitation-only underground forum. The RAUM tool even has an interface that allows the criminals to see their malware campaign statistics.
Researchers have identified the RAUM tool as spreading popular ransomware such as CryptXXX, CTB-Locker and Cerber, as well as the Dridex banking Trojan and the Pony data stealer.
According to InfoArmor:
The so-called “RAUM” tool has been actively used on uncovered underground affiliate networks based on a “Pay-Per-Install” model (PPI). This model leverages paying cybercriminals to distribute malware through modified torrent files that are joined with malware. Members of these networks are invited by special invitation only, with strict verification of each new member.
Threat actors were systematically monitoring the status of the created malicious seeds on famous torrent trackers such as The Pirate Bay, ExtraTorrent and many others. In some cases, they were specifically looking for compromised accounts of other users on these online communities that were extracted from botnet logs in order to use them for new seeds on behalf of the affected victims without their knowledge, thus increasing the reputation of the uploaded files.