Pirate Matryoshka: A nesting doll Trojan from Pirate Bay
Credit to Author: Pavel Shoshin | Date: Thu, 07 Mar 2019 11:55:26 +0000
The battle against torrents has been going on for so long that any attempt at warning about a torrent threat is bound to be met with mistrust: “Here come the copyright holders with their tales of horror again!” Well, not every tale is a lie.
Meet Andrew. Andrew badly wanted to download a very important file from a torrent tracker. What Andrew didn’t know is that while he uses torrents to save money, individuals with a lower level of social responsibility use them to make a buck off Andrew. One way to do that is a scheme we recently identified on The Pirate Bay, where scammers began seeding a host of cracked software copies in which the original installer had been replaced with malicious files of their own.
How Pirate Matryoshka, the torrent malware from Pirate Bay, works
When Andrew ran the file the attackers had slipped in, the installer displayed a fake Pirate Bay authentication window. Our hero took that window at face value and entered his login and password, which of course went straight to the malware’s creators. (A legitimate installer has no reason to ask for tracker credentials; that prompt alone is a tell.) Andrew’s account is now used to create new fake uploads, which is why you cannot identify a fake by looking at the uploader’s account registration date alone.
However, account hijacking is not where the scammers make their money. That honor goes to partner (affiliate) programs, which pay the distributor for each installation of a given piece of software on a victim’s machine. So, together with the application Andrew actually needs, he gets a few extras. A lot of extras, in fact.
Although the bonus software is not always malware — by our estimate, malicious apps account for only one in five — it does not make the user’s life any easier. From this day on, Andrew will have to battle legions of optimization programs that obscure his screen with ads, browser toolbars that change the homepage and add their banners to every website, and even Trojans.
Now, Andrew would have had a chance if he had run a similar file downloaded from elsewhere: the makers of partner-program installers, although they operate in a legal gray area, do leave the user a way to decline the extras. You have to dig a little to find that option, though.
But with the Pirate Bay installer we have christened Pirate Matryoshka, there is no way to skip the extras, because of how the installer itself is built. Before it starts the installation, the malware runs autoclicker modules that automatically tick every consent box on the user’s behalf, leaving no chance to decline.
Conclusion
If you download anything from torrent trackers, be prepared to encounter malware. This applies especially to software downloads, which by definition contain executable files.
However, it would be naive to assume that Andrew’s fate cannot befall you simply because you stay away from torrents and cracked software. A “partner installer” can be found pretty much anywhere, so you either have to avoid all executables downloaded from the Internet or keep a reliable antivirus tool at the ready. Kaspersky Internet Security, for example, detects and neutralizes every component of Pirate Matryoshka and others of its kind.