Kaspersky Lab researchers have detected a new malware spreading through the Pirate Bay – one of the most popular torrent trackers. The malware aims to infect users’ PCs with adware and tools for additional malware installation. It has multilayered structure and due to its hidden, seemingly endless stack of functionality, the threat has been named PirateMatryoshka, after the classic Russian stacking doll.
Kaspersky Lab researchers have detected a new malware spreading through the Pirate Bay – one of the most popular torrent trackers. The malware aims to infect users’ PCs with adware and tools for additional malware installation. It has multilayered structure and due to its hidden, seemingly endless stack of functionality, the threat has been named PirateMatryoshka, after the classic Russian stacking doll.
Torrent services are mainly used for the distribution of “pirated” content that is illegal in most countries as it can infringe intellectual property rights, yet they remain easily accessible online. They are a popular target for cybercriminals looking to distribute malicious code, not least because users in search of illegal content often disconnect their online security solutions or ignore system notifications in order to install the downloaded content.
The newly discovered PirateMatryoshka malware carries a Trojan-downloader (malware that downloads malicious installers) disguised as a hacked version of legitimate software used in everyday PC activity.
The malware uses a sophisticated method of self-propagation from the social engineering point of view. While the vast majority of malicious code discovered on torrent websites is usually spread through newly set up user accounts (seeders), PirateMatryoshka malware is spread using established seeders with no known history of malicious activity. The latter makes an effective distribution process, because due to the good reputation of the seeder, potential victims have no reason to doubt that the file to be downloaded is safe.
Once a user clicks on the installer, PirateMatryoshka’s infection process begins. First, it shows the victim a copy of The Pirate Bay page that is in fact a phishing page, asking them to enter their credentials to continue the installation. Later this malware uses these credentials to create new seeders distributing more of PirateMatryoshka. The research shows that so far, the phishing link has been accessed around 10,000 times.
Pirate Matryoshka’s scheme of infection and distribution on Pirate Bay
The infection process continues even if user credentials are not entered, with the malware unpacking further malicious modules. These include a malicious clicker that, among other things can check the ‘agree’ box that triggers the adware installer, flooding a victim’s device with unsolicited software. About 70% of installed programs are adware such as pBot, and 10% are detected as malware that can bring other malware onto the PC, such as another Trojan downloader.
PirateMatryoshka, therefore, combines sophisticated, multi-functional malware with effective distribution functionality for its own and other malicious code.
“We often see multi-layered malware, such as droppers, and find malicious installers that install more than one program on a user’s device. However, with PirateMatryoshka, this process is more sophisticated, as the malware that reaches a victim’s computer through the adware can introduce additional installers that are meant to bring more malware. This is quite advanced considering that this is an untargeted, mass attack that carries a phishing component for wider onward distribution,” – said Anton V. Ivanov, security researcher at Kaspersky Lab.
Kaspersky lab detects this malware as:
Trojan-Downloader.Win32.PirateMatryoshka
Trojan.Win32.InstClick
In order toprotect your devices, Kaspersky Lab advises the following:
- Use only legitimate software, downloaded from official webpages.
- Pay extra attention to the website's authenticity. Do not visit websites until you are sure that they are legitimate.
- Install reliable security solutions that securely auto-fills login credentials and provides comprehensive protection from a wide range of threats, such as Kaspersky Password Manager and Kaspersky Security Cloud
To learn more about PirateMatryoshka, please read the blog post available at Securelist.com
About Kaspersky Lab
Kaspersky Lab is a global cybersecurity company, which has been operating in the market for over 21 years. Kaspersky Lab’s deep threat intelligence and security expertise is constantly transforming into next generation security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky Lab technologies and we help 270,000 corporate clients protect what matters most to them.Learn more atwww.kaspersky.com.