Using torrent trackers to spread malware is a well-known practice: cybercriminals disguise it as popular software, computer games, media files and other sought-after content. We detected one such campaign early this year, when The Pirate Bay (TPB) tracker filled up with harmful files used to distribute malware under the guise of cracked copies of paid programs.

[Figure: Malicious torrents in the TPB index]

We noticed that the tracker contained malicious torrents created from dozens of different accounts, including ones that had been registered on TPB for quite some time.

[Figure: Description of a malicious torrent]

Torrent content

Instead of the expected software, the file downloaded to the user's computer was a Trojan whose basic logic is implemented in SetupFactory installers. Our solutions detect the malware as Trojan-Downloader.Win32.PirateMatryoshka.

[Figure: Generalized algorithm of the PirateMatryoshka sample]

At the initial stage, the installer decrypts another SetupFactory installer whose job is to display a phishing web page.

[Figure: Retrieving the first malicious component]

The page opens directly in the installation window and requests the user's TPB account credentials, supposedly in order to continue the process.

[Figure: Phishing page used to obtain TPB accounts]

The compromised accounts were most likely used by the cybercriminals to spread further malicious torrents on the resource; as noted above, not only newly created accounts were used for this purpose.

Before performing the next step, PirateMatryoshka verifies that it is running on the attacked system for the first time. To do so, it checks the registry for the key HKEY_CURRENT_USER\Software\dSet. If the key exists, further execution is terminated; if it is absent, the installer queries a remote service for a link to the additional module and its decryption key.
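A triage check for this marker, added here as an example and not taken from the Securelist analysis: it walks every user hive loaded under HKEY_USERS rather than only HKCU, because the marker is written per user and the responder is rarely logged in as the infected account. The key name Software\dSet is the one reported above; the hive enumeration, SID resolution, function name and output format are this example's own assumptions.

```powershell
# Added example, not code from the Securelist analysis or from the malware.
# Looks for the PirateMatryoshka first-run marker (Software\dSet) in every user
# hive currently loaded under HKEY_USERS. The key name comes from the analysis
# above; the function, enumeration and output format are this example's own.

$MarkerSubKey = 'Software\dSet'

function Find-PirateMatryoshkaMarker {
    [CmdletBinding()]
    param([string] $SubKey = $MarkerSubKey)

    # HKEY_USERS holds one subkey per loaded profile (named by SID) plus the
    # matching <SID>_Classes hives, which never carry the marker. .DEFAULT is
    # kept on purpose: a stage executed under the SYSTEM profile would write there.
    Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -notlike '*_Classes' } |
        ForEach-Object {
            $sid     = $_.PSChildName
            $keyPath = "Registry::HKEY_USERS\$sid\$SubKey"
            if (Test-Path -Path $keyPath) {
                $key = Get-Item -Path $keyPath
                [pscustomobject]@{
                    SID        = $sid
                    # Map the SID to an account name; .DEFAULT and stale SIDs will not resolve.
                    Account    = $(try {
                        ([System.Security.Principal.SecurityIdentifier] $sid).Translate(
                            [System.Security.Principal.NTAccount]).Value
                    } catch { '(unresolved)' })
                    KeyPath    = $keyPath
                    # The write-up does not say which values the malware stores under the
                    # key, so report whatever is present instead of assuming a layout.
                    ValueNames = ($key.GetValueNames() -join ', ')
                }
            }
        }
}

# Run stand-alone: print the hits, or say explicitly that none were found.
$hits = @(Find-PirateMatryoshkaMarker)
if ($hits.Count -gt 0) {
    Write-Warning "PirateMatryoshka first-run marker present in $($hits.Count) loaded user hive(s)"
    $hits | Format-Table -AutoSize
} else {
    Write-Output "No $MarkerSubKey key in any loaded user hive"
}
```

Run it from an elevated PowerShell session. Profiles of users who are not logged in are not loaded under HKEY_USERS, so their NTUSER.DAT would have to be mounted with `reg load` first. Treat the result as a first-run guard and nothing more: absence of the key proves nothing about the other stages, and because the chain exits when the key already exists, pre-creating it is the cheap "vaccination" this kind of marker invites, though it does nothing against the phishing page, which is shown before the check runs.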

[Figure: Retrieving the second malicious component]

The second downloaded component is also a SetupFactory installer, used to decrypt and run four PE files in sequence:

[Figure: The modules run by the second malicious component]

The second and fourth of these files are downloaders for the InstallCapital and MegaDowl file partner programs (which we classify as adware). They usually reach users through file-sharing sites; besides downloading the requested content, their goal is to install additional software while carefully hiding the option to refuse it. For example, in InstallCapital the full list of software to be installed is placed at the end of the license agreement:

[Figure: Full list of installable software in InstallCapital]

And in MegaDowl, the list is hidden behind the seemingly inactive Advanced settings button:

[Figure: Full list of installable software in MegaDowl]

The other two files are autoclickers written in Visual Basic, needed to stop the user from canceling the installation of the additional software (in which case the cybercriminals go empty-handed). The autoclickers are run before the installers; when they detect the installer windows, they tick the boxes and click the buttons needed to signal the user's consent to install the unwanted software.

[Figure: Searching for partner downloader windows and clicking them]

As a result of PirateMatryoshka's efforts, the computer is flooded with unwanted programs that pester the user and waste system resources. On a separate note, the owners of file partner programs often do not vet the programs offered through their downloaders: our research shows that one in five files offered by partner installers is malicious, among them pBot, Razy and others.

[Figure: Example of what a partner program downloader can do]


Cybercriminals are always coming up with new kinds of fraud. In this case, they used torrent trackers to deliver malicious content that installs adware on users' computers. As a result, many TPB users not only picked up adware or malware on their machines, but also had their accounts compromised.

Kaspersky Lab solutions detect PirateMatryoshka and its components with the following verdicts:




Phishing domain

