- Nicknamed Pirate Matryoshka, the malware is deployed through torrent trackers such as The Pirate Bay, where files installed adware on the victim’s machine.
- Attackers created fake malicious torrents brandished as original copies of paid software.
Leveraging torrents to deploy malware are quite popular. However, a recent campaign has seen fake torrents being flooded on websites such as The Pirate Bay (TPB). These torrents were found to have a malware dubbed as Pirate Matryoshka. Security firm Kaspersky Labs discovered this malware and its campaign.
How does the malware operate?
- If a user tries to download files from the fake torrents, a malware labeled as Trojan-Downloader.Win32.PirateMatryoshka is dumped into the system.
- This malware decrypts another installer which displays a phishing web page. This page asks the user’s TPB credentials which upon entering is sent to the attacker(s).
- This installer also sets up adware which are forms of file partner programs. Subsequently, the user’s machine is filled with unwanted programs.
- According to Kaspersky, other malware such as pBot and Razy were also installed by these partner programs.
Checks for earlier instances - Kaspersky mentioned that the malware checks compromised systems to see if it’s the first instance of the infection.
The blog highlights, “..PirateMatryoshka verifies that it is running in the attacked system for the first time. To do so, it checks the registry for the path HKEY_CURRENT_USER\Software\dSet. If it exists, further execution is terminated. If the checking result is negative, the installer prods the pastebin.com service for a link to the additional module and its decryption key.”
Furthermore, it is believed that compromised TPB accounts were used to spread more malicious torrents on affected systems. Thus, Pirate Matryoshka is considered to be more penetrative compared to other malware.