U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Uncategorized

Crooks use The Pirate Bay to spread PirateMatryoshka malware via reputed seeders

Crooks are abusing the torrent website The Pirate Bay to distribute the PirateMatryoshka malware that fuels the victim’s PC with unwanted software. Crooks abusing torrent services to distribute malware is not a novelty, Torrent users are often exposed to serious threats such if the one recently spotted by Kaspersky Lab and dubbed by the expert […]

Crooks are abusing the torrent website The Pirate Bay to distribute the PirateMatryoshka malware that fuels the victim’s PC with unwanted software.

Crooks abusing torrent services to distribute malware is not a novelty, Torrent users are often exposed to serious threats such if the one recently spotted by Kaspersky Lab and dubbed by the expert PirateMatryoshka.

The PirateMatryoshka is a new piece of malware hosted by The Pirate Bay torrent tracking website, it has been estimated that it was already downloaded about 10,000 times.

“We noticed that the tracker contained malicious torrents created from dozens of different accounts, including ones registered on TBP for quite some time.” reads the post published by Kaspersky.

“Instead of the expected software, the file downloaded to the user’s computer was a Trojan, whose basic logic was implemented by SetupFactory installers. Our security solutions detect the malware as Trojan-Downloader.Win32.PirateMatryoshka.”

Once the malware was downloaded, it installs adware programs and other tools on the users’ computers making it virtually useless. The
PirateMatryoshka malware is dropped by a Trojan-downloader that has been hidden in tainted versions of legit software.

PirateMatryoshka

Experts noticed that the PirateMatryoshka malware is being distributed by seeders with a good reputation and that were never involved in fraudulent activities.

The attack starts with the downloader decrypting another SetupFactory installer for displaying a phishing web page that prompts users a fake login page for ThePirateBay. The compromised accounts were likely used by the attackers to spread other malicious torrents.

Before performing other actions, the PirateMatryoshka checks that it is running in the attacked system for the first time by analyzing the registry key HKEY_CURRENT_USER\Software\dSet. If the result is negative, the installer access a pastebin.com page to receive a link to the additional module and its decryption key.

The downloader also drops another SetupFactory installer, used to decrypt and run four PE files in sequence.

“The second and fourth of these files are downloaders for the InstallCapital and MegaDowl file partner programs(classified by us as Adware).” continues the experts.

“The other two files are autoclickers written in VisualBasic, which are required to prevent the user from canceling the installation of the additional software (in which case the cybercriminals go empty-handed). “

The PirateMatryoshka malware floods the victim computer with unwanted programs.

Indicators of Compromise are included in the report published by Kaspersky.

Be cautious when using Torrent websites and always check downloaded content for malicious code.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – PirateMatryoshka malware, Torrent)

[adrotate banner=”5″]

[adrotate banner=”13″]