RAUM tool allows to spread malware through torrent files

Pierluigi Paganini September 22, 2016

InfoArmor has discovered the RAUM tool in criminal forums, it is a special tool to distribute malware by packaging it with popular torrent files.

It is not a novelty, torrent files are a privileged channel for malware diffusion, according to a study conducted by researchers at Digital Citizens Alliance and RiskIQ, almost one-third of the 800 torrent sites served malware on the users’ machine between June and August 2015.

Now a new tool appeared on the cyber crime underground allows cyber criminals to distribute malware through torrent files in exchange for a fee.

Experts from InfoArmor discovered the tool, so-called RAUM tool, in invite-only underground forums.

According to InfoArmor, the creators of RAUM tool belong to an Eastern European organized crime group known as Black Team.

It leverages torrent files, especially games, to spread malware. The RAUM tool allows to package torrent files with malware and then uploaded for victims to download.

The experts at InfoArmor pointed out the innovative “Pay-Per-Install” model implemented by the crooks behind the RAUM tool.

“The so-called “RAUM” tool has been actively used on uncovered underground affiliate networks based on a “Pay-Per-Install” model (PPI). This model leverages paying cybercriminals to distribute malware through modified torrent files that are joined with malware. Members of these networks are invited by special invitation only, with strict verification of each new member.” reads the blog post published by InfoArmor.

The RAUM tool allows crooks to monitor the status of their malicious campaigns, through its interface, it is possible to control malware diffusion over popular sites such as The Pirate Bay and ExtraTorrent.

“Threat actors were systematically monitoring the status of the created malicious seeds on famous torrent trackers such as The Pirate Bay, ExtraTorrent and many others. In some cases, they were specifically looking for compromised accounts of other users on these online communities that were extracted from botnet logs in order to use them for new seeds on behalf of the affected victims without their knowledge, thus increasing the reputation of the uploaded files.” continues the post.


“In some cases, the lifespan of these seeded malicious files exceeded 1.5 months and resulted in thousands of successful downloads,” InfoArmor said.

In some cases, the creators of the RAUM tool have attempted to hijack the accounts of known uploaders of torrent files in order to use them to spread trojanized torrent files.

Security experts associated identified RAUM tool instances with popular ransomware such as CryptXXX, CTB-Locker and Cerber, Dridex banking Trojan, and Pony data stealer.

The report published by InfoArmor also includes the IoC for the RAUM tool.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – RAUM tool, Torrent)

you might also like

leave a comment