Despite their popularity among users, torrents are very risky “business”. Apart from the obvious legal trouble you could face for violating the copyright of musicians, filmmakers or software developers, there are security issues linked to downloading them that could put you or your computer in the crosshairs of the black hats.
Merely downloading the newest version of BitTorrent clients – software necessary for any user who wants to download or seed files from this “ecosystem” – could infect your machine and irreversibly damage your files.
This was proven true on multiple occasions in 2016 when attackers targeted macOS users by hijacking a version of the Transmission app – a legitimate and widely used BitTorrent client – and then used it to spread nasty malware families.
The first attack was documented in March 2016, when victims downloaded ransomware known as KeRanger, which encrypted data (thus rendering it inaccessible). Despite the quick reaction of Transmission’s developers, who removed the trojanized version of the app only a few hours after it appeared on the official website, it still hit thousands of victims worldwide.
What is worse, KeRanger’s creators used a cryptographic algorithm that was effectively unbreakable, rendering victims’ data inaccessible.
Another case following the same path occurred in August 2016. macOS malware called OSX/Keydnap, spread using yet another hijacked version of the Transmission software – planting a permanent backdoor in infected devices and stealing credentials stored in the Keychain app.
Again, the official team of the BitTorrent client was fast to react and removed the trojanized app from the website within minutes after being notified by ESET researchers.
However, the threat posed by torrents extends beyond these clients. Risks are also associated with the downloaded files, which can pose as a popular software, games or movies, but turn out to be something completely different – often malevolent.
This was the case with Sathurbot backdoor trojan, a threat documented by ESET researchers in April 2017. The affected devices were infected via malicious torrents and added to a botnet that scanned the internet for WordPress administrator accounts. These were then targeted by a distributed brute-force attack.
To ensure its further propagation, Sathurbot masked itself as a popular movie or software, and misused the hijacked WordPress accounts to further propagate its original malicious torrent. As a result, the trojanized files were very well seeded and appeared legitimate “to the untrained eye”.
The movie torrent bundle contained a file with a video extension accompanied by an apparent codec pack installer, and an explanatory text file. The software torrent contained an apparent installer executable and a small text file. The objective of both was to push the victim to run the executable that loaded the Sathurbot DLL.
In February 2017, black hats misused BitTorrent sites again, this time to distribute new ransomware called “Patcher”, seemingly an application for pirating popular software.
The Torrent contained a single ZIP file – an application bundle. ESET researchers saw two versions of this malware, one posing as a “Patcher” for Adobe Premiere Pro and one for Microsoft Office for Mac. However, our analysis was not exhaustive and there might have been other versions in the wild.
Even though the malware was poorly coded, its encryption routine was effective enough to prevent victims from accessing the affected files. Additionally, the ransomware didn’t have any code to communicate with a C&C server. This means that there was no way to send the key – used to encrypt the files – to the malware operators and, hence, no way for them to provide the decryption key to the victims.
These are only a few examples of BitTorrent clients and torrents themselves, being a popular vector for cybercriminals who use it to infect large numbers of unaware users with malware or to gain control over their computers and misuse them for malicious purposes.
written by Ondrej Kubovic, ESET We Live Security