Cybercrime syndicate Black Team unleashes malicious network weaponising popular torrents to spread malware

An Eastern European cybercrime syndicate called Black Team has established a massive underground malicious network, which is capable of weaponising popular torrent files to spread malware. Security researchers from InfoArmor discovered that the Black Team comprises "professional malware developers" who created the malicious network, dubbed RAUM, in an effort to target millennials.

RAUM has been targeting victims in the US, the UK, Canada, Australia as well as some countries in Europe, through popular torrent sites like PirateBay and ExtraTorrent. InfoArmor researchers said RAUM was being used by the cybercriminals to "weaponise" popular torrent files by inserting malware through the uTorrent client. The threat actors also used a "special infrastructure" which allowed them to monitor and manage new seeds via compromised accounts "extracted from botnet logs".

InfoArmor chief intelligence officer Andrew Komarov told IBTimes UK: "The bad actors search for popular torrent files, most of which are cracked/pirated OS versions along with business software. They combine the original files uploaded to torrent trackers with malware, and in some cases in advanced methods. For example, rebuilding the image of OS and placing their specific components instead of legitimate files. Any OS can be vulnerable to it, since the installation of new files is confirmed by the user, and currently their malware has a minimal AV detection rate."

RAUM distributes adware, malware and ransomware

The cyber-crooks can use RAUM via PPI (Pay-Per-Install) schemes to distribute a whole host of malicious code, including adware, malware and ransomware. "In many instances, popular ransomware such as CryptXXX, CTB-Locker and Cerber, online-banking Trojan Dridex, password stealing spyware Pony, and others were associated with the identified RAUM instances. We have identified in excess of 1,639,000 records collected in the past few months from the infected victims with various credentials to online-services, gaming, social media, corporate resources and exfiltrated data from the uncovered network," InfoArmor researchers said in their report.

Who are the Black Team?

Komarov said the Black Team has been identified as an Eastern European cybercrime gang, which he characterised as "a fairly large syndicate that is working with popular ransomware affiliate networks such as the CryptXXX project".

He added that RAUM's code was found to be in English and noted that the underground network was primarily targeting victims in English-speaking countries.

"The geography is fairly broad, but the wording is in English, targeting those countries that are or have some fluency (US, UK, CA, Australia and some EU-based countries). Traditionally these are top countries for cybercriminals to target since they analyse social wealth and the ability of the victims to pay for ransomware decryption," Komarov said.

Komarov added that torrent files packaged with ransomware were found to be the most profitable and sought after by paying cybercriminals. "We found that payments for successful malware installations in the network were up to $40 depending on the payload," he said.

"The highest bids were for ransomware distribution packaged with torrent files since this is a standard monetization model. For example, the default price for the decryption of a victim infected with ransomware like CryptXXX is close to 1.2 BTC ($720), creating an ideal revenue sharing model that is beneficial for both sides (professional blackhats, distributing malware and the owners of the identified malicious network)."

RAUM was also behind the recent PirateBay Safe Browsing warning that was issued by Google to Chrome and Firefox users. Both Google and Firefox have since blacklisted PirateBay after discovering malicious files which, according to InfoArmor researchers, were being distributed on the site via the RAUM network.

According to Komarov, underground networks like RAUM would be ideal for cybercriminals to spread ransomware, especially to those millennials who disregard security while downloading torrent files.

He said: "Ransomware distribution through torrent trackers may become one of the key channels for the new generation [millennials] and future generations of new victims because most of them do not place much attention on the security of downloaded files and are ready to install them without any additional verification. Cybercriminals can optimise the costs of usage of exploit-kits or additional tools since. Projects like RAUM may be an 'industrial' way of commercialization of such illegal activities by using automated torrent trackers that parse and repackage them with malware."