Fake gaming torrents lead to potentially unwanted applications

Petrovic


PUA downloaders are disguising themselves as torrents for pirated copies of Assassin’s Creed Syndicate and The Witcher 3 to install multiple different PUAs on users’ computers.


The availability of pirated content on torrent sites can come with hidden repercussions. Symantec research of popular torrent websites has observed a potentially unwanted application (PUA) distribution campaign. On several sites, we found fake torrents with the names of popular games, such as Assassin’s Creed Syndicate or The Witcher 3, which were used as bait to trick users into silently installing PUAs on their computer. Symantec believes this PUA distribution campaign abuses legitimate affiliate pay-per-install programs.


Potentially unwanted applications
A PUA is a type of software that may impact security, privacy, resource consumption, or is associated with other security risks. There are several ways that a PUA might get installed on a computer or device. It may arrive as a freeware application or be bundled with third-party software. In many cases, user consent is required, but on some occasions a more intrusive PUA may perform a silent install that escapes attention.


PUA downloader campaign using fake gaming torrents
In this campaign, users end up installing PUAs through a fake .torrent file download. The following are examples of popular games being used to lure gamers into downloading the torrent files:

  • World of Warcraft: Legion (Blizzard Entertainment)
  • Assassin’s Creed Syndicate (Ubisoft)
  • The Witcher 3: Wild Hunt (CD Projekt)
  • Tom Clancy’s The Division (Ubisoft)
  • Just Cause 3 (Square Enix)
  • The Walking Dead: Michonne (Telltale Games)

The download process leads users to believe they are downloading a .torrent file for a game. For instance, the small file size (in bytes) indicated in the confirmation window attempts to trick the user into thinking that the download is a .torrent file. An additional step provides the user with specific directions on how to proceed.


Figure 1. Overlay window with download instructions


If the user proceeds, a User Account Control (UAC) security dialogue requests user confirmation to execute the download.


Figure 2. File execution triggers UAC security prompt


If the user approves, a redirection is initiated that ends in the download of an executable file hosted on Google Drive. Google has already identified several of the campaign’s PUA downloader files as malicious.


Figure 3. Google Drive identifies PUA downloader as malicious


The user may notice that the downloaded file is not the expected .torrent file but is an executable file (.exe) instead. A quick check on the downloaded file’s size (around 3.5 MB) may also confirm that this is more than a .torrent file.


Figure 4. Windows File Download dialogue box identifies the file as .exe, not .torrent
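The two tells described above (an .exe where a .torrent was expected, and a file size far beyond what torrent metadata needs) can be checked programmatically before anything is run. The following is an added example, not code from the Symantec write-up; it uses constructed sample bytes rather than real campaign samples, and the size threshold is an assumption.

```python
import os

PE_MAGIC = b"MZ"                 # header of a Windows executable, which is what the campaign delivers
MAX_TORRENT_BYTES = 512 * 1024   # assumed ceiling: real .torrent metadata is nowhere near 3.5 MB

def bdecode(data, i=0):
    """Minimal bencode decoder; returns (value, next_index), raises ValueError on bad input."""
    c = data[i:i + 1]
    if c == b"i":                                  # integer: i<digits>e
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c in (b"l", b"d"):                          # list or dict, terminated by 'e'
        i += 1
        items = []
        while data[i:i + 1] != b"e":
            v, i = bdecode(data, i)
            items.append(v)
        if c == b"l":
            return items, i + 1
        return dict(zip(items[0::2], items[1::2])), i + 1
    if c.isdigit():                                # byte string: <len>:<bytes>
        colon = data.index(b":", i)
        n = int(data[i:colon])
        return data[colon + 1:colon + 1 + n], colon + 1 + n
    raise ValueError("not bencode")

def check_claimed_torrent(filename, data):
    """Return the red flags for a download that claims to be a .torrent (empty list = looks genuine)."""
    flags = []
    ext = os.path.splitext(filename)[1].lower()
    if ext != ".torrent":
        flags.append("extension is %s, not .torrent" % ext)
    if data[:2] == PE_MAGIC:
        flags.append("starts with MZ: this is a Windows executable")
    if len(data) > MAX_TORRENT_BYTES:
        flags.append("%d bytes is far too large for torrent metadata" % len(data))
    try:
        meta, end = bdecode(data)
        if not isinstance(meta, dict) or b"info" not in meta or end != len(data):
            flags.append("not a bencoded dictionary with an 'info' key")
    except ValueError:
        flags.append("contents are not valid bencode")
    return flags

# Constructed inputs: a tiny well-formed torrent and a 4 MB PE-like blob with a game name.
GENUINE = b"d8:announce20:http://tracker.test/4:infod4:name8:game.iso12:piece lengthi262144e6:pieces0:ee"
FAKE = b"MZ\x90\x00" + b"\x00" * (4 * 1024 * 1024)

if __name__ == "__main__":
    print(check_claimed_torrent("Witcher3.torrent", GENUINE))   # []
    print(check_claimed_torrent("Witcher3.exe", FAKE))          # four red flags
```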


If the user approves the download and runs the executable, the PUA downloader starts to execute additional PUA downloads and installations. Symantec detects the PUA downloader samples with our PUA.ICLoader!g3 detection.


The PUA downloader may initiate POST requests to a number of remote locations hosting adware.


The PUA downloader may also check for virtual environments before silently downloading any additional PUAs. The installation of additional PUA software proceeds without any user interaction and without displaying any end-user license agreement (EULA). Symantec analysis shows the installed PUA programs may change the browser default home page, hide certain browser shortcuts, or replace existing browser shortcuts with shortcuts to third-party browsers containing advertisements.


Conclusion
The fake gaming torrent campaign discussed in this blog is spreading PUA downloaders to unsuspecting torrent users by redirecting users to downloader executable files, leading to multiple PUAs being installed on computers. Symantec believes that the parties behind this campaign are attempting to fly under the radar by abusing numerous pay-per-install affiliate programs. While this campaign only spreads PUA downloaders, the same distribution model may be used to deliver additional security risks or even malware.


Mitigation
Users should adhere to the following advice if they wish to avoid being affected by this campaign:

  • Avoid downloading pirated content from torrent sites. Attackers often use these sites, along with the names of popular movies, TV shows, and games, to spread security risks and malware.
  • Always keep your security software up to date to protect yourself against security risks.
  • Pay attention to the security windows that may appear when opening a file. In this campaign, one of the computer’s pop-up windows identifies the fake .torrent file as an .exe, a sure sign that the file is not what it claims to be.


You can easily remove potentially unwanted applications. I don't trust any torrent that doesn't have user comments in it. I have taken a chance on some in the past and I won't do that now. I download a torrent if it has user comments. A thumbs up and a thumbs down won't work, as malware authors could upload fake torrents and have multiple users press the like button. They can have multiple users post comments, but that's unlikely as it takes additional time to post a comment and have it look sincere too.



This sort of reminds me of when Watch Dogs came out on p2p and it had the bitcoin miner in it; 1000s of people installed it. It only takes 1 bad actor. And one of the reasons public P2P never was that popular before they started killing off filelockers in 2012 was that it was easy to get infected downloading stuff through p2p; it's just history repeating itself. It was much safer to download stuff from someone who had sources for stuff from the scene that didn't come off p2p. I'm still no fan of p2p because I had a bad experience with it once and only use it as a last resort.
