Malware Infects 250,000 Devices Globally After Torrent Download

21 Jul 2024

In the quest for the right software, users often visit websites and torrent trackers that look safe, download programs, install them, and use them. But are these programs really safe? Pirated software can carry threats of any level, from miners to complex rootkits. Spreading malware through pirated software is not a new problem, and today it operates at global scale. Let's discuss it through the example of a specific attack investigation.

Unveiling the Threat

In August 2023, our SOC detected anomalous network activity using MaxPatrol SIEM, and the incident response team (PT CSIRT) was brought in. Handling the incident established that a user at company X had been compromised by relatively simple but previously unknown malware. The investigation found no traces of phishing, a breach of the external perimeter, or any other intrusion technique: the user had simply installed a program downloaded via torrent.

The malware behaved quite noisily: it collected information about the victim's computer, installed RMS (remote management software) and the XMRig miner, and archived the contents of the user's Telegram data folder (tdata), and those are only its most damaging actions. The collected information was sent to a Telegram bot that acted as the command-and-control server.

A detailed study of the malware, the infection chain, and the Telegram bot allowed our team to identify a large number of victims worldwide and to determine the likely author of the malware, which we named autoit stealer.

Victims Around the Globe

We recorded over 250,000 infected devices in 164 countries. The majority (over 200,000) are in Russia, Ukraine, Belarus, and Uzbekistan. The top 10 countries also include India, the Philippines, Brazil, Poland, and Germany.

Most victims are non-corporate users who download pirated software from websites to their home computers. However, among the victims, we found government agencies, educational institutions, oil and gas companies, medical institutions, construction and mining companies, retail, IT, and others. All identified companies received appropriate notifications.

Infection Chain

The malware reaches the user's machine through a torrent client; the torrent file is downloaded from the site topsoft[.]space, which was re-registered in October 2022 with a Ukrainian registrar.

Once the torrent has been downloaded, the trojanized installer of the program the user wanted ends up on the victim's computer. Alongside the legitimate program, the installer carries a malicious component made up of many separate programs, mostly compiled AutoIt scripts, additionally protected with the Themida packer. The implementation does not look sophisticated: it is built somewhat "by the book" and relies on simple tactics. The infection chain performs the following actions:

  • Environment check: The malware terminates if any of the following conditions is true (the lists are typical analyst and sandbox artifacts):
    • The username matches one of the following: Peter Wilson, Acme, BOBSPC, Johnson, John, John Doe, Rivest, mw, me, sys, Apiary, STRAZNJICA.GRUBUTT, Phil, Customer, shimamu.
    • The computer name matches one of the following: RALPHS-PC, ABC-WIN7, man-PC, luser-PC, Klone-PC, tpt-PC, BOBSPC, WillCarter-PC, PETER-PC, David-PC, ART-PC, TOM-PC.
    • Files with the following names are present on the current user's desktop: secret.txt, report.odt, report.rtf, Incidents.pptx.
    • The current OS is Windows XP.
  • System preparation: The malware turns off the display of files that carry both the "hidden" and "system" attributes (it writes the value 0 under HKEY_CU), so that its own dropped files stay out of sight in Explorer.
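The environment check above is a plain allow/deny gate, and a defender can use it against the malware: because the sample aborts when it sees an analyst-looking host, planting one of the listed decoy files on a desktop acts as a "vaccine" against this specific sample. The following Python model is an added example written for this page, not code from the article or from the malware; the four lists are taken verbatim from the article, while `HostProfile`, `evasion_triggers`, `would_terminate`, `vaccine_plan` and the case-insensitive comparison (Windows user and computer names are case-insensitive; the article does not say how the sample compares them) are this example's own assumptions.

```python
"""Model of the autoit stealer environment check described in the article.

Added example (not the page's or the malware's code). Only the four blocklists
come from the article; everything else, including the case-insensitive matching,
is an assumption made here.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Lists copied from the article's description of the check (original spelling).
BLOCKED_USERNAMES = (
    "Peter Wilson", "Acme", "BOBSPC", "Johnson", "John", "John Doe", "Rivest",
    "mw", "me", "sys", "Apiary", "STRAZNJICA.GRUBUTT", "Phil", "Customer", "shimamu",
)
BLOCKED_COMPUTER_NAMES = (
    "RALPHS-PC", "ABC-WIN7", "man-PC", "luser-PC", "Klone-PC", "tpt-PC", "BOBSPC",
    "WillCarter-PC", "PETER-PC", "David-PC", "ART-PC", "TOM-PC",
)
BLOCKED_DESKTOP_FILES = ("secret.txt", "report.odt", "report.rtf", "Incidents.pptx")

# Assumption: compare case-insensitively, as Windows does for these names.
_USERS = frozenset(u.lower() for u in BLOCKED_USERNAMES)
_HOSTS = frozenset(h.lower() for h in BLOCKED_COMPUTER_NAMES)
_FILES = frozenset(f.lower() for f in BLOCKED_DESKTOP_FILES)


@dataclass
class HostProfile:
    """Hypothetical snapshot of the facts the check looks at (constructed input)."""
    username: str
    computer_name: str
    desktop_files: set[str] = field(default_factory=set)
    windows_xp: bool = False


def evasion_triggers(host: HostProfile) -> list[str]:
    """Return every reason the sample would abort on this host; empty means it runs."""
    triggers: list[str] = []
    if host.username.lower() in _USERS:
        triggers.append(f"username {host.username!r} is on the blocklist")
    if host.computer_name.lower() in _HOSTS:
        triggers.append(f"computer name {host.computer_name!r} is on the blocklist")
    decoys = sorted(f for f in host.desktop_files if f.lower() in _FILES)
    if decoys:
        triggers.append("desktop contains decoy file(s): " + ", ".join(decoys))
    if host.windows_xp:
        triggers.append("operating system is Windows XP")
    return triggers


def would_terminate(host: HostProfile) -> bool:
    """True when the sample would exit before doing anything harmful."""
    return bool(evasion_triggers(host))


def vaccine_plan(host: HostProfile) -> list[str]:
    """Decoy files not yet on the desktop that would make the sample abort.

    Renaming users or machines, or running Windows XP, are not sane defences;
    an empty decoy file on the desktop is cheap and, against this checker,
    sufficient. Returns [] when the host already trips the check.
    """
    if would_terminate(host):
        return []
    present = {f.lower() for f in host.desktop_files}
    return [f for f in BLOCKED_DESKTOP_FILES if f.lower() not in present]


if __name__ == "__main__":
    # Constructed sample hosts, not real telemetry.
    victim = HostProfile("alice", "DESKTOP-7Q2K1", {"budget.xlsx"})
    sandbox = HostProfile("John Doe", "tpt-pc", {"Report.RTF"}, windows_xp=True)
    for name, h in (("victim", victim), ("sandbox", sandbox)):
        print(name, "-> terminates:", would_terminate(h))
        for reason in evasion_triggers(h):
            print("   ", reason)
    print("vaccine for victim:", vaccine_plan(victim))
```

The vaccine only works against checks that key on static names like these; it does nothing against samples that fingerprint hardware, timing or installed tooling, so treat it as a cheap extra rather than a control. The same lists are also useful the other way round: a sandbox whose user or computer name appears here will never see the payload detonate.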