Crooks use The Pirate Bay to spread PirateMatryoshka malware via reputed seeders

Pierluigi Paganini March 11, 2019

Crooks are abusing the torrent website The Pirate Bay to distribute the PirateMatryoshka malware that fuels the victim’s PC with unwanted software.

Crooks abusing torrent services to distribute malware is not a novelty, Torrent users are often exposed to serious threats such if the one recently spotted by Kaspersky Lab and dubbed by the expert PirateMatryoshka.

The PirateMatryoshka is a new piece of malware hosted by The Pirate Bay torrent tracking website, it has been estimated that it was already downloaded about 10,000 times.

“We noticed that the tracker contained malicious torrents created from dozens of different accounts, including ones registered on TBP for quite some time.” reads the post published by Kaspersky.

“Instead of the expected software, the file downloaded to the user’s computer was a Trojan, whose basic logic was implemented by SetupFactory installers. Our security solutions detect the malware as Trojan-Downloader.Win32.PirateMatryoshka.”

Once the malware was downloaded, it installs adware programs and other tools on the users’ computers making it virtually useless. The
PirateMatryoshka malware is dropped by a Trojan-downloader that has been hidden in tainted versions of legit software.


Experts noticed that the PirateMatryoshka malware is being distributed by seeders with a good reputation and that were never involved in fraudulent activities.

The attack starts with the downloader decrypting another SetupFactory installer for displaying a phishing web page that prompts users a fake login page for ThePirateBay. The compromised accounts were likely used by the attackers to spread other malicious torrents.

Before performing other actions, the PirateMatryoshka checks that it is running in the attacked system for the first time by analyzing the registry key HKEY_CURRENT_USER\Software\dSet. If the result is negative, the installer access a page to receive a link to the additional module and its decryption key.

The downloader also drops another SetupFactory installer, used to decrypt and run four PE files in sequence.

“The second and fourth of these files are downloaders for the InstallCapital and MegaDowl file partner programs(classified by us as Adware).” continues the experts.

“The other two files are autoclickers written in VisualBasic, which are required to prevent the user from canceling the installation of the additional software (in which case the cybercriminals go empty-handed). “

The PirateMatryoshka malware floods the victim computer with unwanted programs.

Indicators of Compromise are included in the report published by Kaspersky.

Be cautious when using Torrent websites and always check downloaded content for malicious code.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – PirateMatryoshka malware, Torrent)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment