{"id":12944,"date":"2019-03-07T15:58:51","date_gmt":"2019-03-07T11:58:51","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/pirate-matryoshka-malware\/12944\/"},"modified":"2019-11-15T15:22:28","modified_gmt":"2019-11-15T11:22:28","slug":"pirate-matryoshka-malware","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/pirate-matryoshka-malware\/12944\/","title":{"rendered":"Pirate Matryoshka: A nesting doll Trojan from Pirate Bay"},"content":{"rendered":"

The battle against torrents has been going on for so long that any attempt at warning about a torrent threat is bound to be met with mistrust: \u201cHere come the copyright holders with their tales of horror again!\u201d Well, not every tale is a lie.<\/p>\n

Meet Andrew. Andrew wanted to download a very important file from a torrent tracker real bad. What Andrew didn\u2019t know is that whereas he uses torrents to save money, individuals with a lower level of social responsibility use them to make a buck off Andrew. For example, they could do so by using a scheme that we recently identified on The Pirate Bay, where scammers started seeding a host of cracked software copies, replacing the original source files with malicious files of their own.<\/p>\n

How Pirate Matryoshka, the torrent malware from Pirate Bay, works<\/h2>\n

When Andrew ran the file that was slipped in by the hackers, the installer displayed a fake Pirate Bay authentication window. Our hero took that window for granted and entered his login and password, which of course went directly to the creators of the malware. Now Andrew\u2019s account is used to create new fake uploads \u2014 and that\u2019s why you cannot identify a fake by looking at the account registration date alone.<\/p>\n

\"The<\/a>

Fake authentication windows help scammers access user accounts, which are then used to create more \u201cbooby-trapped\u201d uploads<\/p><\/div>\n

However, account hijacking is not where the scammers make their money. That honor goes to partner programs, which pay for each installation of certain software on a victim\u2019s machine. So, together with the application Andrew actually needs, he gets a few extras. A lot of extras, in fact.<\/p>\n

Although the bonus software is not always malware \u2014 by our estimate, malicious apps account for only one in five \u2014 it does not make the user\u2019s life any easier. From this day on, Andrew will have to battle legions of optimization programs that obscure his screen with ads, browser toolbars that change the homepage and add their banners to every website, and even Trojans.<\/p>\n

\"Pirate<\/a>

A partner software installer has done its job<\/p><\/div>\n

Now, Andrew would have had a chance if he had run a similar file downloaded from elsewhere; the makers of partner software installers, despite being in a legal gray area, leave the user the opportunity to decline. You have to dig a little to find that option, though:<\/p>\n

\"See<\/a>

A lot of extra software comes with the application you were looking for. With Pirate Matryoshka, you cannot decline the favor<\/p><\/div>\n

But if you are looking at the Pirate Bay infection that we have christened Pirate Matryoshka, there\u2019s no way for you to skip the extras \u2014 because of certain features<\/a> of the software. Before triggering the installation process, the malware runs autoclicker modules that automatically tick every box, leaving you no chance to decline.<\/p>\n

\"\"<\/a><\/p>\n

Conclusion<\/h3>\n

If you are downloading something from torrent trackers, be prepared to encounter malware. This is especially relevant for software downloads, which inevitably contain executable files.<\/p>\n

However, it would be naive to assume that Andrew\u2019s fate will never befall you if you just stay away from torrents and cracked software. You can find a \u201cpartner installer\u201d pretty much anywhere<\/a>, so you either have to avoid all executables downloaded from the Internet or have a reliable antivirus tool at the ready. Kaspersky Plus<\/a>, for example, can detect and neutralize every component of Pirate Matryoshka and others of its kind.<\/p>\n\n","protected":false},"excerpt":{"rendered":"

A close look at Pirate Matryoshka malware, and why even inveterate pirates should not download cracked software from torrent trackers.<\/p>\n","protected":false},"author":2506,"featured_media":12945,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5,1486],"tags":[542,36,2054,2055,521,2033],"class_list":{"0":"post-12944","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-news","8":"category-threats","9":"tag-adware","10":"tag-malware-2","11":"tag-partner-programs","12":"tag-pirate-bay","13":"tag-threats","14":"tag-torrents"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/pirate-matryoshka-malware\/12944\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/pirate-matryoshka-malware\/15377\/"},{"hreflang":"ar","url":"https:\/\/me.kaspersky.com\/blog\/pirate-matryoshka-malware\/6143\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/pirate-matryoshka-malware\/17317\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/pirate-matryoshka-malware\/15472\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/pirate-matryoshka-malware\/14166\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/pirate-matryoshka-malware\/17999\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/pirate-matryoshka-malware\/17014\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/pirate-matryoshka-malware\/22374\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/pirate-matryoshka-malware\/5770\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/pirate-matryoshka-malware\/25905\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/pirate-matryoshka-malware\/11495\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/pirate-matryoshka-malware\/11559\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/pirate-matryoshka-malware\/10451\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/pirate-matryoshka-malware\/18709\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/pirate-matryoshka-malware\/22753\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/pirate-matryoshka-malware\/18063\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/pirate-matryoshka-malware\/22249\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/pirate-matryoshka-malware\/22184\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/threats\/","name":"threats"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/12944","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2506"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=12944"}],"version-history":[{"count":6,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/12944\/revisions"}],"predecessor-version":[{"id":14494,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/12944\/revisions\/14494"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/12945"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=12944"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=12944"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=12944"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}