File-sharing site SubTorrents, which is very popular in Spain and Latin America, is silently infecting users with a Trojan, thanks to the help of the Fiesta Exploit Kit.
As soon as someone visits the website, they’re subjected to a silent redirection to the malicious payload.
Beside the illegal nature of downloading music and movies from Torrent sites in some countries, many sites that index torrents are filled with aggressive ads that trick the user into running programs and other junk that they don’t need, including malware.
“Downloading illegal torrents is dangerous business,” said Jerome Segura, senior security researcher at Malwarebytes Labs, in a blog. “On top of fake files that waste your time and bandwidth, users have to navigate through a sea of misleading ads and pop-ups.”
Given the large amounts of ads on the SubTorrents site, it would have been fair to suspect a malvertising issue. But it turns out, the site itself has been compromised and serves a well-hidden iframe.
“The author had some fun trying to make things a little more complicated,” Segura said. “Rather than directly inserting a malicious iframe to the exploit kit landing, they chose to build it on the fly by retrieving the content from an external .js.”
The attack also involved placing a cookie on the user’s machine, which the code checks for at the beginning of the attack. Segura pointed out that it’s a simple way to mark the PC as already hit and possibly infected, so that no effort is wasted to try and infect it again.
As for the payload, Segura said that it looks like the Kovter ransomware and ad fraud malware. Kovter was first discovered in 2013, and its particular ransomware variant typically targets visitors to adult and illegal websites. It locks the phone or PC and then displays a message saying the user has broken the law and will need to pay a fine to unlock the device.
To make the threat more realistic, Kovter typically scours the user’s browser history for related content and displays any on a splash screen. This team-up isn’t new: Fiesta EK has been seen pushing the Kovter malware before.
Segura added, “[Torrent] visitors may end up saving a few bucks off that latest movie but could also risk a lot more, like getting a nasty malware infection. Ransomware being so prevalent these days could mean that all of a user’s files, including those movies and songs, could be encrypted and held for ransom.”