The availability of pirated content on torrent sites can come with hidden repercussions. Symantec research of popular torrent websites has observed a potentially unwanted application (PUA) distribution campaign. On several sites, we found fake torrents with the names of popular games, such as Assassin’s Creed Syndicate or The Witcher 3, which were used as bait to trick users into silently installing PUAs on their computer. Symantec believes this PUA distribution campaign abuses legitimate affiliate pay-per-install programs.
Potentially unwanted applications
A PUA is a type of software that may impact security, privacy, resource consumption, or is associated with other security risks. There are several ways that a PUA might get installed on a computer or device. It may arrive as a freeware application or be bundled with third-party software. In many cases, user consent is required, but on some occasions a more intrusive PUA may perform a silent install that escapes attention.
PUA downloader campaign using fake gaming torrents
In this campaign, users install unwanted PUA programs through a fake .torrent file download. The following are examples of popular games being used to lure gamers to download the torrent files:
- World of Warcraft: Legion (Blizzard Entertainment)
- Assassin’s Creed Syndicate (Ubisoft)
- The Witcher 3: Wild Hunt (CD Projekt)
- Tom Clancy’s The Division (Ubisoft)
- Just Cause 3 (Square Enix)
- The Walking Dead: Michonne (Telltale Games)
The download process leads users to believe they are downloading a .torrent file for a game. For instance, the small file size (in bytes) indicated in the confirmation window attempts to trick the user into thinking that the download is a .torrent file. An additional step provides the user with specific directions on how to proceed.
Figure 1. Overlay window with download instructions
If the user proceeds, a User Account Control (UAC) security dialogue requests user confirmation to execute the download.
Figure 2. File execution triggers UAC security prompt
If the user approves, a redirection is initiated that ends in the download of an executable file hosted on Google Drive. Google has already identified several of the campaign’s PUA downloader files as malicious.
Figure 3. Google Drive identifies PUA downloader as malicious
The user may notice that the downloaded file is not the expected .torrent file but is an executable file (.exe) instead. A quick check on the downloaded file’s size (around 3.5 MB) may also confirm that this is more than a .torrent file.
Figure 4. Windows File Download dialogue box identifies the file as .exe, not .torrent
If the user approves the download and runs the executable, the PUA downloader starts to execute additional PUA downloads and installations. Symantec detects the PUA downloader samples with our PUA.ICLoader!g3 detection.
The PUA downloader may initiate POST requests to the following remote locations hosting adware:
The PUA downloader may also check for virtual environments before silently downloading any additional PUAs. The installation of additional PUA software proceeds without any user interaction and without displaying any end-user license agreement (EULA). Symantec analysis shows the installed PUA programs may change the browser default home page, hide certain browser shortcuts, or replace existing browser shortcuts with shortcuts to third-party browsers containing advertisements.
The fake gaming torrent campaign discussed in this blog is spreading PUA downloaders to unsuspecting torrent users by redirecting users to downloader executable files, leading to multiple PUAs being installed on computers. Symantec believes that the parties behind this campaign are attempting to fly under the radar by abusing numerous pay-per-install affiliate programs. While this campaign only spreads PUA downloaders, the same distribution model may be used to deliver additional security risks or even malware.
Users should adhere to the following advice if they wish to avoid being affected by this campaign:
- Avoid downloading pirated content from torrent sites. Attackers often use these sites, along with the names of popular movies, TV shows, and games, to spread security risks and malware.
- Always keep your security software up to date to protect yourself against against security risks
- Pay attention to the security windows that may appear when opening a file. In this campaign, one of the computer’s pop-up windows identifies the fake .torrent file as an .exe, a sure sign that the file is not what it claims to be.
Symantec and Norton products detect the PUA downloaders related to this campaign with the following detections:
Intrusion prevention system