
PirateMatryoshka Trojan

PirateMatryoshka is a newly discovered trojan that first attempts to phish users' credentials and, if that fails, installs potentially unwanted programs instead.

The trojan is named PirateMatryoshka after the classic Russian stacking doll because of its “seemingly endless stack of functionality”.

It is delivered through disguised torrent files hosted on illegitimate sharing websites. Unlike other malware distributed in this manner, PirateMatryoshka uses established sharers’ files to propagate, increasing the likelihood that other users download them. When a user attempts to open a spoofed file, PirateMatryoshka displays a fake login window prompting the user to enter their sharing-site credentials. It then uses these credentials to create new seed files and propagate to other users.

If no credentials are entered, PirateMatryoshka instead deploys several additional payloads, using an auto-clicking function to dismiss any warning prompts before the user can see them. At the time of publication, most payloads observed have been adware or click-fraud tools such as pBot, although a significant minority have been more serious malware.

Kaspersky said that the compromised accounts were most likely used by the cybercriminals to spread more malicious torrents.

Further details: https://securelist.com/piratebay-malware/89740/

Image: Fake Piratebay authentication window (the Pirate Matryoshka malware displays phishing windows to steal logins and passwords for Pirate Bay accounts).

IOCs (file hashes)

66860309953dc7cd7faee88ec90a81f6
7576b8677975261fbb1e799d0231ec01
64dc8f3197607dbf652b985edb99ad4e
035cff7c52460a69f77a0a09db05a6f7
a85f90f07dd9e8aab51c65d8287ec6be
a857ae5cb87b23359ed70b8177aa44d3
45d4df9b38a8f8da385714f32415cd34

Phishing domain

www.mobilekey[.]pw
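The indicators above are only useful once they are turned into a check. The following is an added example (not code from the post, from Kaspersky, or from systemtek) showing how a defender would sweep a download directory against the listed hashes and scan resolver logs for the phishing domain. It assumes the 32-character digests are MD5 (the post does not name the algorithm), and the dnsmasq-style log lines and the `demo_sweep` planting routine are constructed for the example.

```python
import hashlib
import os
import re
import tempfile

# File hashes listed in the post. They are 32 hex characters, which this
# example treats as MD5; the post itself does not name the algorithm.
PIRATEMATRYOSHKA_HASHES = {
    "66860309953dc7cd7faee88ec90a81f6",
    "7576b8677975261fbb1e799d0231ec01",
    "64dc8f3197607dbf652b985edb99ad4e",
    "035cff7c52460a69f77a0a09db05a6f7",
    "a85f90f07dd9e8aab51c65d8287ec6be",
    "a857ae5cb87b23359ed70b8177aa44d3",
    "45d4df9b38a8f8da385714f32415cd34",
}

# Phishing domain exactly as the post lists it (defanged with "[.]").
PHISHING_DOMAIN_DEFANGED = "www.mobilekey[.]pw"


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a matchable, lower-cased hostname."""
    return indicator.replace("[.]", ".").lower()


PHISHING_DOMAIN = refang(PHISHING_DOMAIN_DEFANGED)


def md5_of_file(path: str, chunk_size: int = 1 << 16) -> str:
    """Stream a file through MD5 so large torrent payloads need not fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def sweep_directory(root: str, known_hashes=PIRATEMATRYOSHKA_HASHES) -> dict:
    """Walk `root` and return {path: md5} for every file whose MD5 is a known IOC."""
    hits = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            digest = md5_of_file(path)
            if digest in known_hashes:
                hits[path] = digest
    return hits


# dnsmasq-style query line; the field layout is an assumption for this example.
DNS_QUERY = re.compile(r"query\[A+\]\s+(?P<qname>\S+)\s+from\s+(?P<client>\S+)")


def find_phishing_lookups(log_lines, domain: str = PHISHING_DOMAIN) -> list:
    """Return (client, qname) pairs for A/AAAA queries that resolve the phishing domain."""
    findings = []
    for line in log_lines:
        match = DNS_QUERY.search(line)
        if not match:
            continue
        # Normalise case and a trailing root dot before comparing.
        qname = match.group("qname").lower().rstrip(".")
        if qname == domain:
            findings.append((match.group("client"), qname))
    return findings


# Constructed sample log: one client resolves the phishing host twice, the rest is benign.
SAMPLE_DNS_LOG = [
    "Mar  6 10:14:02 dnsmasq[812]: query[A] www.mobilekey.pw from 10.0.0.12",
    "Mar  6 10:14:05 dnsmasq[812]: query[AAAA] www.mobilekey.pw. from 10.0.0.12",
    "Mar  6 10:14:09 dnsmasq[812]: query[A] updates.example.org from 10.0.0.7",
]


def demo_sweep() -> dict:
    """Plant a harmless file, add its hash to the watch list, and show the sweep flags only it.

    No real sample is needed: the planted bytes are constructed text, not malware.
    """
    with tempfile.TemporaryDirectory() as root:
        planted = os.path.join(root, "setup.exe")
        benign = os.path.join(root, "readme.txt")
        with open(planted, "wb") as handle:
            handle.write(b"constructed sample payload, not real malware")
        with open(benign, "wb") as handle:
            handle.write(b"hello")
        watch_list = set(PIRATEMATRYOSHKA_HASHES) | {md5_of_file(planted)}
        hits = sweep_directory(root, watch_list)
        return {os.path.basename(path): digest for path, digest in hits.items()}


if __name__ == "__main__":
    print("hash hits:", demo_sweep())
    print("phishing lookups:", find_phishing_lookups(SAMPLE_DNS_LOG))
```

In production the watch list would come from a threat-intelligence feed rather than a hard-coded set, and the DNS regex would be adapted to whatever resolver or proxy actually writes the logs; the structure (hash the file in chunks, compare against a set, normalise query names before matching) stays the same.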

Jason Davies

I am one of the editors here at www.systemtek.co.uk I am a UK based technology professional, with an interest in computer security and telecoms.
