A Potentially Unwanted Application (PUA) distribution campaign has been revealed on a number of torrent sites specifically targeting video games. Fake torrents with the names of sought-after games such as The Witcher 3 have been found, used as bait to trick you into silently installing PUAs on your computer.
Although PUAs are low risk, they are still malicious -- changing your home page, hiding shortcuts, or replacing existing browser shortcuts with shortcuts to third-party browsers filled with ads.
The fake gaming torrent campaign is spreading PUA downloaders to unsuspecting torrent users by redirecting users to downloader executable files, leading to multiple PUAs being installed on computers.
A PUA is a type of software that may impact security, privacy, or resource consumption, or that is associated with other security risks. There are several ways that a PUA might get installed on a computer or device.
It may arrive as a freeware application or be bundled with third-party software. In many cases, user consent is required, but on some occasions a more intrusive PUA may perform a silent install that escapes attention.
In this campaign, the unwanted PUA programs are installed through a fake .torrent file download. Some of the games targeted include:
- World of Warcraft: Legion (Blizzard Entertainment)
- Assassin’s Creed Syndicate (Ubisoft)
- The Witcher 3: Wild Hunt (CD Projekt Red)
- Tom Clancy’s The Division (Ubisoft)
- Just Cause 3 (Square Enix)
- The Walking Dead: Michonne (Telltale Games)
The download process leads you to believe you are downloading a .torrent file for a game. For instance, the small file size (in bytes) indicated in the confirmation window attempts to trick you into thinking that the download is a .torrent file. An additional step provides the user with specific directions on how to proceed.
If you go ahead, a User Account Control (UAC) security dialogue requests confirmation to execute the download.
If you approve, a redirection is initiated that ends in the download of an executable file hosted on Google Drive. Google has already identified several of the campaign's PUA downloader files as malicious.
You might notice that the downloaded file is not the expected .torrent file but is an executable file (.exe) instead. A quick check on the downloaded file's size (around 3.5 MB) can also confirm that this is more than a .torrent file.
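The check described above can also be made on the file's content rather than its name or size. The following is an added example, not code from the original article or from Symantec's research: a Windows executable starts with an `MZ` header that points at a `PE\0\0` signature, while a genuine .torrent file is a single bencoded dictionary containing an `info` key. The function names and the sample bytes are constructed for illustration.

```python
import struct

def is_pe_executable(data: bytes) -> bool:
    """True if data has a DOS 'MZ' header whose e_lfanew field points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (pe_offset,) = struct.unpack_from("<I", data, 0x3C)
    return data[pe_offset:pe_offset + 4] == b"PE\x00\x00"

def _bdecode(data: bytes, i: int):
    """Decode one bencoded value at offset i; return (value, next_offset)."""
    c = data[i:i + 1]
    if c == b"i":                                  # integer: i<digits>e
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c in (b"l", b"d"):                          # list / dictionary, closed by 'e'
        items, i = [], i + 1
        while data[i:i + 1] != b"e":
            if i >= len(data):
                raise ValueError("unterminated container")
            item, i = _bdecode(data, i)
            items.append(item)
        if c == b"l":
            return items, i + 1
        if len(items) % 2:
            raise ValueError("dictionary key without value")
        return dict(zip(items[0::2], items[1::2])), i + 1
    if c.isdigit():                                # byte string: <length>:<bytes>
        start = data.index(b":", i) + 1
        end = start + int(data[i:start - 1])
        if end > len(data):
            raise ValueError("truncated string")
        return data[start:end], end
    raise ValueError("not bencode")

def classify_download(data: bytes) -> str:
    """Return 'executable', 'torrent' or 'unknown' based on content, not file name."""
    if is_pe_executable(data):
        return "executable"
    try:
        meta, end = _bdecode(data, 0)
    except (ValueError, TypeError, RecursionError):
        return "unknown"
    ok = isinstance(meta, dict) and b"info" in meta and end == len(data)
    return "torrent" if ok else "unknown"

# Constructed sample inputs (not taken from the campaign).
SAMPLE_TORRENT = b"d4:infod6:lengthi1024e4:name8:game.iso12:piece lengthi16384e6:pieces20:" + b"\x00" * 20 + b"ee"
SAMPLE_EXE = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00"
```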
If you approve the download and run the executable, the PUA downloader starts to execute additional PUA downloads and installations.
The PUA downloader might also check for virtual environments before silently downloading any additional PUAs. The installation of additional PUA software proceeds without any interaction and without displaying any end-user license agreement (EULA).
Symantec, which conducted the research, believes that the parties behind this campaign are attempting to fly under the radar by abusing numerous pay-per-install affiliate programs.
While this campaign only spreads PUA downloaders, the same distribution model may be used to deliver additional security risks or even malware.