<— Back

RATs in the sewers: diving into the BitTorrent cesspool

From APT attacks to lowly cybercrime, the BitTorrent protocol is often used as a method to gain illegally obtained files and, as such, is the perfect gateway to content-wanting victims. BitTorrent websites have long been used as the primary distribution vector of XtremeRAT and Filesponger stealer but was also misused in 2022 when Mandiant reported a supply-chain attack targeting the Ukrainian government, where a modified Windows 10 installer was distributed via a local torrent-sharing site. To detect such bad actors at the source, ideally before they compromise users, we researched and developed Torrent Crawler, a project to scan and monitor suspicious BitTorrent sites to better understand this popular P2P protocol as a compromise vector, and to discover new malware.

In this presentation, we study one of the cases we discovered using our crawler: a cluster of 20+ remote access trojans (RATs) stemming from the common AsyncRAT codebase, including the well-known forks like DCRat and VenomRAT but also previously unknown variants developed by various malware authors. We dissect the unique monetization plugins used by these variants but also look at the connections between the various malware developers and provide insights into how their RATs are sold in this competitive low-cost RAT segment.

As for Torrent Crawler, we show specific interesting problems of monitoring the sites – like establishing a system that does not help with illegal torrent propagation – along with statistics, a landscape overview, and some tips if you decide to tackle a similar project. For a start, we are scanning over half a dozen carefully selected torrent websites, including some of the biggest. We will share our insights into malicious actors we have found as well as tactics and techniques encountered.