A strain of malware with odd intentions when it comes to piracy and the moral compass of its victims has been detected in the wild.
On Thursday, Sophos researchers said they had uncovered a malware campaign that doesn't follow typical behavioral patterns: infiltrate a system, steal information, conduct banking fraud, and so on -- instead, the malware "blocks infected users' from being able to visit a large number of websites dedicated to software piracy."
The means of distribution varies: some samples were buried in archives disguised as software packages promoted through the Discord chat service, whereas others are distributed directly via torrent.
The creator has used the names of numerous software brands, games, productivity tools, and cybersecurity solutions to hide the malware, according to principal researcher Andrew Brandt, and so appears to be targeting everyone from gamers to professionals who might not want to purchase a software license.
The malicious packages are named in common formats used when distributing pirated software, such as "Minecraft 1.5.2 Cracked [Full Installer][Online][Server List]." Files are tagged to appear as uploads from The Pirate Bay.
"The files that appear to be hosted on Discord's file-sharing tend to be lone executable files," Brandt says. "The ones distributed through Bittorrent have been packaged in a way that more closely resembles how pirated software is typically shared using that protocol: added to a compressed file that also contains a text file and other ancillary files, as well as an old fashioned Internet Shortcut file."
If the malware's executable is double-clicked, a message pop-up appears which claims the victim's system is missing a crucial .DLL file. In the background, the malware is fetching a secondary payload, dubbed ProcessHacker, from an external website. This payload is responsible for modifying the HOSTS file on the target machine.
The malware's piracy website blocking process is rudimentary, as it simply adds a list of between a few hundred to over 1,000 web domains and points them to a localhost address. Oddly, some websites that are on the block list have nothing to do with piracy.
However, on modern machines, privileges may be required to modify the HOSTS file and not every sample triggered Windows systems to escalate the malware's privileges. When this escalation didn't occur, the HOSTS file modification failed.
"Modifying the HOSTS file is a crude but effective method to prevent a computer from being able to reach a web address," Sophos says. "It's crude because, while it works, the malware has no persistence mechanism. Anyone can remove the entries after they've been added to the HOSTS file."
In some of the malware packages, the operator added files bundled with the installer, likely to improve its look of legitimacy as a pirate software package. Most of these files are junk code and garbage images, although a common .nfo file contained racist slurs.
"On the face of it, the adversary's targets and tools suggest this could be some kind of crudely-compiled anti-piracy vigilante operation," Brandt commented. "However, the attacker's vast potential target audience -- from gamers to business professionals -- combined with the curious mix of dated and new tools, TTPs, and the bizarre list of websites blocked by the malware, all make the ultimate purpose of this operation a bit murky."
While the malware is crude and doesn't have a major impact on users -- unless they are fans of cracked software or pirate content -- if the HOSTS file has been modified, Sophos says it can be cleaned up by running Notepad as an administrator, opening up c:\Windows\System32\Drivers \etc\hosts, and removing references.
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0