Sophos researchers uncovered a malware campaign that aims at blocking infected users’ from visiting a large number of websites dedicated to software piracy by modifying the HOSTS file on the infected system.
The vigilantes distribute the vigilante malware in archives disguised as a wide variety of software packages that were advertised through the Discord chat service. In other cases, the packages were distributed directly via torrent.
The vigilantes named the pages as popular games, productivity tools, and even security products, a circumstance that suggests the campaign targets a large audience, from gamers to professionals.
The campaign involved hundreds of different software brands represented by the filenames found in a search on Virustotal for related samples. The files discovered by the researchers use names like “Left 4 Dead 2 (v184.108.40.206 Last Stand + DLCs + MULTi19)” and “Minecraft 1.5.2 Cracked [Full Installer][Online][Server List]” which were used to attract the attention of users searching for pirated software.
“The files that appear to be hosted on Discord’s file sharing tend to be lone executable files. The ones distributed through Bittorrent have been packaged in a way that more closely resembles how pirated software is typically shared using that protocol: Added to a compressed file that also contains a text file and other ancillary files, as well as an old-fashioned Internet Shortcut file pointing to ThePirateBay.” reads the analysis published by Sophos.
Upon clicking on the executable, a message pop-up is displayed to the victim to inform them that a .DLL file is missing from their computer.
In the background, the malware fetches the next stage payload, named ProcessHacker.jpg, from an external domain. The malicious code modifies the HOSTS file on the target machine in a way to block a few hundred to over 1,000 websites, most of which provide piracy-related content.
Experts noticed that in some cases the malware was not able to modify the HOSTS file due to the lack of required privileges.
The good news is that victims of this malware can simply remove the entries from their HOSTS files in order to be able to visit again the blocked websites.
“Users who have inadvertently run one of these files can clean up their HOSTS file manually, by running a copy of Notepad elevated (as administrator), and modifying the file at c:\Windows\System32\Drivers\etc\hosts to remove all the lines that begin with “127.0.0.1” and reference the various ThePirateBay (and other) sites.” concludes the report.
(SecurityAffairs – hacking, vigilante malware)