In one of the stranger cases of malware to date, Andrew Brandt of Sophos detailed a malware campaign with the sole purpose of preventing the victim from accessing sites used for software piracy. To do so, the malware modifies the HOSTS file which can be used to manually set an IP address for a given host name like example.com. One use this file has seen over the years is to add entries for domain names to point them to 127.0.0.1 (also known as localhost). That blocks access to those domains, which is exactly what this malware is doing. Brandt goes on to say that hundreds to thousands of domains are added to the HOSTS file when the malware is executed in the sample he looked at. To spread, the malware was disguised in various ways through different platforms such as popular video games and security software through Discord. It could also be found on popular torrent sites, packaged to look similar to other cracked software releases complete with READMEs and internet shortcut files. While the true purpose of this campaign has not been determined, the malware also had one more surprise. Before doing anything, the malware rats out the victim by sending the name of the pirated software to a website which then downloads a secondary payload responsible for the HOSTS file modification.
Analyst Notes
Binary Defense does not support software piracy and recommends against downloading unofficial copies of software. Unfortunately, software piracy is not uncommon to see in an enterprise environment. Hiding malicious behavior inside of “cracked” applications is a common tactic, and if the software functions as intended, the victim is likely to never find out. If a particular application would be useful for your job function, consider speaking with management or someone with purchasing power about why it may be useful or assist with a job function so that there is a safe, legal copy available to use. Software that costs $20 is often considered just a drop in the bucket and isn’t worth risking an infection which could spread across the enterprise.
Vigilante malware rats out software pirates while blocking ThePirateBay
