Rather than steal credentials or hold data for ransom, a recent campaign spotted by Sophos stops people from visiting sites that offer illegal downloads.
The goal of most malware is some kind of gain, financial or otherwise, for the attackers who use it. However, researchers recently discovered an unusual malware with a single purpose: blocking infected computers from visiting websites devoted to software piracy.
The malware (which SophosLabs principal researcher Andrew Brandt called “one of the strangest cases I’ve seen in a while”) works by modifying the HOSTS file on the infected system, “a crude but effective method to prevent a computer from being able to reach a web address,” he wrote in a report published Thursday.
The HOSTS file is an integral part of the Windows OS used to map IP addresses to host names or domain names. In this way, it effectively acts as a local DNS service for the computer, one that can override the mappings returned by the DNS service of the network to which the computer is connected.
However, because the malware has no persistence mechanism, any infected user can easily remedy the effect it has on a local computer by removing the affected entries after they’ve been added to the HOSTS file, Brandt said. Those entries “will stay removed,” unless the system becomes infected with the malware a second time, he noted.
Brandt credited senior threat research manager Richard Cohen for identifying the “oddball malware.”
“This seems to be a new twist on an old attack of compromising people attempting to download pirated software and media. In this case though, it appears to be an individual or group trying to protect intellectual property, but make no mistake, this is still clearly criminal behavior,” John Bambenek, threat intelligence advisor at Netenrich, told Threatpost. “This reminds me of the Sony rootkit scandal a decade ago, and shows the anti-piracy groups still have not learned that other people have rights too.”
Tricking Would-Be Software Pirates
Attackers used several means to distribute the malware in a way that would attract the attention of people inclined to use popular torrent sites to pirate software. One distribution method was using the game chat service Discord to host the malware, some of which was aptly disguised as pirated copies of various software packages, Brandt wrote.
Researchers observed other copies being distributed via Bittorrent that also were named after popular pirated downloads, such as games, productivity tools and even security products, accompanied by additional files that made the malware appear to have originated with a well-known file-sharing account on ThePirateBay.
“The files that appear to be hosted on Discord’s file sharing tend to be lone executable files,” Brandt wrote. “The ones distributed through Bittorrent have been packaged in a way that more closely resembles how pirated software is usually shared using that protocol: Added to a compressed file that also contains a text file and other ancillary files, as well as an old-fashioned Internet Shortcut file pointing to ThePirateBay.”
If a user downloads and runs the infected software, he or she would immediately be blocked from accessing the file, thanks to the “brief” end-user experience that the malware delivers.
When double-clicked, the infected application triggers a “bogus error message” informing the user that the application cannot start because a file, “MSVCR100.dll,” is missing from his or her computer, Brandt wrote. It also suggests that the user try to reinstall the program to fix the problem.
The malware also checks the infected system to see whether it can make an outbound network connection and, if it can, it tries to contact a URI on the domain “1flchier[.]com.”
“The domain appears to be a typosquat clone of the cloud storage provider 1fichier, spelled with an ‘L’ as the third character in the name instead of an ‘I’,” Brandt said.
Secondary Malware Payload
If contact is made with the site, the malware delivers a secondary payload, an executable named ProcessHacker.jpg that performs several additional functions to block the infected system from running pirated software.
In some samples observed, one of the functions was a kill switch that searches for a pair of very specific filenames in any of the locations defined by the “%PATH%” environment variable, which causes the program to quit if it finds them both, Brandt wrote.
ProcessHacker.jpg also modifies the HOSTS file once granted administrator privileges, which most of the samples examined by Sophos obtained by asking Windows for privilege elevation, which it granted.
Researchers could not identify the provenance of the malware, but said it can be caught by endpoint detections by identifying the runtime packer used with it, Mal/EncPk-APV, which coincidentally is the same one used by the unrelated Qbot malware family, Brandt wrote.
To clean up the HOSTS file manually on infected systems, users can run a copy of Notepad elevated (as administrator) and edit the file at C:\Windows\System32\drivers\etc\hosts to remove all the lines that start with “127.0.0.1” and reference the various ThePirateBay (and other) sites, he said. More details about the malware can also be found on Sophos’ GitHub page.
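As an added defender-side example, not from the Sophos report or this article, the Python below automates the HOSTS-file check and clean-up described above: it parses hosts-file text, flags every hostname that has been pointed at a loopback or unspecified address other than the standard localhost entries, and rewrites the content with those names removed. The embedded hosts content and the .example domains are constructed samples, not real indicators.

```python
import ipaddress

# Names that legitimately map to loopback and must never be removed.
LEGIT_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
                        "ip6-localhost", "ip6-loopback"}

# Constructed sample of a Windows hosts file after the malware has added lines.
SAMPLE_HOSTS = (
    "# Constructed sample: hosts file after infection\n"
    "127.0.0.1       localhost\n"
    "::1             localhost\n"
    "10.0.0.5        intranet.corp.example   # legitimate internal host\n"
    "127.0.0.1 thepiratebay.example www.thepiratebay.example\n"
    "127.0.0.1\tcracked-downloads.example\n"
    "127.0.0.1 localhost tracker.example\n"
)

def parse_hosts(text):
    """Yield (line_no, ip, [hostnames]) per entry; blank lines and '#' comments are skipped."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            yield no, parts[0], parts[1:]

def is_sinkhole_ip(ip):
    """True for 127.0.0.0/8, ::1 and 0.0.0.0/::, the addresses used to blackhole a name."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified

def find_sinkholed_names(text):
    """Return [(line_no, ip, hostname)] for every non-localhost name sent to a sinkhole address."""
    return [(no, ip, name) for no, ip, names in parse_hosts(text) if is_sinkhole_ip(ip)
            for name in names if name.lower() not in LEGIT_LOOPBACK_NAMES]

def clean_hosts(text):
    """Rewrite the hosts text without the sinkholed names; legit names sharing a line are kept."""
    flagged = {}
    for no, _ip, name in find_sinkholed_names(text):
        flagged.setdefault(no, set()).add(name)
    out = []
    for no, raw in enumerate(text.splitlines(), 1):
        if no not in flagged:
            out.append(raw)
            continue
        parts = raw.split("#", 1)[0].split()
        keep = [n for n in parts[1:] if n not in flagged[no]]
        if keep:  # drop the line entirely when nothing legitimate remains
            out.append(" ".join([parts[0]] + keep))
    return "\n".join(out) + "\n"
```

Run `find_sinkholed_names` first and review the output before writing the result of `clean_hosts` back, since an administrator may have added deliberate blocklist entries that look the same.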
As ever, pirated software is often a gateway to malware, as researchers have warned for years.
“It’s very common that hidden inside pirated software are unwanted features such as password stealers or hidden backdoors,” said Joseph Carson, chief security scientist and advisory CISO at ThycoticCentrify, via email. “These allow cybercriminals easy access to your devices. Most pirated software has been modified by criminals to help find ways to make money, such as selling stolen credentials or access for malicious criminals to install ransomware, which forces you into becoming the next cyber-victim.”