The objective of most malware is some kind of gain — financial or otherwise — for the attackers who use it. However, researchers recently observed a unique malware with a single intent: Blocking the infected computers from visiting websites dedicated to software piracy.
The malware (which SophosLabs principal researcher Andrew Brandt called “one of the strangest cases I’ve seen in a while”) works by modifying the HOSTS file on the infected system, in a “a crude but effective method to prevent a computer from being able to reach a web address,” he wrote in a report published Thursday.
The HOSTS file is an integral part of the Windows OS used to map IP addresses to host names or domain names. In this way, it ostensibly acts as a local DNS service for a computer that can override mappings from the DNS service of the network to which the computer is connected.
However, because the malware has no persistence mechanism, any infected user can easily remedy the effect it has on a local computer by removing the affected entries after they’ve been added to the HOSTS file, Brandt said. These files “will stay removed,” unless of course the system becomes infected with the malware a second time, he said.
Brandt credited senior manager for threat research Richard Cohen for identifying the “oddball malware.”
“This seems to be a fresh trick on an old attack of compromising people attempting to download pirated software and media. In this case though, it seems to be an individual or group trying to protect intellectual property, but make no mistake, this is still clearly criminal behavior,” John Bambenek, threat intelligence advisor at Netenrich, told Threatpost. “This reminds me of the Sony rootkit scandal a decade ago, and shows the anti-piracy groups still haven’t learned that other people have rights too.”
Tricking Would-Be Software Pirates
Attackers used various means to distribute the malware in a way that it would attract the attention of people who tend to use popular torrent sites to pirate software. One distribution method was by using the game chat service Discord to host the malware — some of which was aptly disguised as pirated copies of various software packages, Brandt wrote.
Researchers observed other copies being distributed through Bittorrent that also were named after popular pirated downloads, such as games, productivity tools and even security products, accompanied by additional files that made the malware appear to have originated with a well-known file-sharing account on ThePirateBay.
“The files that appear to be hosted on Discord’s file sharing tend to be lone executable files,” Brandt wrote. “The ones distributed through Bittorrent have been packaged in a way that more closely resembles how pirated software is typically shared using that protocol: Added to a compressed file that also contains a text file and other ancillary files, as well as an old-fashioned Internet Shortcut file pointing to ThePirateBay.”
If a person downloads and runs infected software, he or she would immediately be blocked from accessing the file thanks to the “brief” end-user experience that the malware delivers.
If double-clicked, the infected software triggers a “bogus error message” informing a user that the program can’t start because a file, “MSVCR100.dll,” is missing from his or her computer, Brandt wrote. It also suggests that the user try to reinstall the program to fix the problem.
The malware also checks an infected system to see whether it can make an outbound network connection and, if it can, it attempts to contact a URI on the domain “1flchier[.]com.”
“The domain appears to be a typosquat clone of the cloud storage provider 1fichier, spelled with an ‘L’ as the third character in the name instead of an ‘I’,” Brandt explained.
Secondary Malware Payload
If contact is made with the website, the malware delivers a secondary payload, an executable named ProcessHacker.jpg that performs several more functions to block the infected system from running pirated software.
In some samples observed, one of the features was a kill switch that searches for a couple of very specific filenames in any of the locations defined by the “%PATH%” environment variable, which causes the software to quit if it finds them both, Brandt wrote.
ProcessHacker.jpg also modifies the HOSTS file when granted administrator privileges, which most of the samples examined by Sophos did by asking Windows for privilege elevation, which it granted.
Researchers could not identify the provenance of the malware, but said it can be detected through endpoint detections by identifying the runtime packer used with it, Mal/EncPk-APV, which coincidentally is the same one used by the unrelated Qbot malware family, Brandt wrote.
To clean up the HOSTS file manually on infected systems, users can run a copy of Notepad elevated (as administrator), and modify the file at c:\Windows\System32\Drivers\etc\hosts to remove all the lines that begin with “127.0.0.1” and reference the various ThePirateBay (and other) sites, he said. More information about the malware also can be found on Sophos’ GitHub page.
As ever, pirated software is often a gateway to malware, as researchers have warned for decades.
“It’s very common that hidden within pirated software are unwanted features such as password stealers or hidden backdoors,” said Joseph Carson, chief security scientist and advisory CISO at ThycoticCentrify, via email. “These allow cybercriminals easy access to your devices. Most pirated software has been altered by criminals to help find ways to make money, such as selling stolen credentials or access for malicious criminals to install ransomware, which forces you into becoming the next cyber-victim.”
Join Threatpost for “Tips and Tactics for Better Threat Hunting” — a LIVE event on Wed., June 30 at 2:00 PM ET in partnership with Palo Alto Networks. Learn from Palo Alto’s Unit 42 experts the best way to hunt down threats and how to use automation to help. Register HERE for free!