Pirated Software Blocked By Novel Malware


The objective of most malware is some kind of gain for the hackers who use it. Researchers recently observed malware with a different take. Rather than steal credentials or hold data for ransom, a recent campaign discovered by Sophos prevents people from visiting sites that host illegal downloads. The malware works by modifying the HOSTS file on the infected system, a crude but effective way to stop a computer from reaching a web address. The HOSTS file is an integral part of the Windows OS, used to map host names or domain names to IP addresses. It acts like a local DNS service for the computer and overrides mappings returned by the DNS service of the network the computer is connected to.

Because the malware doesn’t persist, any infected user can easily fix it by removing the affected entries after they’ve been added to the HOSTS file. The hackers used various means to distribute the malware in a way that would attract the attention of people who tend to use popular torrent sites to pirate software. One distribution method was hosting the malware on the game chat service Discord, with some samples disguised as pirated copies of various software packages. Researchers also observed the malware being distributed through BitTorrent with filenames that appear to have originated with a well-known file-sharing account on ThePirateBay.


If a person downloads and runs the infected software, the system would immediately be blocked from accessing the file. The infected software triggers a fake error message informing the user that the program can’t start because a file, “MSVCR100.dll,” is missing on the computer. The malware also checks an infected system to see whether it can make an outbound network connection and, if it can, it attempts to contact a URI on the domain 1flchier[.]com. When it connects to the domain, the malware delivers a secondary payload, an executable named ProcessHacker.jpg that performs several functions to block the infected system from running pirated software.

In some cases that were observed, there was a kill switch that searches for two specific filenames in any of the locations defined by the “%PATH%” environment variable and causes the software to quit if it finds them both. ProcessHacker.jpg also modifies the HOSTS file when granted administrator privileges. Researchers could not identify the hackers behind the malware, but said endpoint protection can detect it by identifying the runtime packer it uses, Mal/EncPk-APV, which is the same packer used by the unrelated Qbot malware family.

To clean up the HOSTS file manually on infected systems, run Notepad as administrator, open the file at `C:\Windows\System32\drivers\etc\hosts`, and remove all the lines that begin with “127.0.0.1” and reference the various ThePirateBay and other sites.
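The manual cleanup above works because every entry the malware adds has the same shape: a loopback address followed by a real domain name. The script below is an added example written for this article (it is not code from Sophos or from the malware write-up) that audits a HOSTS file for such sinkhole entries and produces a cleaned copy. It goes slightly beyond the article's case: it flags any loopback (127.0.0.0/8, ::1) or unspecified (0.0.0.0, ::) address mapped to a hostname other than localhost, not only the literal 127.0.0.1. The hosts content embedded in the script is constructed for illustration, and the `.invalid` domain names are placeholders, not sites named in the report.

```python
"""Audit a Windows HOSTS file for loopback "sinkhole" entries and produce a cleaned copy.

Added example for illustration; the sample hosts content is constructed, not a real capture.
"""
import ipaddress
import sys

# Hostnames that legitimately map to a loopback address and must never be removed.
LEGITIMATE_LOOPBACK_NAMES = {
    "localhost", "localhost.localdomain", "broadcasthost", "ip6-localhost", "ip6-loopback",
}

# Constructed sample of a HOSTS file after the kind of tampering the article describes.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
127.0.0.1       example-torrent-site.invalid   # constructed sinkhole entry
127.0.0.1       tracker.example.invalid www.tracker.example.invalid
0.0.0.0         another.example.invalid
192.0.2.10      intranet.example.invalid
"""


def parse_hosts(text):
    """Return (line_number, address, [hostnames], raw_line) for every mapping line.

    Comment-only and blank lines are skipped; lines whose first field is not a
    valid IP address are also skipped so a human can look at them separately.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        entries.append((lineno, addr, [h.lower() for h in parts[1:]], raw))
    return entries


def is_sinkhole_entry(addr, hostnames):
    """True when a loopback/unspecified address is mapped to a non-localhost name."""
    if not (addr.is_loopback or addr.is_unspecified):
        return False
    return any(h not in LEGITIMATE_LOOPBACK_NAMES for h in hostnames)


def find_sinkhole_entries(text):
    """Return the parsed entries that sinkhole a real domain name."""
    return [e for e in parse_hosts(text) if is_sinkhole_entry(e[1], e[2])]


def clean_hosts(text):
    """Return the hosts content with sinkhole entries removed, everything else untouched."""
    drop = {e[0] for e in find_sinkhole_entries(text)}
    kept = [raw for i, raw in enumerate(text.splitlines(), start=1) if i not in drop]
    return "\n".join(kept) + ("\n" if text.endswith("\n") else "")


def audit_file(path):
    """Read a hosts file from disk and return its sinkhole entries (read-only)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_sinkhole_entries(fh.read())


if __name__ == "__main__":
    # Audit the sample by default, or a file path given on the command line.
    hits = audit_file(sys.argv[1]) if len(sys.argv) > 1 else find_sinkhole_entries(SAMPLE_HOSTS)
    for lineno, addr, names, raw in hits:
        print(f"line {lineno}: {addr} -> {', '.join(names)}")
    print(f"{len(hits)} sinkhole entries found")
```

On a real machine run it as `python hosts_audit.py C:\Windows\System32\drivers\etc\hosts`; it only reads the file, and writing a cleaned copy back requires an elevated prompt just as the Notepad method does. Review the hits before removing anything: ad-blocking hosts lists legitimately use the same 0.0.0.0 or 127.0.0.1 pattern, so the script tells you which lines to look at, not which lines are malicious.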

Pirated software is often a gateway to malware, as researchers have warned for decades. It’s very common that pirated software can contain unwanted features such as password stealers or hidden backdoors. These give hackers easy access to devices. Most pirated software has been altered by hackers to help find ways to make money, such as selling stolen credentials or access for malicious criminals to install ransomware, which forces you into becoming the next victim.