Cybersecurity researchers have found an interesting piece of malware that, instead of stealing passwords or to extort a computers owner for ransom, blocks infected users computers from being able to visit a large number of websites dedicated to software piracy. However, the malware appears murky.
Researchers at Sophos, a global leader in next-generation cybersecurity, have detailed a curious cyberattack campaign that targets users of pirated software with malware designed to block access to websites hosting pirated software. The developers disguise the malware as cracked versions of popular online games such as Minecraft and Among Us, as well as productivity tool such as Microsoft Office, security software and others.
The disguised malware is distributed via the BitTorrent platform from an account hosted on ‘ThePirateBay’ digital file sharing website. “Links to the malware are also hosted on Discord. Once installed, the malware blocks the victim’s access to a long list of websites, including many that distribute pirated software,” the researchers said in a blog post. The researchers were not able to discern a provenance for this malware. “But its motivation seemed pretty clear. It prevents people from visiting software piracy websites (if only temporarily), and sends the name of the pirated software the user was hoping to use to a website, which also delivers a secondary payload,” they explained.
Andrew Brandt, principal threat researcher, Sophos says, “Sometimes it is easy to see clearly what an adversary’s end game is and why they have chosen a particular approach to achieve it. This is not one of those times”. On the face of it, the adversary’s targets and tools suggest this could be some kind of anti-piracy vigilante operation. “However, the attacker’s vast potential target audience from gamers to business professionals make the ultimate purpose of this operation a bit murky,” Brandt cautioned.
At least some of the malware, disguised as pirated copies of a wide variety of software packages, was hosted on game chat service Discord. Other copies, distributed through Bittorrent, were also named after popular games, productivity tools, and even security products, accompanied by additional files that make it appear to have originated with a well-known file sharing account on ThePirateBay.
In this malware case, the attackers use an age-old approach of modifying the HOSTS file settings on an infected devi’e to ‘localhost” a long list of websites, thereby blocking the user’s access to them. The malicious files are compiled for 64-bit Windows 10 and then signed with bogus digital certificates that wouldn’t pass more than a very rudimentary check. “Once downloaded and installed by a user, the malware hunts for files named 7686789678967896789678 and 412412512512512. If it finds them it stops any further launch of the attack,” said Sophos researchers. The malware also triggers a fake error message to appear when it runs, which asks people to re-install the software, they added.