A researcher has uncovered one of the more unusual finds in the annals of malware: booby-trapped files that rat out downloaders and try to prevent unauthorized downloading in the future. The files are available on sites frequented by software pirates.
Vigilante, as SophosLabs Principal Researcher Andrew Brandt is calling the malware, gets installed when victims download and execute what they think is pirated software or games. Behind the scenes, the malware reports the file name that was executed to an attacker-controlled server, along with the IP address of the victims' computers. As a finishing touch, Vigilante tries to modify the victims' computers so they can no longer access thepiratebay.com and as many as 1,000 other pirate sites.
Not your typical malware
“It’s really unusual to see something like this because there’s normally just one motive behind most malware: stealing stuff,” Brandt wrote on Twitter. “Whether that’s passwords, or keystrokes, or cookies, or intellectual property, or access, or even CPU cycles to mine cryptocurrency, theft is the motive. But not in this case. These samples really only did a few things, none of which fit the typical motive for malware criminals.”
But not in this case. These samples really only did a few things, none of which fit the typical motive for malware criminals.
For one thing, they modify the HOSTS file on the PC to add entries. Lots of entries.
They had a common theme. pic.twitter.com/O1Z2fSXZ1n
— Accountability Brandt (@threatresearch) June 17, 2021
Once victims have executed the trojanized file, the file name and IP address are sent in the form of an HTTP GET request to the attacker-controlled 1flchier[.]com, which could easily be confused with the cloud-storage provider 1fichier (the former is spelled with an L as the third character of the name instead of an I). The malware in the files is essentially identical apart from the file names it generates in the web requests.
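The beacon described above is easy to miss in proxy logs precisely because 1flchier[.]com is one character away from a legitimate service. The following detection sketch is an added example, not code from the article or from SophosLabs: it scans constructed proxy log lines for hosts within edit distance 1 of a known legitimate domain and reports the client that sent the request. The log format and the query string in the sample lines are assumptions; the article states only that the file name and the client IP are sent in an HTTP GET.

```python
import re

# Constructed proxy log lines (not real telemetry). Simplified format:
# "client_ip method host path". The beacon path is a hypothetical placeholder.
SAMPLE_LOG = """\
10.0.0.12 GET 1fichier.com /download/abc123
10.0.0.17 GET 1flchier.com /?file=Photoshop_2021_crack.exe&ip=10.0.0.17
10.0.0.21 GET update.microsoft.com /v1/check
10.0.0.33 GET 1flchier.com /?file=Game_keygen.exe&ip=10.0.0.33
10.0.0.40 GET 1fichler.com /index.html
"""

# Legitimate domains whose lookalikes we want to catch (assumed allow-list).
LEGIT_DOMAINS = ("1fichier.com",)

LINE_RE = re.compile(
    r"^(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<host>\S+)\s+(?P<path>\S+)$"
)


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; cheap enough to run on every log host."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def lookalike_of(host: str, legit=LEGIT_DOMAINS, max_distance: int = 1):
    """Return the legitimate domain this host impersonates, or None.

    An exact match is not a lookalike; 1flchier.com vs 1fichier.com is one
    substitution (i -> l) and so is flagged."""
    host = host.lower().rstrip(".")
    for real in legit:
        if host != real and edit_distance(host, real) <= max_distance:
            return real
    return None


def find_lookalike_beacons(log_text: str):
    """Parse the log and collect every request to a lookalike host."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        real = lookalike_of(m["host"])
        if real:
            hits.append({
                "client": m["client"],
                "host": m["host"],
                "impersonates": real,
                "path": m["path"],
            })
    return hits


if __name__ == "__main__":
    for hit in find_lookalike_beacons(SAMPLE_LOG):
        print(f"{hit['client']} -> {hit['host']} (looks like {hit['impersonates']}) {hit['path']}")
```

The interesting output is the client column: each flagged client is a host that executed one of the trojanized files and is a candidate for the Hosts-file cleanup described further down. Raising `max_distance` to 2 catches more aggressive typosquats at the cost of more false positives against short domains.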
Vigilante goes on to update a file on the infected computer that prevents it from connecting to The Pirate Bay and other Internet destinations known to be used by people trading pirated software. Specifically, the malware updates Hosts, a file that pairs one or more domain addresses with distinct IP addresses. As the image below shows, the malware pairs thepiratebay.com with 127.0.0.1, a special-purpose IP address, often known as the localhost or loopback address, that computers use to identify their real IP address to other systems.
By mapping the domains to the local host, the malware ensures that the computer can no longer access the sites. The only way to reverse the blocking is to edit the Hosts file to remove the entries.
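Because the whole effect rests on Hosts entries that point names at the loopback address, a defender can both detect and undo it by parsing that file. The script below is an added example, not code from the article or from SophosLabs: it parses a constructed Hosts file modelled on what the article describes, lists every name pinned to a loopback address other than the conventional localhost aliases, and returns the file text with those lines removed (the manual edit the article recommends). The sample entries, the `tracker.example` name and the allow-list of localhost aliases are assumptions; the Windows path is the standard location of the file.

```python
import ipaddress
from pathlib import Path

# Constructed Hosts file content (not a real sample): the default Windows
# comment header, three names pinned to loopback the way Vigilante does it,
# and one legitimate static mapping that must survive cleanup.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#	127.0.0.1       localhost
#	::1             localhost
127.0.0.1 thepiratebay.com
127.0.0.1 www.thepiratebay.com
127.0.0.1 tracker.example
192.168.1.10 intranet.corp.example
"""

# Names that legitimately resolve to loopback; everything else pinned to
# 127.0.0.1 or ::1 is treated as a blackhole entry. Assumed allow-list.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Standard location on Windows; the article's victims are Windows PCs.
WINDOWS_HOSTS = Path(r"C:\Windows\System32\drivers\etc\hosts")


def parse_hosts(text: str):
    """Yield (line_number, ip_address, hostname) for every mapping in the file.

    Comments (anything after '#') and blank lines are skipped, and a line whose
    first token is not an IP address is ignored rather than treated as data."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        for name in parts[1:]:
            entries.append((lineno, ip, name.lower()))
    return entries


def suspicious_loopback_entries(text: str):
    """Names mapped to a loopback address that are not localhost aliases.

    Each such entry silently makes the name unreachable, which is exactly the
    blocking technique the article describes."""
    return [(lineno, str(ip), name)
            for lineno, ip, name in parse_hosts(text)
            if ip.is_loopback and name not in LOOPBACK_NAMES]


def clean_hosts(text: str) -> str:
    """Return the file text with the suspicious loopback lines removed.

    Every other line, including comments and legitimate static mappings,
    is preserved byte for byte so the file stays valid."""
    bad_lines = {lineno for lineno, _, _ in suspicious_loopback_entries(text)}
    kept = [line for n, line in enumerate(text.splitlines(), 1) if n not in bad_lines]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    # Use the real file when run on a Windows host, otherwise the constructed sample.
    text = WINDOWS_HOSTS.read_text() if WINDOWS_HOSTS.exists() else SAMPLE_HOSTS
    for lineno, ip, name in suspicious_loopback_entries(text):
        print(f"line {lineno}: {name} -> {ip}")
    # Write the cleaned text back yourself after reviewing the list; this
    # example deliberately only prints and does not modify the file.
    print("--- cleaned ---")
    print(clean_hosts(text), end="")
```

Note that the check is on the address class, not on a list of pirate-site names: a sample that pins different domains, or that uses `::1` instead of `127.0.0.1`, is caught by the same rule. On a managed fleet the same logic run from an EDR script gives a quick inventory of which hosts were hit.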
Brandt found some of the trojans lurking in software packages available on a Discord-hosted chat service. He found others masquerading as popular games, productivity tools, and security products available through BitTorrent.
There are other oddities. Many of the trojanized executables are digitally signed using a fake code-signing tool. The signatures contain a string of randomly generated 18-character uppercase and lowercase letters. The certificate validity began on the day the files became available and is set to expire in 2039. Additionally, the properties sheets of the executables don't align with the file name.
When viewed through a hex editor, the executables also contain a racial epithet that's repeated more than 1,000 times followed by a large, randomly sized block of alphabetical characters.
“Padding out the archive with purposeless files of random length may simply be done to modify the archive’s hash value,” Brandt wrote. “Padding it out with racist slurs told me all I needed to know about its creator.”
Vigilante has no persistence mechanism, meaning it has no way to remain installed. That means people who have been infected need only edit their Hosts file to be disinfected. SophosLabs provides indicators of compromise here.