Posted on June 20, 2021 at 11:49 AM
Sophos Researchers Detect Rare Malware that Blocks Piracy Services
SophosLabs has detected a unique malware from the other types of malware that have been discovered before. The malware does not phish for password and personal details from the affected device. Interestingly, it blocks the user’s device from accessing various websites that offer piracy services. It modifies the HOSTS file on the user’s device.
In addition, the malware downloaded and delivered a second malware payload dubbed ProcessHacker.jpg.
Preventing Websites from Reaching a Web Address
One of the most effective ways that threat actors can prevent a user from accessing a web address is by altering the HOSTS file. However, the method is shrewd because it requires malware that offers zero persistence. Any user can deduct the entries after adding the HOSTS file, and they will remain in that state.
SophosLabs did not fully identify the provenance for the malware. However, its objective is to bar people from visiting software piracy websites for a temporary duration. It also identifies the name of the pirated software the user wanted to use, sends it and launches a secondary payload.
Masquerading as Popular Games
The malware also disguises itself as a fake copy of a pirated game. According to the SophosLabs analysis, “at least some of the malware, disguised as pirated copies of a wide variety of software packages, was hosted on game chat service Discord. Other copies distributed through BitTorrent were also named after popular games, productivity tools, and even security products, accompanied by additional files … that make it appear to have originated with a well-known file-sharing account on ThePirateBay.”
As soon as the malware has been downloaded, it sends two HTTP GET requests to a domain that is now inactive. After the first request, a second payload is launched, known as ‘ProcessHacker.jpg.’ The second payload has a kill-switch that prevents malware from running on various files.
According to the SophosLabs report, the second request implements a ‘query string to send the filename of the executable that was run to the website’s operators.” This request enables the threat actors to find out the files that users were hoping to pirate. However, the analysis states that the server where the HTTP GET requests were transferred was no longer responsive and did not have a DNS record.
In addition, most of the malware executables were digitally signed using a bogus signer. This was to help it bypass checks on whether the file was signed and thus evade scrutiny. The signage name on the files contained 18 characters with upper-case letters. The validity of the certificates under each file is set to expire on December 31, 2039.
The filename of the malware has also been configured because it is not the same as what the property sheets of the malware executables have stated. The majority of the files contained properties that identified them as installation packages for licensed games, but the files contained different names in the description field. The files were named ‘BitLocker Drive Encryption’ or ‘Microsoft Office Multi-Msi ActiveDirectory Deployment Tool.’
Sophos notes that the disparity between the filenames and the property sheets did not seem to concern the malware creators.
How the Malware Works
According to the report, the process of executing the malware on the user’s device is brief. When a user double-clicks on the executable, it creates an error message that reads, “The program can’t start because MSVCR100.dll is missing from your computer. Try reinstalling the program to fix this problem.”
When the malware is executed, it runs a few things. First, it checks whether it can create an outbound network connection and connect a URI on the domain 1flchire[.]com.
Sophos has created endpoint products that identify the malware using its unique runtime packer, similar to what is used by another malware known as Qbot.
In addition, the report gives users guidelines on how they can clean up the malware from their devices if they have already been infected. To do this, the user needs to execute a copy of Notepad elevated and modify the file.
The user needs to execute the copy of Notepad elevated as an administrator and alter the file details at c:\Windows\System32\Drivers\etc\hosts. Afterwards, the user needs to take out all the lines that start with “127.0.0.1” and later reference the sites they wanted to use, such as ThePirateBay and other websites.