A unique malware campaign has been recently detected by Sophos where it targets users of pirated software.

Sophos research on unique malware campaign:

In what seems as vigilante malware, Sophos has found that the unique malware is architectured to block access to the websites that host pirated software.

According to Sophos, the malware masks itself as a cracked version of popular online games such as Minecraft or Among Us or other productivity applications and tools like Microsoft Office, security software, etc.

Subsequently, the malware is distributed using BitTorrent from an account hosted on ThePirateBay. The links to it are also hosted on Discord.

Once the malware manages to install, it blocks access to a rather lengthy list of websites, including several that distribute pirated software.

Also read,

Fake DarkSide Ransomware Targets Food And Energy Sectors

Sophos singular observations of the supposed vigilante malware:

Certain peculiar aspects or observations of the malware campaign that were found are:

  • The attackers are using an old approach of modifying the HOSTS file settings on an infected device to localhost a long list of websites, blocking the users access to them. This approach is fairly easy to reverse, and Sophos researchers are unsure why the attackers used it.
  • Some, of the many hundreds of sites that are being localhosted by the malware, are unrelated to pirated software and some were shut down or became inactive in or around 2012/2013.
  • The malicious files are compiled for 64-bit Windows 10 and then signed with false digital certificates that wouldn’t pass more than a rudimentary check.
  • Once downloaded and installed by a user, the malware searches for files named 7686789678967896789678 and 412412512512512. If it finds them, it stops any further launch of the attack. Sophos believes this could be designed to prevent the malware operators from infecting their own computers while they work on the malicious code.
  • The malware also triggers a fake error message to appear when it runs, which asks people to reinstall the software. Sophos says this could be to dispel suspicion among users who question why the download they received didn’t contain the installers they were expecting.

What is the purpose?:

Security experts from Sophos are of the opinion that, unlike a typical malware campaign that tends to compromise victims and aims to extort money or profit off of it, this malware campaign is engaging in some sort of crudely-compiled anti-piracy vigilante operation.

“The attacker’s vast potential target audience from gamers to business professionals, combined with the curious mix of dated and new tools, techniques, and procedures, and the bizarre list of websites blocked by the malware, all make the ultimate purpose of this operation a bit murky,” states Sophos security researcher, Andrew Brandt. 

He also provided that there may not even be an overall aim to this attack. However, that doesn’t reduce the level of risk or the potential disruption for victims.