A Malware campaign has been uncovered that aims at blocking infected users’ from visiting a large number of websites dedicated to software piracy by modifying the HOSTS file on the infected system.
The vigilantes distribute the vigilante malware in archives disguised as a wide variety of software packages that were advertised through the Discord chat service and torrents. Campaign mostly targets gamers and professionals
The files discovered by the researchers use names like “Left 4 Dead 2 (v184.108.40.206 Last Stand + DLCs + MULTi19)” and “Minecraft 1.5.2 Cracked [Full Installer][Online][Server List]” which were used to attract the attention of users searching for pirated software.
The files that appear to be hosted on Discord’s file sharing tend to be lone executable files. The ones distributed through BitTorrent have been packaged in a way that more closely resembles how pirated software is typically shared using that protocol.Upon clicking on the executable, a message pop-up is displayed to the victim to inform them that a .DLL file is missing from their computer.
The malware fetches the next stage payload, named ProcessHacker.jpg, from an external domain. The malicious code modifies the HOSTS file on the target machine in a way to block a few hundred to over 1,000 websites, most of which provide piracy-related content.
“Users who have inadvertently run one of these files can clean up their HOSTS file manually, by running a copy of Notepad elevated (as administrator), and modifying the file at c:\Windows\System32\Drivers\etc\hosts to remove all the lines that begin with “127.0.0.1” and reference the various ThePirateBay ” in some cases host file not able to be modified by the malware due to adminstrator issue.