After luring people to download ‘cracked’ versions of games and productivity software, the malware blocks access to pirate-software sites.

In a curious case of vigilante malware, cyber attackers have been detected blocking access to websites hosting pirated software.

The attackers disguise the malware as cracked versions of popular online games such as Minecraft and Among Us, as well as productivity tools such as Microsoft Office, security software and others.

The disguised malware is distributed via the BitTorrent platform from an account hosted on the ‘ThePirateBay’ website. Links to the malware are also hosted on Discord. Once installed, the malware blocks the victim’s access to a long list of websites, including many that distribute pirated software.

Puzzling mix of features
According to the cybersecurity solutions firm that announced this—Sophos—several unusual aspects of this campaign include:

  • The use of an age-old approach of modifying the HOSTS file settings on an infected device to block the user’s access to a long list of websites them. This approach is fairly easy to reverse and researchers are unsure why the attackers used it.
  • Some of the many hundreds of sites that are being ‘localhosted’ by the malware are unrelated to pirated software and some have already been shut down or inactive in or around 2012/2013.
  • The malicious files are compiled for 64-bit Windows 10 and then signed with bogus digital certificates that would not pass more than a very rudimentary check.
  • Once downloaded and installed by a user, the malware hunts for files named 7686789678967896789678 and 412412512512512. If it finds them it stops any further launch of the attack. Sophos researchers believe this could be designed to prevent the malware operators from infecting their own computers while they work on the malicious code.
  • The malware also triggers a fake error message to appear when it runs, which asks people to re-install the software. Sophos researchers believe this could be to allay suspicion among users who wonder why the program they received did not contain the installers they were expecting.

Said Andrew Brandt, Principal Threat Researcher: “Sometimes it is easy to see clearly what an adversary’s end game is and why they have chosen a particular approach to achieve it. This is not one of those times. On the face of it, the adversary’s targets and tools suggest this could be some kind of crudely-compiled anti-piracy vigilante operation. However, the attacker’svast potential target audience—from gamers to business professionals—combined with the curious mix of dated and new tools, techniques and procedures, and the bizarre list of websites blocked by the malware, all make the ultimate purpose of this operation a bit murky.”

Brandt suspects that there may not even be an overall purpose to this attack at all. However, that does not reduce the level of risk or the potential disruption for victims: “Install a robust security solution that will spot such scams before they reach you, and avoid downloading pirated software or anything offering you too-good-to-be true ‘legitimate’ software.”