Researchers have admitted they’re baffled by a new piece of malware primarily designed to prevent victims from visiting software piracy sites.
Sophos principal researcher, Andrew Brandt, branded the discovery “one of the strangest cases I’ve seen in a while.”
It’s hidden in pirated copies of various software, including security products, and distributed on game chat service Discord and through BitTorrent. Once double-clicked, it works by flashing up a bogus error message on the victim’s screen while executing.
The malware apparently blocks infected users from visiting a large number of piracy sites by modifying the HOSTS file on their systems. Brandt described this as a “crude but effective” strategy — crude because although it works, the malware has no persistence mechanism.
This means that anyone can remove the HOSTS file entries, and they stay removed unless the program is run a second time. Bizarrely, Brandt claimed to have discovered a malware family that behaved almost identically more than a decade ago.
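As an added example (not code from the article or from Sophos), the following Python audit flags HOSTS entries that map a non-localhost name to a loopback or 0.0.0.0 address, the pattern this malware relies on, and produces a cleaned copy for remediation; the sample file content and the domain names in it are constructed placeholders, not the sites the malware actually blocks.

```python
# Added example: audit a HOSTS file for sinkhole-style entries (name -> loopback
# or 0.0.0.0) and return a cleaned copy with those lines removed.
# SAMPLE_HOSTS below is constructed; the domain names are placeholders.
import ipaddress

# Names a stock HOSTS file may legitimately point at loopback.
EXPECTED_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

def is_sinkhole(address):
    """True if address is loopback (127.x, ::1) or unspecified (0.0.0.0, ::)."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified

def audit_hosts(text):
    """Return (suspicious, cleaned).

    suspicious: list of (line_number, address, hostname) for lines that map a
    non-localhost name to a sinkhole address.
    cleaned: the file lines with those entries dropped; comments and normal
    mappings are kept unchanged.
    """
    suspicious, cleaned = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()   # strip trailing comment
        if len(fields) < 2:
            cleaned.append(raw)                  # blank or comment-only line
            continue
        address, names = fields[0], fields[1:]
        flagged = [n for n in names
                   if is_sinkhole(address) and n.lower() not in EXPECTED_NAMES]
        if flagged:
            suspicious.extend((lineno, address, n) for n in flagged)
        else:
            cleaned.append(raw)
    return suspicious, cleaned

SAMPLE_HOSTS = """# Constructed sample, not a real HOSTS file
127.0.0.1       localhost
::1             localhost
10.0.0.5        intranet.corp.example     # legitimate internal mapping
127.0.0.1       blocked-site-one.example  # sinkhole entry added by malware
0.0.0.0         blocked-site-two.example
"""

if __name__ == "__main__":
    found, cleaned = audit_hosts(SAMPLE_HOSTS)
    for lineno, addr, name in found:
        print(f"line {lineno}: {addr} -> {name}")
    print("\n".join(cleaned))
```

Run against a real system, read `C:\Windows\System32\drivers\etc\hosts` (or `/etc/hosts`) into `audit_hosts` and review the flagged lines before writing the cleaned copy back.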
The malware also downloads and executes a second payload, an executable named “ProcessHacker.jpg.”
It’s detected by Sophos as Mal/EncPk-APV.
Brandt said that the malware developer’s end game is still a mystery.
“On the face of it, the adversary’s targets and tools suggest this could be some kind of crudely compiled anti-piracy vigilante operation. However, the attacker’s vast potential target audience — from gamers to business professionals — combined with the curious mix of dated and new tools, techniques and procedures (TTPs) and the bizarre list of websites blocked by the malware, all make the ultimate purpose of this operation a bit murky,” he added.
“There may not even be an overall purpose to this attack at all. However, that doesn’t reduce the level of risk or the potential disruption for victims.”
Brandt urged users to install a robust security solution to spot such threats and avoid downloading pirated or “too good to be true” software.