Weird Malware Blocks Victims from Accessing Pirated Software Sites

Security researchers with Sophos recently tracked and documented one of the most unusual malware campaigns in a very long time. This weird new malware is not trying to scrape all your login information from your browser, nor is it trying to scramble your files and ask for bitcoin ransom. All that the new malware does is block the victim's system from accessing software piracy websites.

About a decade ago, Sophos ran into malware that was "nearly identical" in terms of functionality. The new malware is quite humble in its abilities, but also efficient in its simplicity.

Even though it has no persistence mechanisms, the malware modifies the Windows HOSTS file, a local lookup table that maps domain names to specific IP addresses before DNS is consulted. The malware inserts anywhere from a hundred to a thousand domains associated with piracy websites and remaps them all to point to 127.0.0.1, the localhost address. This effectively prevents the user from accessing those domains from a browser.

The malware has no additional functionality to re-add the HOSTS file entries, so if a user figures out what is going on and edits the file manually, access is restored until they run the malware one more time.

The distribution methods outlined in the research include Discord servers that carry alleged pirated copies of software and games. Additionally, torrent websites commonly used to redistribute pirated software carried the same malware payload, packaged into torrent files named after very popular downloads and highly sought-after media.

Once the malware deploys and modifies the HOSTS file, it also attempts an outbound connection to a domain named 1flchier dor com. If the connection succeeds, an additional payload is obtained. The payload is usually called ProcessHacker.jpg and is really an executable file that performs a number of extra steps to stop the victim system from executing and accessing pirated software.

Manual cleanup of systems that have been affected by the malware is relatively easy. Opening the HOSTS file in a plain text editor and removing all the lines that redirect various domains to 127.0.0.1 (localhost) is enough to clear things up.
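The HOSTS-file behaviour described above lends itself to a simple audit: any line that points a hostname other than the stock loopback names at 127.0.0.1 is almost certainly a sinkhole entry and can be flagged and dropped. The script below is an added example for this article, not Sophos' or Cyclonis' code; its HOSTS content is constructed with made-up `.test` domains, and it generalizes slightly from the article by also treating `::1` and `0.0.0.0` as sinkhole targets.

```python
from typing import List, Tuple

# Hostnames that Windows itself legitimately points at the loopback address.
LEGIT_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
# Addresses used to blackhole a name (the article only mentions 127.0.0.1).
LOOPBACK_ADDRS = {"127.0.0.1", "::1", "0.0.0.0"}

# Constructed sample HOSTS file: stock header comments, a legitimate localhost
# line, one ordinary admin entry, and a run of sinkholed made-up domains.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#	127.0.0.1       localhost
#	::1             localhost
127.0.0.1       localhost
192.168.1.10    fileserver.corp.example   # legitimate admin entry
127.0.0.1 example-torrents.test
127.0.0.1 warez-mirror.test   crack-site.test
127.0.0.1	keygen-downloads.test
"""

def audit_hosts(text: str) -> Tuple[List[str], str]:
    """Return (sinkholed_domains, cleaned_text).

    A line counts as a sinkhole entry when it maps hostnames to a loopback or
    blackhole address and at least one of those names is not a stock loopback
    name. Such lines are dropped from the cleaned text; comments, blank lines
    and ordinary entries are kept exactly as they were.
    """
    flagged: List[str] = []
    kept: List[str] = []
    for line in text.splitlines(keepends=True):
        body = line.split("#", 1)[0].strip()   # ignore comments
        fields = body.split()                   # tabs or spaces
        if len(fields) >= 2 and fields[0] in LOOPBACK_ADDRS:
            names = [n.lower() for n in fields[1:]]
            suspicious = [n for n in names if n not in LEGIT_LOOPBACK_NAMES]
            if suspicious:
                flagged.extend(suspicious)
                continue                        # drop the sinkhole line
        kept.append(line)
    return flagged, "".join(kept)

if __name__ == "__main__":
    domains, cleaned = audit_hosts(SAMPLE_HOSTS)
    print(f"{len(domains)} sinkholed domain(s): {domains}")
    print(cleaned, end="")
```

On a real system the content would be read from `%SystemRoot%\System32\drivers\etc\hosts` with administrator rights; the function is kept pure so the result can be reviewed before anything is written back.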

There is no clear evidence of this new malware being related to an established larger family. All that Sophos managed to detect was that the piracy-blocking malware was created using the same packer used in the Qbot family of malware. The two are, however, not related in any other meaningful way.

June 21, 2021