A new Batman is willing the streets into order, but the only people who frequent these particular virtual streets are those who download pirated apps, games, and software. A new malware, dubbed ‘Vigilante’, has set out on a digital crusade against pirating websites and their patrons.
Most malware installs trojans, viruses, backdoors and the like to steal valuable information or to hold data to ransom. The Vigilante malware, by contrast, is hunting down Internet users who acquire software illegally.
New malware is attempting to prevent access to ‘Warez’ websites:
SophosLabs Principal Researcher Andrew Brandt has dubbed the new malware ‘Vigilante’. This new “virus” installs itself when victims download and run, open, or launch what they assume is pirated software or games.
Once installed, the malware reports the name of the file that granted it entry to the victim’s computer to an attacker-controlled server, along with the victim’s IP address. If that’s not enough, the malware also modifies key files on the target PC to prevent access to popular websites that offer pirated software.
But not in this case. These samples really only did a few things, none of which fit the typical motive for malware criminals.
For one thing, they modify the HOSTS file on the PC to add entries. A lot of entries.
They had a common theme.
— Accountability Brandt (@threatresearch) June 17, 2021
In addition to preventing access to websites that allow downloading pirated apps, the malware is also going after Internet users who regularly access pirated TV shows.
NEW: Vigilante malware rats out software pirates while blocking ThePirateBay
A collection of malware samples revives a decade-old HOSTS modification trick to block hundreds of websites…
(a thread) 1/12
— SophosLabs (@SophosLabs) June 17, 2021
Speaking about the new malware, Brandt said: “The malware’s motivation seemed pretty clear. It prevents people from visiting software piracy websites (if only temporarily)”.
The malware does not have an official name yet. SophosLabs has dubbed it ‘Vigilante’ owing to the seemingly noble crusade it is on.
How does the ‘Vigilante’ malware work?
The virus traps unsuspecting victims by hiding in a number of fake software packages. Pirated or free versions of “popular games, productivity tools, and even security products” are popular choices.
After successfully infecting a computer, the malware blocks the user from visiting a list of websites. The majority of these websites are related to torrenting.
There seem to be hundreds of different software brands represented by the filenames found in a search on VirusTotal for related samples.
The files that appear to be hosted on Discord’s file sharing tend to be lone executable files. 9/12
— SophosLabs (@SophosLabs) June 17, 2021
The malware’s methodology to dissuade access to Warez websites is rather simple. The Vigilante malware hijacks the computer’s HOSTS file.
Sophos endpoint products detect this threat by its unique runtime packer, which is the same as used by an unrelated malware family, Qbot, as Mal/EncPk-APV.
SophosLabs has published IOCs relating to this article, including file hashes, to the SophosLabs Github. 11/12
— SophosLabs (@SophosLabs) June 17, 2021
The HOSTS file is found on every Windows PC. It is a plaintext file that maps hostnames to IP addresses, and the system consults it before asking DNS, so an entry there overrides the address a domain would normally resolve to. By editing the file, users can stop their devices from connecting to certain domains.
Read the full story from @threatresearch: https://t.co/ouum4Eg3HF
The labs thank Senior Manager for Threat Research Richard Cohen for his eagle eye finding this oddball malware.
12/12
— SophosLabs (@SophosLabs) June 17, 2021
The malware reportedly pairs all of the Warez websites with 127.0.0.1, a special-purpose IP address often called the localhost or loopback address. Simply put, a victim attempting to visit such a website is looped back to their own machine.
Needless to say, there is a very simple way to undo the actions of the Vigilante malware: removing all the HOSTS entries that point to 127.0.0.1 should do the trick.
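As an added example (not code from Sophos or from the article), the following Python check parses HOSTS-file content, flags any hostname other than the stock local names that is pointed at the loopback address described above (it also catches 0.0.0.0, the other common sinkhole address, which the article does not mention), and produces a cleaned copy that keeps every other line and comment intact. The sample HOSTS content, hostnames and comments are constructed for the example.

```python
import ipaddress

# Names a stock HOSTS file legitimately points at loopback; anything else aimed there is suspect.
STOCK_LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback", "broadcasthost"}

# Constructed sample HOSTS content: stock lines, one intranet entry, three planted sinkhole lines.
SAMPLE_HOSTS = """\
# Default Windows HOSTS header (constructed sample, not taken from a real machine)
127.0.0.1       localhost
::1             localhost ip6-localhost
192.168.1.20    fileserver.corp.example   # legitimate intranet entry
127.0.0.1\tpiracy-site.example www.piracy-site.example
127.0.0.1 torrents.example   # planted by the trojanised installer
0.0.0.0 another-blocked.example
"""


def find_sinkholed(text):
    """Return (line_no, address, hostname) for every non-stock name mapped to a sinkhole address.

    Loopback (127.0.0.1 / ::1) is what the article describes; 0.0.0.0 is the other common sinkhole."""
    hits = []
    for n, raw in enumerate(text.splitlines(), 1):
        parts = raw.partition("#")[0].split()  # strip trailing comment, tolerate tabs and spaces
        if len(parts) < 2:
            continue  # blank, comment-only or malformed line
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        if addr.is_loopback or addr.is_unspecified:
            hits.extend((n, parts[0], h) for h in parts[1:] if h.lower() not in STOCK_LOCAL_NAMES)
    return hits


def cleaned_hosts(text):
    """Return the file with planted names removed; stock names, other lines and comments are kept."""
    bad = {}
    for n, _, name in find_sinkholed(text):
        bad.setdefault(n, set()).add(name)
    out = []
    for n, raw in enumerate(text.splitlines(), 1):
        if n not in bad:
            out.append(raw)
            continue
        code, _, comment = raw.partition("#")
        parts = code.split()
        keep = parts[:1] + [h for h in parts[1:] if h not in bad[n]]
        if len(keep) > 1:  # only the address is left: drop the whole line
            out.append(" ".join(keep) + (" #" + comment if comment else ""))
    return "\n".join(out) + "\n"
```

On a Windows machine the file to read is %SystemRoot%\System32\drivers\etc\hosts, and writing the cleaned copy back requires an elevated prompt.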