A researcher has turned up one of the most unusual finds in the annals of malware: booby-trapped files that rat out the people who download them and then try to block further downloads of pirated content. The files circulate on sites frequented by software pirates.
Vigilante, as Andrew Brandt, lead researcher at SophosLabs, calls the malware, is installed when victims download and run what they believe to be pirated software or games. Behind the scenes, the malware reports the name of the executed file to an attacker-controlled server, along with the victim's IP address. As a finishing touch, Vigilante modifies the victim's computer so that it can no longer reach thepiratebay.com and as many as 1,000 other piracy-related sites.
Not your typical malware
“It’s really unusual to see something like that, because there’s normally only one motive behind most malware: stealing things,” Brandt wrote on Twitter. “Whether that’s passwords, or keystrokes, or cookies, or intellectual property, or access, or even CPU cycles to mine cryptocurrency, theft is the motive. But not in this case. These samples really only did a few things, none of which fit the typical malware criminal’s motive.
“For starters, they modify the HOSTS file on the PC to add items. Lots of entries. They had a common theme.”
— Andrew 🌻 Brandt (@threaresearch) June 17, 2021
Once a victim runs the trojanized file, the file name and the victim's IP address are sent in an HTTP GET request to the attacker-controlled domain 1flchier[.]com, a look-alike of the cloud storage provider 1fichier (the third character of the bogus domain is a lowercase L rather than an I). The malware inside the files is otherwise mostly identical; the main difference is the file name each sample reports in its web request.
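One way to catch that beacon at the network edge, as an added example that is not from the article or from Sophos: the script below scans web-proxy log lines for requests to domains that imitate a watched brand once confusable glyphs (lowercase L, digit one, I) are folded together, which is exactly the trick 1flchier[.]com plays on 1fichier. The log format, the `WATCHED_DOMAINS` set and the query-string parameter name are assumptions; the article only says that the file name and IP address travel in an HTTP GET, and the log lines are constructed.

```python
"""Flag HTTP requests to look-alike domains in web-proxy logs.

Added example; not Sophos's code. The log lines below are constructed.
"""
import re
from urllib.parse import urlparse

# Assumption: the legitimate domains an organisation wants to protect.
WATCHED_DOMAINS = {"1fichier.com"}

# Glyphs that are easy to confuse in common fonts are folded to one form before
# comparing, so "1flchier" (digit one, lowercase L) collides with "1fichier".
CONFUSABLES = str.maketrans({"l": "i", "1": "i", "|": "i", "0": "o"})


def fold(label: str) -> str:
    return label.lower().translate(CONFUSABLES)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def registered_domain(host: str) -> str:
    """Crude eTLD+1: the last two labels. Fine for the .com-style names used here."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def lookalike_of(host: str, watched=WATCHED_DOMAINS):
    """Return the watched brand that `host` imitates, or None."""
    reg = registered_domain(host)
    if reg in watched:
        return None                      # the genuine site, not a look-alike
    for brand in watched:
        if levenshtein(fold(reg), fold(brand)) <= 1:
            return brand
    return None


# Assumed log shape: "<timestamp> <client-ip> <method> <url> <status>".
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(GET|POST)\s+(\S+)")


def scan_log(lines, watched=WATCHED_DOMAINS):
    """Return one record per request whose host imitates a watched brand."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, client, _method, url = m.groups()
        host = urlparse(url).hostname or ""
        brand = lookalike_of(host, watched)
        if brand:
            hits.append({"time": ts, "client": client, "host": host,
                         "imitates": brand, "url": url})
    return hits


# Constructed sample. The "f=" parameter is an assumption; the article only
# says the executed file name is sent in an HTTP GET request.
SAMPLE_LOG = [
    "2021-06-17T10:00:01Z 192.0.2.10 GET http://1fichier.com/?abcd1234 200",
    "2021-06-17T10:00:07Z 192.0.2.10 GET http://1flchier.com/?f=Game_Setup.exe 200",
    "2021-06-17T10:01:13Z 192.0.2.11 GET http://www.1fichler.com/dl 200",
    "2021-06-17T10:02:00Z 192.0.2.12 GET https://www.example.com/ 200",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['time']} {hit['client']} -> {hit['host']} "
              f"(imitates {hit['imitates']}): {hit['url']}")
```

The genuine 1fichier.com request is left alone, while both the article's 1flchier variant and a second constructed swap (1fichler) fold to the same string as the brand and are reported with the client address that made them.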
Vigilante then updates a file on the infected computer so that it can no longer connect to The Pirate Bay and other Internet destinations known to be used by people who trade pirated software. Specifically, the malware appends entries to the hosts file, a plain-text file that maps hostnames to IP addresses and that the operating system consults before querying DNS. The malware maps thepiratebay.com to 127.0.0.1, the loopback address that a computer uses to refer to itself.
By pointing the domains at the local host, the malware prevents the computer from reaching the sites: every lookup for them resolves to the machine itself, where nothing is listening. The block stays in place until someone edits the hosts file to remove the entries.
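How those entries look, and how to triage them, as an added example that is not part of the article or of Sophos's tooling: the script parses a hosts file, flags every entry that pins a public-looking name to a loopback or unspecified address, and returns a cleaned copy with only those lines removed. The sample hosts content is constructed (the article names thepiratebay.com but not the rest of the list), and the `BENIGN_LOCAL_NAMES` set is an assumption to extend for your own environment.

```python
"""Triage a hosts file for entries that sinkhole public names to loopback.

Added example; not Sophos's tooling. The sample hosts content is constructed.
"""
import ipaddress
import sys

# Names that legitimately resolve to loopback. Assumption: extend as needed.
BENIGN_LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
                      "ip6-localhost", "ip6-loopback"}


def parse_hosts(text):
    """Return one dict per address line: lineno, ip, names, raw line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not body:
            continue
        parts = body.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                               # malformed; leave it alone
        entries.append({"lineno": lineno, "ip": ip, "names": parts[1:], "raw": raw})
    return entries


def is_sinkholed(entry):
    """True when a public-looking name is pinned to 127.0.0.1, ::1 or 0.0.0.0."""
    ip = entry["ip"]
    if not (ip.is_loopback or ip.is_unspecified):
        return False
    # A dotted name that is not a known local alias has no business at loopback.
    return any("." in n and n.lower() not in BENIGN_LOCAL_NAMES
               for n in entry["names"])


def clean_hosts(text):
    """Return (cleaned_text, removed_lines); every other line is kept verbatim."""
    bad = {e["lineno"] for e in parse_hosts(text) if is_sinkholed(e)}
    kept, removed = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        (removed if lineno in bad else kept).append(raw)
    return "\n".join(kept) + "\n", removed


# Constructed sample in the shape of a Windows hosts file after infection.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
127.0.0.1       localhost
::1             localhost
# --- constructed trojan additions; the real list runs to about 1,000 names ---
127.0.0.1 thepiratebay.com
127.0.0.1 www.thepiratebay.com
127.0.0.1 torrents.example
0.0.0.0 warez.example.net
"""

if __name__ == "__main__":
    # Usage: python hosts_triage.py [path-to-hosts]; defaults to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    cleaned, removed = clean_hosts(text)
    print(f"{len(removed)} sinkholed entries:")
    for line in removed:
        print("   ", line)
    sys.stdout.write("--- cleaned ---\n" + cleaned)
```

On Windows the file lives at C:\Windows\System32\drivers\etc\hosts and needs an elevated editor to change; on Linux and macOS it is /etc/hosts. Review the flagged lines before writing the cleaned copy back, because ad blockers and corporate hardening scripts use the same loopback trick on purpose.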
Brandt found some of the trojans lurking in software packages offered on Discord. He found others masquerading as popular games, productivity tools, and security products distributed over BitTorrent.
There are other quirks. Many of the trojanized executables are digitally signed using a fake code-signing tool. The signatures contain a randomly generated string of 18 upper- and lower-case letters. The certificate's validity period begins on the day the files became available and expires in 2039. In addition, the properties sheet of each executable does not match its file name.
Viewed in a hex editor, the executables also contain a racial epithet repeated more than 1,000 times, followed by a large block of arbitrary alphabetic characters.
“Filling the archive with arbitrary-length aimless files can be done simply to change the archive’s hash value,” Brandt wrote. “Filling it up with racist statements told me everything I needed to know about its creator.”
Vigilante has no persistence mechanism, meaning it does nothing to keep itself installed or to run again after the trojanized file exits. Infected users therefore only need to edit their hosts file to be disinfected. SophosLabs has published indicators of compromise for the samples.