A researcher has uncovered one of the more unusual finds in the annals of malware: booby-trapped files that rat out downloaders and try to prevent unauthorized downloading in the future. The files are available on sites frequented by software pirates.
Vigilante, as SophosLabs Principal Researcher Andrew Brandt is calling the malware, gets installed when victims download and execute what they think is pirated software or games. Behind the scenes, the malware reports the file name that was executed to an attacker-controlled server, along with the IP address of the victims’ computers. As a finishing touch, Vigilante tries to modify the victims’ computers so they can no longer access thepiratebay.com and as many as 1,000 other pirate sites.
Not your typical malware
“It’s really unusual to see something like this because there’s normally just one motive behind most malware: stealing stuff,” Brandt wrote on Twitter. “Whether that’s passwords, or keystrokes, or cookies, or intellectual property, or access, or even CPU cycles to mine cryptocurrency, theft is the motive. But not in this case. These samples really only did a few things, none of which fit the typical motive for malware criminals.”
Once victims have executed the trojanized file, the file name and IP address are sent in the form of an HTTP GET request to the attacker-controlled 1flchier[.]com, which can easily be confused with the cloud-storage provider 1fichier (the former is spelled with an L as the third character in the name instead of an I). The malware in the files is largely identical except for the file names it generates in the web requests.
Vigilante goes on to update a file on the infected computer that prevents it from connecting to The Pirate Bay and other Internet destinations known to be used by people trading pirated software. Specifically, the malware updates Hosts, a file that pairs one or more domain addresses to distinct IP addresses. As the image below shows, the malware pairs thepiratebay.com to 127.0.0.1, a special-purpose IP address, often called the localhost or loopback address, that computers use to identify their real IP address to other systems.
By mapping the domains to the local host, the malware ensures that the computer can no longer access the sites. The only way to reverse the blocking is to edit the Hosts file to remove the entries.
Brandt found some of the trojans lurking in software packages available on a Discord-hosted chat service. He found others masquerading as popular games, productivity tools, and security products available through BitTorrent.
There are other oddities. Many of the trojanized executables are digitally signed using a fake code signing tool. The signatures contain a string of randomly generated 18-character uppercase and lowercase letters. The certificate validity began on the day the files became available and is set to expire in 2039. Additionally, the properties sheets of the executables don’t align with the file name.
When viewed through a hex editor, the executables also contain a racial epithet that’s repeated more than 1,000 times followed by a large, randomly sized block of alphabetical characters.
“Padding out the archive with purposeless files of random length may simply be done to modify the archive’s hash value,” Brandt wrote. “Padding it out with racist slurs told me all I needed to know about its creator.”
Vigilante has no persistence method, meaning it has no way to remain installed. That means people who have been infected need only to edit their Hosts file to be disinfected. SophosLabs provides indicators of compromise here.