This new malware isn’t what we expect to find in malware. It doesn’t look to steal your data or make money; it looks to prevent infected computers from visiting software piracy sites. Dubbed the “Vigilante Malware,” it modifies the HOSTS file of the infected system.
Identifying the Vigilante Malware
SophosLabs researcher Andrew Brandt wrote an article describing how his group identified the Vigilante Malware and how it works. Along with modifying the HOSTS file, it also downloads a second piece: the ProcessHacker executable.
A website can be blocked by modifying the HOSTS file. Unlike other malware, the goal is not to infect the computer on an ongoing basis. It can be removed and won’t reinfect unless the program is run again.
The infected computers are prevented from visiting software piracy sites. The name of the software the user was after is sent to another website, and a second payload is delivered. This adds hundreds of web domains to the HOSTS file.
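The HOSTS tampering described above is easy to check for from the defender's side: a stock Windows HOSTS file maps almost nothing to loopback apart from localhost, so a burst of hostnames pointed at 127.0.0.1 or 0.0.0.0 stands out. The following is an added example, not code from the Sophos write-up; the sample HOSTS contents and the `blocked-site-NNN.example` names are constructed, and the threshold of 20 is an assumption.

```python
"""Flag bulk sinkhole entries in a Windows HOSTS file (added detection example)."""
import ipaddress

# Addresses that make a name resolve nowhere useful (loopback / null route).
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1", "::"}
# Names Windows legitimately maps to loopback; never treat these as tampering.
BENIGN_LOCAL = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Return (ip, hostname) pairs from HOSTS text, ignoring comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop inline comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = str(ipaddress.ip_address(parts[0]))  # normalise, reject malformed lines
        except ValueError:
            continue
        entries.extend((ip, host.lower()) for host in parts[1:])
    return entries


def suspicious_sinkholes(text):
    """Hostnames pointed at a sinkhole address that are not benign local names."""
    return sorted({host for ip, host in parse_hosts(text)
                   if ip in SINKHOLE_ADDRS and host not in BENIGN_LOCAL})


def assess(text, threshold=20):
    """Summarise a HOSTS file; a stock Windows HOSTS has zero such entries,
    so a count at or above `threshold` (assumed value) is a strong tampering signal."""
    flagged = suspicious_sinkholes(text)
    return {"sinkholed": len(flagged),
            "tampered": len(flagged) >= threshold,
            "sample": flagged[:5]}


# Constructed sample: a normal-looking file with 25 appended sinkhole lines.
SAMPLE_HOSTS = (
    "# Constructed HOSTS file for the example\n"
    "127.0.0.1 localhost\n"
    "::1 localhost\n"
    "192.168.1.10 printer.lan  # local printer, legitimate\n"
    + "".join(f"127.0.0.1 blocked-site-{i:03d}.example\n" for i in range(25))
)

if __name__ == "__main__":
    print(assess(SAMPLE_HOSTS))  # {'sinkholed': 25, 'tampered': True, 'sample': [...]}
```

On a live system, read `C:\Windows\System32\drivers\etc\hosts` and pass its contents to `assess`; a stock file returns a count of zero.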
Some copies of the Vigilante Malware were hosted on the Discord game chat service. Other copies were distributed over BitTorrent, named as popular games, productivity software and security software. It’s believed the malware originated on a ThePirateBay file-sharing account.
The files hosted on Discord appear to be single executable files, while the BitTorrent files are packaged with other files to resemble how pirated software is often shared.
Many of the executables were digitally signed with a fake code-signing certificate. The signer “name” is just a random string of 18 upper-case letters.
Brandt explained, “The properties sheets of the malware executables don’t align with what the filename of the malware makes it appear to be. Most of the files represented themselves as being installers for full-featured, licensed copies of games or productivity software, but many of the actual files have completely different names in the File Description field, such as ‘AVG remediation exe,’ ‘BitLocker Drive Encryption,’ or ‘Microsoft Office Multi-Msi ActiveDirectory Deployment Tool.’”
What the Vigilante Malware Does
When the Vigilante Malware is double-clicked, it displays a fake error message that reads: “The program can’t start because MSVCR100.dll is missing from your computer. Try installing the program to fix the problem.”
Brandt wrote of his experience with the malware, “Using Process Monitor, I was able to determine that it never even queries the Windows API for this file. To call the malware’s bluff, I dropped a valid copy of this older DLL (that checks out) into the folder with the program itself, but the bogus dialog appears anyway.”
Upon execution, the malware checks whether it can make an outbound network connection. It tries to contact a URI on the 1flchier-dot-com domain.
The three files bundled with the installer are useless and seem to be included only to give the appearance of a typical BitTorrent-shared package. A “data.dat” file is a JPEG image of a pine forest. Another file, anywhere between 90 KB and more than 200 KB in size, consists mostly of “gibberish data with a randomized filename and the file suffix .nfo.”
The first 1150 bytes of the .nfo file contain garbage data, followed by a nonprintable character that hides everything after it when the file is viewed in a text editor. The file also contains a racial epithet repeated 1000 times; notably, Brandt said this alone told him all he needed to know about the creator of the Vigilante Malware.
The great thing about this malware is, of course, that if you don’t go looking for pirated software, you have nothing to worry about.