Bizarre Vigilante Malware Turns Tables On Pirates By Blocking Access To Cracked Software

Sophos researcher Andrew Brandt reported yesterday that the mysterious vigilante malware typically came packaged in fake games sent over Discord. However, it could also come bundled with productivity or security tools like "AVG Remediation" or "Microsoft Visual Studio Enterprise 2019." When the fake software is first run, it creates a fake popup saying a dynamically linked library (DLL) file is missing from the computer.
After this, the fake software checks to see if it can access the internet and a domain that it pulls a secondary malicious payload from. This payload then works to block pirating websites by modifying the HOSTS file on an infected system, provided it has elevated security privileges. Anywhere from 100 up to over 1000 domains can be added to the HOSTS file, which then gets pointed back to the localhost address, 127.0.0.1. Interestingly, this secondary malware has something of a kill switch built in where it looks for certain file names within the %PATH% folder. If it finds those, it stops execution and does not make any changes, perhaps protecting those who know about this but still pirate things.

The problem with detecting this malware is that the installers come bundled with random files like images, text files, and .nfo files which typically appear in other BitTorrent files. These .nfo files, however, are filled with garbage data, a racial slur repeated over 1000 times, and other random letters to potentially change the file's hash value. As Brandt explains, this is "one of the strangest cases," as the malware is not necessarily bad, save for the slurs that give us a glimpse into the person behind this. However, malware is still illegal under several U.S. laws, as is pirating. Whoever is behind this has some sort of moral compass, but it is not a very strong one. In any case, let us know what you think of this interesting malware example in the comments below.