This 'Vigilante Malware' Prevents People From Downloading Pirated Software

Warning, vigilante patrol

Malware is short for 'malicious software'. It maliciously alters a system's behavior, changing what the system should do, in order to benefit its creators.

Malware typically follows a familiar behavioral pattern: it infiltrates a system, steals information, creates backdoors, and so forth. It does this because it is usually designed by cyberattackers to cause damage.

This time, however, a piece of malware has been found that infects systems only to block infected users from visiting a large number of websites dedicated to software piracy. Nothing more.

This very unusual malware is distributed through software packages promoted on the Discord chat service, while other copies are distributed directly via torrents.

To entice people into downloading the malware-ridden software, its creators hide the malware inside copies of numerous software brands, including games, productivity tools, and cybersecurity solutions.

According to SophosLabs' Principal Researcher Andrew Brandt, the malware appears to target everyone from gamers to professionals who might not want to purchase a software license.

"The files that appear to be hosted on Discord's file-sharing tend to be lone executable files," explained Brandt, in a website post.

"The ones distributed through Bittorrent have been packaged in a way that more closely resembles how pirated software is typically shared using that protocol: added to a compressed file that also contains a text file and other ancillary files, as well as an old fashioned Internet Shortcut file."

If this malware comes as an executable file and is double-clicked, a message pops up saying that the victim is missing a crucial .dll file. While this message is displayed, the malware works in the background, fetching a secondary payload, dubbed 'ProcessHacker', from an external website.

The malware then runs this payload to modify the victim's HOSTS file, adding a list of anywhere from a few hundred to over a thousand web domains and pointing them at a localhost address.

This way, victims are unable to visit any of the listed websites.

"In one of the strangest cases I’ve seen in a while, one of my Labs colleagues recently told me about a malware campaign whose primary purpose appears to stray from the more common malware motives," explained Brandt.

"Instead of seeking to steal passwords or to extort a computer’s owner for ransom, this malware blocks infected users’ computers from being able to visit a large number of websites dedicated to software piracy by modifying the HOSTS file on the infected system."

Vigilante malware
A Process Monitor log shows a fake Among Us malware executable modifying the HOSTS files. (Credit: Sophos)

"On the face of it, the adversary's targets and tools suggest this could be some kind of crudely-compiled anti-piracy vigilante operation," Brandt commented. "However, the attacker's vast potential target audience -- from gamers to business professionals -- combined with the curious mix of dated and new tools, TTPs, and the bizarre list of websites blocked by the malware, all make the ultimate purpose of this operation a bit murky."

It should be noted, though, that on some modern computers modifying the HOSTS file requires an elevated permission prompt. If this prompt appears and the victim denies it, the malware won't be able to modify the HOSTS file.

"Modifying the HOSTS file is a crude but effective method to prevent a computer from being able to reach a web address," explained Sophos. "It's crude because, while it works, the malware has no persistence mechanism. Anyone can remove the entries after they've been added to the HOSTS file."

Again, this malware does not cause any direct security damage. It is simply a vigilante developer turning the tables on software pirates: distributing malware that stops them from reaching pirated-software sites in the future.

This means the malware is mostly an annoyance for people who like to download pirated software onto their systems.

One more thing: when the malware is installed, it connects to a remote host and sends data about the software that infected the user. The malware also sends a log containing the victim's IP address. At this time, it's unknown what the malware creator wants with this data.

Sophos said that victims can remove the malware's effect by simply running Notepad as administrator, opening c:\Windows\System32\Drivers\etc\hosts, and removing the added references.
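To make the HOSTS-file check and cleanup described above concrete, here is an added Python example (not Sophos' tooling or the article's own code): it parses HOSTS-file text, reports every hostname pointed at a loopback or null address other than the benign localhost names, and rebuilds the file without those entries. The sample file content and the domain names in it are constructed placeholders; on a real machine you would feed it the contents of the hosts file named above.

```python
import ipaddress

# Names legitimately mapped to loopback; any other name sent there is suspect.
BENIGN_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

def is_sinkhole_address(addr: str) -> bool:
    """True for loopback (127.0.0.0/8, ::1) or unspecified (0.0.0.0, ::) addresses."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified

def find_sinkholed_entries(hosts_text: str) -> list[tuple[int, str, str]]:
    """(line_number, address, hostname) for every non-benign name sent to loopback/null."""
    findings = []
    for lineno, raw in enumerate(hosts_text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # drop trailing comment, tokenize
        if len(fields) < 2 or not is_sinkhole_address(fields[0]):
            continue
        for name in fields[1:]:
            if name.lower() not in BENIGN_LOOPBACK_NAMES:
                findings.append((lineno, fields[0], name))
    return findings

def clean_hosts(hosts_text: str) -> str:
    """Rebuild the file without flagged names. A line that also carried a benign
    name (e.g. localhost) keeps that name; a fully flagged line is dropped."""
    flagged = {(lineno, name) for lineno, _, name in find_sinkholed_entries(hosts_text)}
    out = []
    for lineno, raw in enumerate(hosts_text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()
        keep = [n for n in fields[1:] if (lineno, n) not in flagged]
        if not fields or len(keep) == len(fields) - 1:  # untouched (incl. comment lines)
            out.append(raw)
        elif keep:                                      # partially flagged: keep benign names
            out.append(f"{fields[0]}\t{' '.join(keep)}")
    return "\n".join(out) + "\n"

# Constructed sample (not from the article): Windows' default comment block plus
# appended sinkhole lines of the kind described; the domains are placeholders.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
#\t127.0.0.1       localhost
127.0.0.1   localhost   piracy-site-example.invalid
127.0.0.1   torrent-index-example.invalid  www.torrent-index-example.invalid
0.0.0.0     crack-portal-example.invalid   # appended by the dropper
192.0.2.10  intranet.example               # ordinary override, not a sinkhole
"""
```

Because the entries have no persistence mechanism, as Sophos notes, writing the cleaned text back over the hosts file (with administrator rights) is the whole remediation.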

Published: 18/06/2021