Puzzling New Malware Blocks Access to Piracy Sites

Researchers have admitted they’re baffled by a new piece of malware primarily designed to prevent victims from visiting software piracy sites.
Sophos principal researcher, Andrew Brandt, branded the discovery “one of the strangest cases I’ve seen in a while.”

It’s hidden in pirated copies of various software, including security products, and distributed on the game chat service Discord and through BitTorrent. Once double-clicked, it works by flashing up a bogus error message on the victim’s screen while executing.
The malware apparently blocks infected users from visiting a large number of piracy sites by modifying the HOSTS file on their systems. Brandt described this as a “crude but effective” strategy — crude because although it works, the malware has no persistence mechanism.

This means that anyone can remove the HOSTS file entries, and they stay removed unless the program is run a second time. Bizarrely, Brandt claimed to have discovered a malware family that behaved almost identically more than a decade ago.
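As an added example that is not part of the article or of Sophos's research, the script below audits a HOSTS file for the mechanism just described: it flags entries that sinkhole hostnames to a loopback or null address and strips them while keeping the default loopback names, which is the manual cleanup the text says suffices because the malware has no persistence. The sample HOSTS content and domain names are constructed.

```python
# Added example (not from the article): audit and clean HOSTS-based site blocking.
SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}
# Names that legitimately map to loopback and must not be flagged or removed.
DEFAULT_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
                 "ip6-localhost", "ip6-loopback"}


def find_sinkhole_entries(hosts_text):
    """Return (line_no, ip, hostname) for every non-default name mapped to a sinkhole IP."""
    hits = []
    for no, raw in enumerate(hosts_text.splitlines(), start=1):
        body = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not body:
            continue
        parts = body.split()
        ip, names = parts[0], parts[1:]
        if ip not in SINKHOLE_IPS:
            continue  # e.g. an internal override like 10.0.0.5 intranet.example
        for name in names:
            if name.lower() not in DEFAULT_NAMES:
                hits.append((no, ip, name.lower()))
    return hits


def clean_hosts(hosts_text):
    """Return the HOSTS text with sinkholed non-default names removed.
    A line that mixes localhost with blocked names keeps only the default names."""
    out = []
    for raw in hosts_text.splitlines():
        body, _, comment = raw.partition("#")
        parts = body.split()
        if parts and parts[0] in SINKHOLE_IPS:
            keep = [n for n in parts[1:] if n.lower() in DEFAULT_NAMES]
            if not keep:
                continue  # whole line was blocking entries; drop it
            raw = " ".join([parts[0]] + keep) + (" #" + comment if comment else "")
        out.append(raw)
    return "\n".join(out) + "\n"


# Constructed sample; the domains are placeholders, not real piracy sites.
SAMPLE_HOSTS = """# constructed sample HOSTS file
127.0.0.1 localhost
::1 localhost
10.0.0.5 intranet.example   # legitimate internal override
127.0.0.1 piracy-example.test www.piracy-example.test
0.0.0.0 another-blocked.test
"""

if __name__ == "__main__":
    for no, ip, name in find_sinkhole_entries(SAMPLE_HOSTS):
        print(f"line {no}: {name} -> {ip}")
```

On a live system, read the file from C:\Windows\System32\drivers\etc\hosts (Windows) or /etc/hosts and review the flagged lines before writing anything back.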

The malware also downloads and executes a second payload, an executable named “ProcessHacker.jpg.”

It’s detected by Sophos as Mal/EncPk-APV.

Brandt said that the malware developer’s end game is still a mystery.
“On the face of it, the adversary’s targets and tools suggest this could be some kind of crudely compiled anti-piracy vigilante operation. However, the attacker’s vast potential target audience — from gamers to business professionals — combined with the curious mix of dated and new tools, techniques and pro ..