Security researchers at Sophos have discovered a strange malware campaign which has nothing in common with standard attacks (intrusion into a system, theft of information, etc.). Instead, the malware used in this campaign prevents users from visiting "pirate sites" by modifying the HOSTS file on the infected system.
The operators of this unusual campaign use different ways of distributing the malware. In some cases the files arrive disguised as software packages shared through the chat service Discord, while in others they are distributed directly via torrent.
The creator has used the names of many software brands, games, productivity tools and security tools to disguise the malware, according to lead researcher Andrew Brandt. In this way it has managed to reach a wide range of users, from professionals to gamers.
"Files that appear to be hosted on Discord file sharing tend to be executable files," says Brandt.
Double-clicking the malicious executable displays a message claiming that an important .DLL file is missing from the victim's system. In the background, the malware installs a second payload, called ProcessHacker. This payload is responsible for modifying the HOSTS file on the target machine.
However, on newer machines, elevated permissions may be required to modify the HOSTS file.
"Modifying the HOSTS file is a rough but effective method to prevent a computer from accessing a web address," says Sophos.
"The goals and tools of the malware campaign suggest that this could be a kind of anti-piracy business," commented Brandt. "However, the different targets of the attacker, from gamers to professionals, combined with the strange combination of old and new tools, TTPs and the strange list of sites blocked by the malware, make the ultimate goal of this campaign look a little more confused."
The malware does not have a significant impact on users (unless they want to visit pirate sites and are fans of cracked software), but Sophos says that if the HOSTS file has been modified, it can be cleaned by running Notepad as administrator and editing the file at C:\Windows\System32\drivers\etc\hosts.
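As an added example (not code from the Sophos report or from this article), the following Python script shows how a defender can check a Windows HOSTS file for the blocking pattern described above: hostnames pointed at loopback or null-route addresses. The sample file contents, the `.invalid` hostnames and the helper names are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample of a tampered hosts file (not taken from the real campaign).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#    127.0.0.1       localhost
#    ::1             localhost
127.0.0.1   example-tracker.invalid
0.0.0.0     example-torrent-site.invalid  www.example-torrent-site.invalid  # added by malware
192.0.2.10  intranet.example.invalid
"""

# Addresses that make a hostname unreachable when placed in the hosts file.
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1", "::"}
WINDOWS_HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"

@dataclass
class HostsEntry:
    address: str
    hostnames: list
    line_no: int

def parse_hosts(text):
    """Parse hosts-file text; comments and malformed lines are skipped."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        entries.append(HostsEntry(fields[0], fields[1:], n))
    return entries

def sinkholed_hosts(entries):
    """Hostnames (other than localhost) that have been pointed at a sinkhole address."""
    return sorted(h for e in entries if e.address in SINKHOLE_ADDRS
                  for h in e.hostnames if h.lower() != "localhost")

def clean_hosts(text, keep=()):
    """Return the file text with sinkhole lines removed, except lines naming a host in keep."""
    allowed = {k.lower() for k in keep} | {"localhost"}
    kept = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] in SINKHOLE_ADDRS \
                and not any(h.lower() in allowed for h in fields[1:]):
            continue  # drop the blocking entry
        kept.append(raw)
    return "\n".join(kept) + "\n"

if __name__ == "__main__":
    # On a live system: open(WINDOWS_HOSTS_PATH, encoding="utf-8").read() instead of the sample.
    for host in sinkholed_hosts(parse_hosts(SAMPLE_HOSTS)):
        print("blocked by hosts file:", host)
```

Writing the cleaned text back to the real path needs an elevated (administrator) prompt, as the article notes.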