Sophos researchers have discovered a malware campaign whose primary purpose appears to stray from the more common malware motives. Instead of stealing passwords or extorting a computer's owner for ransom, say the researchers, it blocks infected users' computers from visiting a large number of websites dedicated to software piracy by modifying the HOSTS file on the infected system.
The malware also downloaded and delivered a second malware payload, an executable named ProcessHacker.jpg, say Sophos researchers. Modifying the HOSTS file is a crude but effective method to prevent a computer from being able to reach a web address, SophosLabs Principal Researcher Andrew Brandt writes.
"It’s crude because, while it works, the malware has no persistence mechanism. Anyone can remove the entries after they’ve been added to the HOSTS file, and they stay removed (unless you run the program a second time). It was also very familiar to me, personally, because I discovered a family of malware more than 10 years ago that performed a nearly identical set of behaviors and wrote up an analysis," Brandt explains.
While Sophos wasn't able to discern a provenance for this malware, its motivation seemed pretty clear: it prevents people from visiting software piracy websites and sends the name of the pirated software the user was hoping to use to a website, which also delivers a secondary payload.
Joseph Carson, chief security scientist and Advisory CISO at ThycoticCentrify, a Washington, D.C.-based provider of cloud identity security solutions, explains, "The latest report from Sophos on pirated software comes as no surprise. Illegal software, or stolen license keys, have been around as long as I have been using a computer. It’s very common that hidden within pirated software are unwanted features such as password stealers or hidden backdoors. These allow cybercriminals easy access to your devices. Most pirated software has been altered by criminals to help find ways to make money, such as selling stolen credentials or access for malicious criminals to install ransomware, which forces you into becoming the next cyber victim."
Carson adds, "My recommendation is to always avoid pirated software as nothing is ever free and you will surely receive many unwanted features and surprises hidden within. Pirated software commonly has trojans hiding which are waiting for the right time to activate. Many employees who have local administrator access on their company systems are prime targets and this is why most cybercriminals want to abuse your trust into thinking you are doing something that saves the company money. However, in fact it is a malicious software that will potentially result in the company having a major security incident. You should never have to think twice about pirated software as it should always be no."
Sean Nikkel, Senior Cyber Threat Intel Analyst at Digital Shadows, a San Francisco-based provider of digital risk protection solutions, says the technique of hosting malware disguised as legitimate software is not new. "In fact, this likely dates back to the earliest peer-to-peer software days at the turn of the century. In my experience, it's likely the result of people simply downloading the first thing in search results to find a solution, such as a patch or freeware, that's needed to finish a project or to do their work. They may also not be keen on waiting for a solution from management, approval from the company's risk or compliance organization, or the IT help desk, unfortunately."
Nikkel adds, "Organizations can look into tooling that performs file integrity management on system files, but the fixes might be even more straightforward. A good start is using least privilege policies to ensure that not everyone can install and run executables, especially not without approval. Acceptable use policies may also include language about only using company assets for company business to ensure that proper security and compliance safeguards are in place unless otherwise authorized. Also, implementations of acceptable use policies force users to download and install vetted or approved applications only from an intranet store or from the vendors directly. Organizations should also increase awareness about the dangers of downloading anything that is not from an approved site, especially from various free public hosting sites or torrent sites; and it may also come down to blocking known bad torrent or download sites at the firewall. Additional (probably unpopular) measures may even come down to holding users responsible for bad behavior that leads to system compromise or otherwise puts the business in jeopardy."
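The HOSTS-file technique Brandt describes and the file integrity monitoring Nikkel recommends can both be checked with a small script. The following is an added example, not code from Sophos or from any of the quoted vendors: it parses hosts-file content, flags entries that point names other than the usual loopback aliases at loopback or null addresses (the pattern this campaign uses to block sites), and compares a normalized SHA-256 digest against a known-good baseline so that a later change to the file is detected. The sample hosts content and the `.example` domain names are constructed for illustration; the default file paths are the standard locations on Windows and POSIX systems.

```python
import hashlib
import ipaddress
import os

# Addresses that a hosts entry can use to make a name unreachable.
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1", "::"}

# Names legitimately mapped to loopback on stock systems; not flagged.
LOOPBACK_ALIASES = {
    "localhost", "localhost.localdomain", "broadcasthost",
    "ip6-localhost", "ip6-loopback", "ip6-localnet", "ip6-mcastprefix",
    "ip6-allnodes", "ip6-allrouters", "ip6-allhosts",
}


def parse_hosts(text):
    """Yield (line_number, ip, [hostnames]) for each real entry.

    Comments (anything after '#'), blank lines and lines whose first
    field is not a valid IP address are skipped.
    """
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue  # malformed line, not a hosts entry
        yield lineno, ip, parts[1:]


def find_redirect_entries(text):
    """Return [(line_number, ip, [names])] for entries that sinkhole
    names other than the standard loopback aliases."""
    flagged = []
    for lineno, ip, names in parse_hosts(text):
        if ip not in SINKHOLE_ADDRS:
            continue
        suspicious = [n for n in names if n.lower() not in LOOPBACK_ALIASES]
        if suspicious:
            flagged.append((lineno, ip, suspicious))
    return flagged


def hosts_digest(text):
    """SHA-256 of the file with comments and whitespace normalized, so
    cosmetic edits do not trigger an alert but new entries do."""
    normalized = "\n".join(
        f"{ip} {' '.join(n.lower() for n in names)}"
        for _, ip, names in parse_hosts(text)
    )
    return hashlib.sha256(normalized.encode("utf-8")).hexdigest()


def check_integrity(text, baseline_digest):
    """True if the normalized content still matches the recorded baseline."""
    return hosts_digest(text) == baseline_digest


def default_hosts_path():
    # Standard locations; the Windows one is relative to the system root.
    if os.name == "nt":
        return os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                            "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


# Constructed sample content (not a real file from the campaign).
BASELINE_HOSTS = """# sample stock hosts file
127.0.0.1       localhost
::1             localhost
"""

TAMPERED_HOSTS = BASELINE_HOSTS + """
# entries of the kind an anti-piracy blocker would append
127.0.0.1 piracy-site.example
127.0.0.1 www.piracy-site.example   # trailing comment
0.0.0.0   another-site.example
"""


if __name__ == "__main__":
    baseline = hosts_digest(BASELINE_HOSTS)
    for lineno, ip, names in find_redirect_entries(TAMPERED_HOSTS):
        print(f"line {lineno}: {ip} sinkholes {', '.join(names)}")
    print("baseline intact:", check_integrity(TAMPERED_HOSTS, baseline))
    # Point the same checks at the live file on this machine.
    path = default_hosts_path()
    if os.path.exists(path):
        with open(path, encoding="utf-8", errors="replace") as fh:
            live = fh.read()
        print(f"{path}: {len(find_redirect_entries(live))} redirect entries")
```

Record `hosts_digest()` of a known-good file once, store it outside the monitored host, and alert when `check_integrity()` fails or `find_redirect_entries()` returns anything; because the digest ignores comments and spacing, only real entry changes raise an alert.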
"This seems to be a fresh trick on an old attack of compromising people attempting to download pirated software and media. In this case though, it seems to be an individual or group trying to protect intellectual property, but make no mistake, this is still clearly criminal behavior," notes John Bambenek, Threat Intelligence Advisor at Netenrich, a San Jose, Calif.-based Resolution Intelligence provider. "This reminds me of the Sony rootkit scandal a decade ago and shows the anti-piracy groups still haven’t learned that other people have rights too."