In a report, SophosLab said it learned of the existence of malware intended to prevent its victims from downloading illegally.
Active between October 2020 and January 2021, this malware was content to change the HOSTS file of its victims to prevent them from going to The Pirate Bay and its mirrors.
Report author Andrew Brandt described it as “one of the strangest cases I have seen in some time.” It would be difficult to prove him wrong as we are so used to malware whose primary function is to steal personal data and other login credentials. But this one is a special case since it seeks to prevent its victims from downloading illegally.
They distribute this malware in two ways. The first part of the Discord messaging software, where it is sent as a simple executable supposed to be a cracked version of a game or a software. The second goes through classic hacking sites, where it comes as a folder that contains the executable along with other folders and files to make it look like a classic torrent.
An inefficient method
Once the executable is launched, it displays a fake error message showing that they could not instal the software because of a missing .dll file. Subsequently, it contacts a website belonging to the attacker and sends it the name of the file that the victim is trying to download as well as its IP address. It also recovers a second malware, which takes care of modifying the HOSTS file. These changes prevent the victim from primarily accessing The Pirate Bay, automatically redirecting them to their localhost as soon as they try to access it.
The method is not very efficient since it suffices to delete these lines from your HOSTS file to access the sites again. The biggest risk is that they could send the information collected by the attacker to government agencies or internet providers, or even be used in future extortion campaigns, as blackmail.
According to Andrew Brandt, this malware campaign was active between October 2020 and January 2021, when the attacker’s site was taken offline.