A new malware campaign, called Vigilante, has been discovered whose primary purpose is the opposite of most common malware motives. Instead of stealing passwords or extorting victims for ransom, the malware blocks the victim’s computer from visiting software piracy websites.

What has happened?

According to researchers from Sophos, the malware works by making changes to the HOSTS file on the compromised system, an effective way to stop a computer from reaching specific web addresses.
  • The Vigilante malware comes with no persistence mechanism, so an infected user can easily undo its effect on a local computer simply by removing the entries it added to the HOSTS file.
  • The malware adds a large number of web domains (ranging from a few hundred to more than 1000) to the HOSTS file, directing them at the localhost address, 127[.]0[.]0[.]1.
  • Once the entries are in the HOSTS file, any request for these websites resolves to the localhost address, preventing access to the actual site.
  • The name of the pirated software is sent to a website. In addition, a secondary payload is delivered to the user’s system from the website.

The secondary payload is a ProcessHacker[.]jpg file that performs various additional functions to block the infected system from running the pirated software. It modifies the HOSTS file after asking Windows for privilege elevation.
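As an added example (not from the article or from Sophos's research), the following Python check shows the defender's side of the technique described above: it parses HOSTS-file content, flags hostnames pinned to loopback or the unspecified address, judges whether the volume looks like bulk sinkholing, and produces a cleaned copy. The sample content, placeholder domain names and the threshold of 50 entries are constructed assumptions.

```python
# Constructed sample HOSTS content (not from the article): the stock Windows
# header with commented loopback lines, then Vigilante-style bulk entries
# pinning domains to 127.0.0.1. All domain names are placeholders.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#\t127.0.0.1       localhost
#\t::1             localhost
127.0.0.1 example-torrent-site.invalid
127.0.0.1 example-tracker.invalid www.example-tracker.invalid
127.0.0.1 example-warez.invalid   # trailing comment
0.0.0.0 example-ads.invalid
10.0.0.5 intranet.corp.invalid
"""

# Addresses that make a name resolve nowhere useful: loopback and "unspecified".
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}
# Names that legitimately map to loopback and must not be flagged.
BENIGN_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Yield (line_no, address, [hostnames]) for each active (non-comment) entry."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()   # strip comments and whitespace
        if not body:
            continue
        fields = body.split()
        yield line_no, fields[0], fields[1:]


def sinkholed_names(text):
    """Return hostnames pinned to a sinkhole address, excluding the benign ones."""
    names = []
    for _, addr, hosts in parse_hosts(text):
        if addr in SINKHOLE_ADDRS:
            names.extend(h.lower() for h in hosts if h.lower() not in BENIGN_NAMES)
    return names


def is_suspicious(text, threshold=50):
    """Bulk sinkholing is the tell; the threshold is an assumed tuning value."""
    return len(sinkholed_names(text)) >= threshold


def remove_sinkholed(text):
    """Undo the modification: drop lines that pin non-benign names to a sinkhole."""
    kept = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        flagged = (bool(fields) and fields[0] in SINKHOLE_ADDRS
                   and any(h.lower() not in BENIGN_NAMES for h in fields[1:]))
        if not flagged:
            kept.append(raw)
    return "\n".join(kept) + "\n"
```

On a live Windows system the same functions would be run over the contents of C:\Windows\System32\drivers\etc\hosts, and the cleaned copy written back only after review.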

Using multiple ways to spread malware

The attackers have used multiple ways to spread the malware, luring people who visit popular torrent sites to pirate software. These files tend to be lone executable files.
  • One such method was observed to use Discord to host the malware disguised as pirated copies of numerous software packages.
  • Other copies spread via BitTorrent and were named after well-known pirated downloads, such as productivity tools and security products. Additional files appear to be shared by a ThePirateBay account.
  • In addition, the malware checks an infected system to see whether it can make an outbound network connection. If it can, it tries to contact a URI on the domain 1flchier[.]com.

Conclusion

This new Vigilante malware is possibly operated by an individual or a group trying to stop people from using pirated software by blocking the websites that distribute it. However, making unauthorized modifications to someone’s system is still criminal activity. Therefore, users are advised to stay protected by not downloading pirated software and not clicking on links from unknown users.

Cyware Publisher