Sophos researchers have discovered a malware campaign that does not follow the usual behaviour patterns: its job is to block users from accessing websites where content and software can be downloaded without a license.
According to ZDNet, the distribution methods of this malware vary. Some samples were hidden in files disguised as software packages shared via the Discord chat service, while others are distributed directly through torrents.
To deceive users, it borrows the names of numerous software brands, games, productivity tools and cybersecurity solutions.
This is how this curious malware hides
Malicious packages are named in the formats commonly used when distributing unlicensed software, such as "Minecraft 1.5.2 Cracked [Full Installer][Online][Server List]". The files are tagged to appear as if they had been uploaded from The Pirate Bay.
According to Sophos, the samples distributed through BitTorrent have been packaged as follows: the executable is added to a compressed archive that also contains a text file and other supporting files, as well as an Internet shortcut file.
If the malware executable is double-clicked, a pop-up message appears stating that the victim's system is missing a .DLL file. In the background, the malware modifies the victim's HOSTS file via ProcessHacker. In this way, if the privileges needed to write to that file can be obtained, the attackers can stop the computer from connecting to the addresses listed in it.
This is a very rudimentary way to block access, since anyone can edit the HOSTS file and remove the blocked addresses or replace them with others. But in many cases it will be effective, and the victim will not know what has happened.
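Because the blocking described above lives entirely in the HOSTS file, a defender can detect it by auditing that file for public hostnames pinned to a loopback or null address. The script below is an added example written for this article, not code from Sophos or from the malware; the hosts-file content it checks is a constructed sample, and the hostnames in it are made-up names under reserved test domains.

```python
import ipaddress
import platform

# Names that legitimately map to a loopback address on a stock system.
LOCAL_NAMES = {
    "localhost", "localhost.localdomain", "broadcasthost",
    "ip6-localhost", "ip6-loopback", "ip6-localnet", "ip6-mcastprefix",
    "ip6-allnodes", "ip6-allrouters", "ip6-allhosts",
}

# Addresses commonly used to "sinkhole" a hostname in the HOSTS file.
SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample HOSTS content: two normal lines, then the kind of
# entries a hosts-blocking malware might append (names are invented).
SAMPLE_HOSTS = """\
# constructed sample, not a real capture
127.0.0.1       localhost
::1             localhost
# entries a hosts-blocking malware might append (constructed names)
127.0.0.1       example-torrent-site.test
127.0.0.1       www.example-torrent-site.test
0.0.0.0         another-warez.example   # trailing comment
192.0.2.10      intranet.corp.example   # ordinary non-sinkhole entry
"""


def parse_hosts(text):
    """Return (line_no, ip, [names]) for each effective entry.

    Comments (everything after '#') and blank lines are ignored, and a
    line whose first token is not a valid IP address is skipped.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue
        entries.append((line_no, ip, [p.lower() for p in parts[1:]]))
    return entries


def audit_hosts(text):
    """Return findings for every non-local hostname mapped to a sinkhole address.

    Each finding is a dict with the line number, the address and the name,
    so an analyst can go straight to the offending line.
    """
    findings = []
    for line_no, ip, names in parse_hosts(text):
        if ip not in SINKHOLE_IPS:
            continue
        for name in names:
            if name not in LOCAL_NAMES:
                findings.append({"line": line_no, "ip": ip, "name": name})
    return findings


def hosts_path():
    """Default HOSTS file location for the current platform."""
    if platform.system() == "Windows":
        return r"C:\Windows\System32\drivers\etc\hosts"
    return "/etc/hosts"


if __name__ == "__main__":
    # Audit the constructed sample, then the live file if it is readable.
    for finding in audit_hosts(SAMPLE_HOSTS):
        print("sample: line {line}: {ip} -> {name}".format(**finding))
    try:
        with open(hosts_path(), encoding="utf-8", errors="replace") as fh:
            live = audit_hosts(fh.read())
    except OSError as exc:
        print("could not read live hosts file:", exc)
    else:
        print("live hosts file: {} suspicious entr{}".format(
            len(live), "y" if len(live) == 1 else "ies"))
        for finding in live:
            print("  line {line}: {ip} -> {name}".format(**finding))
```

Run as a script it reports the three sinkholed names from the sample and then audits the real HOSTS file; the ordinary `192.0.2.10` entry is not flagged because only loopback and null addresses count as a block. On a fleet, running `audit_hosts` against collected HOSTS files (or alerting on any write to that path by a process other than an administrator's editor) gives a simple detection for this family of blocking behaviour.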