Researchers have unearthed one of the more unusual finds in the annals of malware: a booby-trapped file that tries to snitch on the person who downloaded it and to prevent future unauthorized downloads.
Andrew Brandt, Principal Researcher at Sophos Labs, named the malware ‘Vigilante’. It gets installed when the victim downloads and runs what appears to be pirated software or games. Behind the scenes, the malware reports the filename that was executed to an attacker-controlled server, along with the IP address of the victim’s computer. Lastly, Vigilante attempts to modify the victim’s computer so that piratebay.com and 1,000 other pirate sites become inaccessible.
Because web servers normally log a visitor's IP address, the attacker now has both the pirate's IP address and the name of the software or movie the victim attempted to use. It is unknown what this information is used for, but the attackers could share it with ISPs, copyright agencies, or even law enforcement.
“It’s really unusual to see something like this because there’s normally just one motive behind most malware: stealing stuff. Whether that’s passwords, or keystrokes, or cookies, or intellectual property, or access, or even CPU cycles to mine cryptocurrency, theft is the motive. But not in this case. These samples really only did a few things, none of which fit the typical motive for malware criminals,” Brandt explained.
Vigilante modifies files on infected computers to block them from connecting to The Pirate Bay and other Internet destinations known to be used by people who trade pirated software. Brandt discovered some of the Trojans lurking in software packages distributed through Discord-hosted chat services. He found others disguised as popular games, productivity tools, and security products available through BitTorrent.
“Padding an archive with a purposeless file of random length is an easy way to change the hash value of the archive. Filling it with a racist slur taught me everything I needed to know about its creator,” Brandt wrote on Twitter.
Since Vigilante has no persistence mechanism, it has no way to survive on the machine once it has run. Users who have been infected need only edit their Hosts file to be disinfected. There are other strange things: many of the Trojanized executable files are digitally signed using a fake code signing tool, and the signature contains a randomly generated 18-character string of uppercase and lowercase letters.
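The disinfection step above amounts to finding the hosts-file entries the malware added and removing them. The following is an added example, not code from Sophos or from the article, showing how a defender can parse a Windows-style hosts file, flag hostnames that have been sinkholed to loopback or 0.0.0.0 (other than the normal localhost names), and produce a cleaned copy; the sample file and its `.example` domains are constructed for illustration, not indicators from the report.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample: the default Windows entries plus the kind of
# redirections a hosts-file blocker leaves behind. On a real machine you
# would read C:\Windows\System32\drivers\etc\hosts instead.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1  thepiratebay.example  www.thepiratebay.example
0.0.0.0    torrent-site.example   # added by malware
127.0.0.1  localhost
"""

# Names that legitimately point at loopback and must not be flagged.
LEGIT_LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
                     "ip6-localhost", "ip6-loopback"}


def parse_hosts(text: str) -> List[Tuple[int, str, List[str]]]:
    """Return (line_number, address, [hostnames]) for every active entry."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        entries.append((lineno, parts[0], parts[1:]))
    return entries


def is_sinkhole(address: str) -> bool:
    """True if the address can never reach the real host (loopback or 0.0.0.0)."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False  # not an IP literal; leave it for manual review
    return ip.is_loopback or ip.is_unspecified


def find_blocked_hosts(text: str) -> List[Tuple[int, str, str]]:
    """Flag sinkholed hostnames that are not the usual loopback names."""
    hits = []
    for lineno, address, names in parse_hosts(text):
        if is_sinkhole(address):
            hits.extend((lineno, address, n) for n in names
                        if n.lower() not in LEGIT_LOCAL_NAMES)
    return hits


def clean_hosts(text: str) -> str:
    """Return the hosts content with every flagged line removed."""
    bad = {lineno for lineno, _, _ in find_blocked_hosts(text)}
    kept = [raw for n, raw in enumerate(text.splitlines(), start=1) if n not in bad]
    return "\n".join(kept) + "\n"
```

Review the flagged lines before writing the cleaned content back, since a hosts file may also carry entries an administrator added on purpose.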