villahacks.blogg.se

Tavern tycoon anti piracy











Tavern tycoon anti piracy software

There seem to be hundreds of different software brands represented by the filenames found in a search on VirusTotal for related samples.


The provenance of this file in VirusTotal was Discord. Other copies, distributed through Bittorrent, were also named after popular games, productivity tools, and even security products, accompanied by additional files (more on those lower down in the story) that make it appear to have originated with a well-known file sharing account on ThePirateBay.

Fake games on Discord

At least some of the malware, disguised as pirated copies of a wide variety of software packages, was hosted on game chat service Discord. The file adds from a few hundred to more than 1000 web domains to the HOSTS file, pointing them at the localhost address, 127.0.0.1. We weren’t able to discern a provenance for this malware, but its motivation seemed pretty clear: It prevents people from visiting software piracy websites (if only temporarily), and sends the name of the pirated software the user was hoping to use to a website, which also delivers a secondary payload.

A Process Monitor log shows a fake Among Us malware executable modifying the HOSTS file

It was also very familiar to me, personally, because I discovered a family of malware more than 10 years ago that performed a nearly identical set of behaviors and wrote up an analysis. Anyone can remove the entries after they’ve been added to the HOSTS file, and they stay removed (unless you run the program a second time).


It’s crude because, while it works, the malware has no persistence mechanism.


Modifying the HOSTS file is a crude but effective method to prevent a computer from being able to reach a web address.

The malware also downloaded and delivered a second malware payload, an executable named ProcessHacker.jpg

In one of the strangest cases I’ve seen in a while, one of my Labs colleagues recently told me about a malware campaign whose primary purpose appears to stray from the more common malware motives: Instead of seeking to steal passwords or to extort a computer’s owner for ransom, this malware blocks infected users’ computers from being able to visit a large number of websites dedicated to software piracy by modifying the HOSTS file on the infected system.
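For triage and cleanup of the HOSTS changes described above, the following is an added example (not code from the original article) that parses a HOSTS file, lists names pointed at loopback or 0.0.0.0, and builds a cleaned copy. The alert threshold, the function names and the sample domains are assumptions made for illustration.

```python
import ipaddress
import os

# Names that legitimately map to loopback on a clean system.
BENIGN = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback", "broadcasthost"}
# Assumed alert threshold; the article reports a few hundred to 1000+ added entries.
BULK_THRESHOLD = 100

def is_sinkhole(addr):
    """True for loopback or unspecified addresses (127.0.0.1, ::1, 0.0.0.0)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified

def audit_hosts(text):
    """Return (sinkholed_names, cleaned_text) for the contents of a HOSTS file."""
    sinkholed, kept = [], []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) >= 2 and is_sinkhole(fields[0]):
            names = [n.lower() for n in fields[1:]]
            bad = [n for n in names if n not in BENIGN]
            if bad:
                sinkholed.extend(bad)
                good = [n for n in names if n in BENIGN]
                if good:                          # keep the benign part of a mixed line
                    kept.append(f"{fields[0]} {' '.join(good)}")
                continue
        kept.append(line)
    return sinkholed, "\n".join(kept) + "\n"

def is_bulk_block(sinkholed, threshold=BULK_THRESHOLD):
    """True when the number of distinct sinkholed names reaches the threshold."""
    return len(set(sinkholed)) >= threshold

# Constructed sample: placeholder domains, not indicators from the campaign.
SAMPLE = "# sample hosts\n127.0.0.1 localhost\n::1 localhost\n" + "".join(
    f"127.0.0.1 blocked{i}.example\n" for i in range(300)) + "10.0.0.5 fileserver.corp.example # intranet\n"

if __name__ == "__main__":
    path = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32", "drivers", "etc", "hosts")
    text = open(path, encoding="utf-8", errors="replace").read() if os.path.exists(path) else SAMPLE
    names, cleaned = audit_hosts(text)
    print(f"{len(names)} sinkholed names; bulk block: {is_bulk_block(names)}")
```

The script only reports; it never writes the cleaned text back. Deliberate ad-blocking HOSTS lists use the same loopback entries, so treat a hit as a prompt to review the names, not as proof of infection.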










