Malware laced with racial epithets tries to block Windows-based victims from visiting file-sharing sites associated with copyright infringement, according to new Sophos research.
The malicious software amounts to a "goofy process to block people from going to the Pirate Bay," according to Sophos researcher Andrew Brandt, who stumbled across the malware after a colleague mentioned it in passing.
Rather than opening a backdoor for a ransomware gang to exploit or dropping a malicious payload, however, this malware merely sinkholes a bunch of Pirate Bay domain names by adding them to the Windows hosts file and pointing them at 127.0.0.1 – meaning they'll be inaccessible from the victim's machine.
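A defender can spot this kind of tampering without signatures: parse the hosts file and flag any hostname that is mapped to a loopback address yet is not one of the standard localhost names. The script below is an added example written for this article, not Sophos's or the malware's code; the hosts-file content is constructed to mimic the described modification, and the `.example` names are placeholders.

```python
import ipaddress
import re

# Constructed sample of a Windows hosts file (not a real capture). The last four
# entries mimic what the article describes: file-sharing domains appended and
# pointed at loopback so the victim can no longer reach them.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#	127.0.0.1       localhost
#	::1             localhost
127.0.0.1   localhost
127.0.0.1   thepiratebay.org  www.thepiratebay.org   # appended by malware
127.0.0.1	piratebay.live
::1         pirateproxy.example   # constructed placeholder name
192.0.2.10  update.example        # constructed: a redirect, not a sinkhole
"""

# Names that legitimately resolve to loopback and must not be flagged.
BENIGN_LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text.

    Handles trailing comments, blank lines, tab or space separators and
    several hostnames on one line, as the real file format allows."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments
        if not line:
            continue
        parts = re.split(r"\s+", line)
        ip, names = parts[0], parts[1:]
        for name in names:
            yield ip, name.lower()


def find_sinkholed(text):
    """Return hostnames pointed at a loopback address (127.0.0.0/8 or ::1)
    other than the standard localhost names. These entries are the hallmark
    of hosts-file sinkholing; anything else (e.g. a public IP) is not flagged
    here, since the article's sample only uses 127.0.0.1."""
    flagged = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue                               # malformed line; ignore
        if addr.is_loopback and name not in BENIGN_LOOPBACK_NAMES:
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    for host in find_sinkholed(SAMPLE_HOSTS):
        print("sinkholed:", host)
```

On a live Windows machine the file to feed in is `%SystemRoot%\System32\drivers\etc\hosts`; a sudden batch of loopback entries for unrelated domains is worth an alert.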
"We found it being shared through BitTorrent," Brandt explained to The Register. "It's just so odd."
The Pirate Bay is a well-known repository of copyright-infringing files, ranging from films to games to commercial software. Many of the uploads available are laced with malware.
Brandt's software nasty masquerades as cracked copies of legitimate software available for download on BitTorrent or as links shared on chat-for-gamers service Discord, which also has a relatively little-known CDN all of its own.
"The files that appear to be hosted on Discord's file sharing tend to be lone executable files. The ones distributed through BitTorrent have been packaged in a way that more closely resembles how pirated software is typically shared using that protocol: Added to a compressed file that also contains a text file and other ancillary files, as well as an old-fashioned Internet Shortcut file pointing to ThePirateBay," wrote Brandt in a detailed blog about his findings.
Those ancillary files contained something particularly nasty, he told us: "In several of them... there's just a big block of binary data in the middle, where they had used just the N word, like, more than 1,000 times in the file to just fill space, and it was just gross and weird. And really offensive."
This racist tirade makes it unlikely (but not impossible) that the malware was made by an aggrieved company angry at cheapskates downloading pirated copies of paid-for software. Brandt agreed, saying: "I think it was probably some individual with a grudge and a really nasty, you know, racist attitude."
Such things are intended to upset researchers reverse-engineering malicious software, and they are not unknown, we understand.
Just one obvious clue exists as to the malware's origin: upon execution it would try and phone home to a URI on 1flchier[.]com, a typosquat of French cloud provider 1fichier, using a user-agent string masquerading as Firefox version 41, released in Q3 2015.
Fiddling with the Windows hosts file to prevent victims from accessing certain websites is an ancient tactic that goes back to the early days of Windows malware. Two decades ago some malicious person wrote a worm specifically targeting The Register and antivirus makers' domains.
More recently, NAS maker QNAP's customers were being targeted in 2019 by mysterious malware that sinkholed around 700 domains through similar tampering with the hosts file. ®