
Left 4 dead 1 tpb

In one of the strangest cases I’ve seen in a while, one of my Labs colleagues recently told me about a malware campaign whose primary purpose appears to stray from the more common malware motives: instead of seeking to steal passwords or to extort a computer’s owner for ransom, this malware blocks infected users’ computers from visiting a large number of websites dedicated to software piracy by modifying the HOSTS file on the infected system.

Modifying the HOSTS file is a crude but effective method of preventing a computer from reaching a web address: the system resolver consults the file before it queries DNS, so a hostname mapped there to a loopback address never resolves to the real server. It’s crude because, while it works, the malware has no persistence mechanism. Anyone can remove the entries after they’ve been added to the HOSTS file, and they stay removed (unless you run the program a second time).

[Figure: A Process Monitor log shows a fake Among Us malware executable modifying the HOSTS file]

We weren’t able to discern a provenance for this malware, but its motivation seemed pretty clear: it prevents people from visiting software piracy websites (if only temporarily), and sends the name of the pirated software the user was hoping to use to a website, which also delivers a secondary payload. The malware also downloaded and delivered a second malware payload, an executable named ProcessHacker.jpg.

It was also very familiar to me, personally, because I discovered a family of malware more than 10 years ago that performed a nearly identical set of behaviors and wrote up an analysis.
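Because the blocking lives entirely in the HOSTS file, it is straightforward to audit and undo. The Python script below is an added example and is not code from the original post or from the malware analysis it describes: it parses HOSTS-file text, flags every entry that maps a non-loopback hostname to a sinkhole address (127.0.0.1, 0.0.0.0, ::1 or ::), and returns the file with those lines removed. The sample HOSTS content and the domain names in it are constructed for this example; the post does not list the sites the malware actually blocked.

```python
"""Audit a HOSTS file for injected sinkhole entries and produce a cleaned copy.

Added example, not code from the original post.  On Windows the file lives at
C:\\Windows\\System32\\drivers\\etc\\hosts; the sample text below is constructed
and the .example domain names are placeholders, not the malware's real targets.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Hostnames that legitimately point at loopback and must never be flagged.
LOOPBACK_NAMES = {
    "localhost", "localhost.localdomain", "broadcasthost",
    "ip6-localhost", "ip6-loopback",
}

# Addresses a blocker typically uses to sink traffic.
SINKHOLE_ADDRS = {ipaddress.ip_address(a) for a in ("127.0.0.1", "0.0.0.0", "::1", "::")}

# Constructed sample: two legitimate loopback lines, one internal override,
# and three injected blocking entries of the kind the post describes.
SAMPLE_HOSTS = """\
# Hosts file (constructed sample for this example)
127.0.0.1       localhost
::1             localhost
10.0.0.5        build-server.corp.example   # legitimate internal override
127.0.0.1       piracy-tracker.example
127.0.0.1       warez-mirror.example  www.warez-mirror.example
0.0.0.0         torrent-index.example
"""


@dataclass(frozen=True)
class HostsEntry:
    lineno: int            # 1-based line number in the file
    address: str           # first whitespace-separated field
    names: tuple[str, ...] # remaining fields, lower-cased
    raw: str               # the original line, for reporting


def parse_hosts(text: str) -> list[HostsEntry]:
    """Return the address->names entries in a HOSTS file, skipping comments."""
    entries: list[HostsEntry] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        body = raw.split("#", 1)[0].strip()   # strip trailing comments
        parts = body.split()
        if len(parts) < 2:
            continue                          # blank, comment-only, or malformed
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue                          # not an address; resolver ignores it too
        entries.append(HostsEntry(lineno, parts[0], tuple(p.lower() for p in parts[1:]), raw))
    return entries


def suspicious_entries(entries: list[HostsEntry]) -> list[HostsEntry]:
    """Flag entries that sink a hostname other than a known loopback name."""
    flagged = []
    for e in entries:
        if ipaddress.ip_address(e.address) not in SINKHOLE_ADDRS:
            continue
        if all(n in LOOPBACK_NAMES for n in e.names):
            continue
        flagged.append(e)
    return flagged


def cleaned_hosts(text: str, flagged: list[HostsEntry]) -> str:
    """Return the file text with the flagged lines removed, everything else intact."""
    drop = {e.lineno for e in flagged}
    kept = [raw for i, raw in enumerate(text.splitlines(), start=1) if i not in drop]
    return "\n".join(kept) + "\n"


def audit_hosts(text: str) -> tuple[list[str], str]:
    """Convenience wrapper: (flagged hostnames, cleaned file text)."""
    flagged = suspicious_entries(parse_hosts(text))
    names = [n for e in flagged for n in e.names]
    return names, cleaned_hosts(text, flagged)


if __name__ == "__main__":
    names, cleaned = audit_hosts(SAMPLE_HOSTS)
    for n in names:
        print(f"sinkholed: {n}")
    print("--- cleaned file ---")
    print(cleaned, end="")
```

The audit only catches sinkhole-style blocking, which is what this campaign does. An attacker who instead redirects a hostname to a server they control would use a routable address, so a production check should also diff the file against a known-good baseline rather than rely on the loopback heuristic alone.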
