Security teams looking to prevent work-from-home and remote users from downloading potentially trojanized pirated software will find Thursday’s research by Sophos of interest.
In a blog post, Sophos researchers reported on a curious malware program that comes disguised as pirated copies of software, but actually modifies infected users' HOSTS file to blocks them from visiting software piracy websites in the future. The malware also sends the name of the pirated software that the user was hoping to obtain to a website that delivers a secondary payload. Although it’s somewhat crude because the malware has no persistence mechanism, the researchers said the technique can effectively prevent computers from reaching specified web addresses.
At least some of the malware was hosted on the game chat service Discord. Other copies were distributed via BitTorrent and named after popular games, productivity tools and security products. The researchers said they were accompanied by additional files that made it appear to have originated at the popular file-sharing site ThePirateBay.
For security pros looking to protect their companies from this malware, it goes without saying that organizations should have filtering in place that ensures users are unable to visit pirating websites or unneeded file transfer software like BitTorrent, said John Hammond, senior security researcher at Huntress. Hammond said users should have no need or desire to look for or download “cracked” software or games. Security teams should also have antivirus in place to help prevent malicious downloads.
“If for whatever reason, a strange executable were to be found, personnel should stay vigilant as always,” Hammond said. “Alert your security team if you see any suspicious file, and if there’s any hesitation on clicking on a program, don't click. In this case, it’s just as simple as examining the file properties to uncover suspicious data or program names that don't match up. Proactive measures and safety precautions to verify what a program really is can help stave off the headache and nightmare of a security incident.”
Joseph Carson, chief security scientist and Advisory CISO at ThycoticCentrify, added that it’s very common for pirated software to have unwanted features, such as password stealers or hidden backdoors. These allow cybercriminals easy access to devices. Carson said most pirated software has been altered by criminals to help find ways to make money, such as selling stolen credentials or access for malicious criminals to install ransomware, which forces companies into becoming the next cyber victim.
“Always avoid pirated software, as nothing is ever free and you will surely receive many unwanted features and surprises hidden within,” Carson said. “Pirated software commonly has trojans hiding that are waiting for the right time to activate. Many employees who have local administrator access on their company systems are prime targets and that's why most cybercriminals want to abuse your trust into thinking you are doing something that saves the company money. However, in fact it is a malicious software that will potential result in the company having a major security incident.”
