Most malware operators pursue some kind of profit. However, cybersecurity researchers at Sophos have discovered a unique malware called Oddball, whose sole purpose is to block access to websites that offer pirated software.
The malware modifies the HOSTS file on the infected system using “a crude but effective method to prevent the computer from accessing a web address.” The HOSTS file is an integral part of the Windows OS and maps hostnames or domain names to IP addresses; it is consulted before any DNS query, so it effectively acts as a local DNS service, and an entry that points a domain at a loopback address makes that domain unreachable.
Since the malware does not establish persistence, any user can easily undo its effect on the local computer by deleting the added entries from the HOSTS file.
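The remediation described above is mechanical enough to script. The following example, added here and not taken from Sophos or from the malware write-up, parses the Windows HOSTS file format, flags every entry that sends a non-loopback hostname to a loopback or null address (the technique the text calls “crude but effective”), and produces a cleaned copy with only those lines removed. The sample HOSTS content is constructed; the blocked domain names in it are placeholders, not the sites the malware actually targets.

```python
"""Detect and remove sink-hole entries in a Windows HOSTS file.

Example code added to this article (not Sophos's or the malware author's).
Assumptions: the file uses the standard "<address> <hostname> [hostname ...]"
layout with '#' comments, and the sample content below is constructed.
"""
from dataclasses import dataclass

# Addresses an entry is pointed at when the goal is to make a site unreachable.
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1", "::"}

# Names that legitimately resolve to loopback and must never be flagged.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}


@dataclass(frozen=True)
class HostsEntry:
    line_no: int        # 1-based line number, for reporting
    address: str
    hostnames: tuple    # one address line may map several names
    raw: str            # original line, kept so untouched lines are reproduced exactly


def parse_hosts(text: str) -> list:
    """Return one HostsEntry per non-comment, non-blank line."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        body = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not body:
            continue
        fields = body.split()
        if len(fields) < 2:
            continue                          # malformed line; Windows ignores these too
        entries.append(HostsEntry(line_no, fields[0], tuple(fields[1:]), raw))
    return entries


def find_sinkholed(entries) -> list:
    """Entries that map a non-loopback name to a loopback/null address."""
    flagged = []
    for e in entries:
        if e.address not in SINKHOLE_ADDRESSES:
            continue
        if any(h.lower() not in LOOPBACK_NAMES for h in e.hostnames):
            flagged.append(e)
    return flagged


def clean_hosts(text: str, flagged) -> str:
    """Return the HOSTS content with the flagged lines removed and nothing else changed."""
    drop = {e.line_no for e in flagged}
    kept = [raw for n, raw in enumerate(text.splitlines(), start=1) if n not in drop]
    return "\n".join(kept) + ("\n" if text.endswith("\n") else "")


def sinkholed_names(text: str) -> list:
    """Convenience: sorted list of hostnames the file currently blocks."""
    names = set()
    for e in find_sinkholed(parse_hosts(text)):
        names.update(h for h in e.hostnames if h.lower() not in LOOPBACK_NAMES)
    return sorted(names)


# Constructed sample: the default Windows header plus one legitimate admin entry
# and three sink-hole lines of the kind the malware appends (placeholder names).
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
#    127.0.0.1       localhost
#    ::1             localhost
10.0.0.5     intranet.corp.example   # constructed: legitimate admin-added entry
127.0.0.1    torrent-site-one.invalid
127.0.0.1    torrent-site-two.invalid www.torrent-site-two.invalid
0.0.0.0      warez-mirror.invalid
"""

if __name__ == "__main__":
    flagged = find_sinkholed(parse_hosts(SAMPLE_HOSTS))
    for e in flagged:
        print(f"line {e.line_no}: {e.address} -> {', '.join(e.hostnames)}")
    print("--- cleaned ---")
    print(clean_hosts(SAMPLE_HOSTS, flagged), end="")
```

On a real machine the file lives at `%SystemRoot%\System32\drivers\etc\hosts` and needs administrator rights to rewrite; review the flagged list before writing it back, since some endpoint tools and ad-blockers add loopback entries deliberately.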
Attackers used various means to distribute the malware and attract the attention of people who tend to use popular torrent sites to download pirated software. One of the distribution methods was the Discord messenger. Other copies were distributed via BitTorrent, disguised as popular games, productivity tools, and even security products.
After the executable is launched, it displays a “false error message” telling the user that it cannot start because the MSVCR100.dll file is missing. The malware also checks the infected system for an outgoing network connection and, if one is available, tries to contact a URI in the 1flchier[.]com domain. Presumably, the domain imitates the 1fichier cloud storage provider, using a lowercase “l” as the third character instead of “i”.
Once the site is reached, the software downloads an executable named ProcessHacker.jpg, which modifies the HOSTS file and blocks access to the pirated-software sites.