
Vigilante Malware

By definition, malware threats are designed to perform some nefarious activity. Different cybercriminals have different goals: spying on unsuspecting users, stealing sensitive data and uploading it to a remote server, capturing keystrokes to obtain login or payment credentials, hijacking the resources of the infected device to mine for crypto-coins, or encrypting the user's data and demanding a ransom for its restoration. The Vigilante malware, however, is somewhat different. In fact, it has little in common with the malware threats described above. This particular Trojan is designed to target people downloading pirated software and then block their computers from opening the addresses of over 1000 torrent trackers and download platforms.

The Vigilante malware infects its victims by hiding inside software packages distributed via the Discord chat service or by disguising itself as several popular games, software tools, and security products available through BitTorrent. Furthermore, to artificially increase the size of the corrupted archive, it includes non-functional files of random length. The weaponized executables are signed using a fake code-signing tool, with the generated certificate expiring in 2039.

Its Peculiar Functionality

Once the threat is on the user's device, it obtains the name of the file that was executed and the system's IP address and reports them to the attacker's server in an HTTP GET request. The address of the server was intentionally chosen to mimic the 1fichier cloud storage provider.

Vigilante is then ready to move on to its core functionality. The threat proceeds to modify the compromised system's HOSTS file. It adds the addresses of a thousand Internet sites commonly associated with the delivery of pirated software, such as the popular torrent tracker The Pirate Bay and many of its proxies. Each domain injected into the HOSTS file will be assigned to open the IP address - a reserved IP address that a computer system uses to refer to itself. In practice, any requests made to this address do not reach the Internet but are instead rerouted back to the system. Victims of the Vigilante malware will find themselves unable to reach any of the targeted websites.

The effects of the malware can be reversed easily. After all, the Vigilante malware doesn’t have the capability to establish a persistence mechanism on the infected systems. Victims can simply clean up their HOSTS file and everything will be back to normal. 
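
The HOSTS file cleanup described above can be checked with a short script. The following is an added example, not part of the original write-up or any vendor tool: it flags every hostname that a HOSTS file redirects to the local machine and produces a cleaned copy. The LOCAL_NAMES allow-list, the treatment of 0.0.0.0 as a self-address (a slight generalization beyond the page), and the sample content are assumptions made for illustration.

```python
import ipaddress

# Assumption: names that legitimately point at the local machine on stock systems.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost",
               "ip6-loopback", "broadcasthost"}

def is_self_address(token):
    """True if token is an IP address a host uses to refer to itself."""
    try:
        addr = ipaddress.ip_address(token)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified

def audit_hosts(text):
    """Return (flagged_names, cleaned_text) for the content of a HOSTS file."""
    flagged, kept = [], []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop trailing comment
        if len(fields) < 2 or not is_self_address(fields[0]):
            kept.append(line)                    # comment, blank, normal mapping
            continue
        bad = [n.lower() for n in fields[1:] if n.lower() not in LOCAL_NAMES]
        if not bad:
            kept.append(line)                    # e.g. "127.0.0.1 localhost"
            continue
        flagged.extend(bad)
        good = [n for n in fields[1:] if n.lower() in LOCAL_NAMES]
        if good:                                 # keep only the legitimate names
            kept.append(fields[0] + "\t" + " ".join(good))
    return flagged, "\n".join(kept) + "\n"

# Constructed sample content, not taken from an infected machine.
SAMPLE = """\
# constructed sample HOSTS file
127.0.0.1 localhost
::1 localhost
10.0.0.5 fileserver.corp.example   # internal mapping
127.0.0.1 tracker-one.example
127.0.0.1 tracker-two.example www.tracker-two.example  # injected
0.0.0.0 localhost downloads.example
"""

if __name__ == "__main__":
    names, cleaned = audit_hosts(SAMPLE)
    print("Names redirected to the local machine:", names)
    print(cleaned, end="")
```

Ad-blocking HOSTS lists use the same redirection on purpose, so review the flagged names before writing the cleaned text back to the HOSTS file.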

