Sophos Discovers Malware That Blocks The Pirate Bay

Sophos has revealed new malware with a curious goal: preventing its victims from pirating software. The company says this digital vigilante, which is similar to a malware family discovered over a decade ago, modifies the infected system’s HOSTS file to block access to The Pirate Bay and other piracy-related sites.

“Modifying the HOSTS file is a crude but effective method to prevent a computer from being able to reach a web address,” SophosLabs Principal Researcher Andrew Brandt says in a blog post. “It’s crude because, while it works, the malware has no persistence mechanism. Anyone can remove the entries after they’ve been added to the HOSTS file, and they stay removed (unless you run the program a second time).”

The malware is said to spread via the Discord communications platform by masquerading as pirated copies of popular games. Brandt says it’s also distributed over BitTorrent in bundles “named after popular games, productivity tools, and even security products” that include other files whose sole purpose is to make the malware “appear to have originated with a well-known file sharing account on ThePirateBay.”

After the malware is downloaded, it sends two HTTP GET requests to a now-inactive domain. The first request fetches a second payload called “ProcessHacker.jpg” that includes a kill-switch to prevent the malware from operating on devices containing files named “7686789678967896789678” and “412412512512512.” The files themselves can be empty; they simply have to use those names.

The second request “uses a query string to send the filename of the executable that was run to the website’s operators,” Brandt said, which would have allowed them to learn more about what kinds of files people are trying to pirate. That effort appears to have been dropped—Brandt says the server to which the HTTP GET requests were sent “no longer responds to requests, nor has a DNS record.”

Sophos has updated its security products to defend against this malware. Brandt says anyone who’s already been affected by the campaign can manually restore their access to the websites it blocked by running Notepad as an administrator and “modifying the…
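A defender-side check for the kind of HOSTS-file tampering described above, as an added example that is not part of the article or of Sophos' tooling; the watchlist domain and the sample HOSTS content are constructed:

```python
"""Audit a HOSTS file for sinkhole entries like those the Sophos write-up
describes and build a cleaned copy. Added example, not Sophos' code."""
import ipaddress

# Names that legitimately map to loopback and must never be flagged.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost", "ip6-localhost"}
# Constructed watchlist (assumption): the article names only The Pirate Bay.
WATCHLIST = ("thepiratebay.",)

def is_sinkhole(addr: str) -> bool:
    """True for addresses used to blackhole a name: 127/8, ::1, 0.0.0.0, ::."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified

def audit_hosts(text: str):
    """Return (suspicious, cleaned). suspicious = [(line_no, addr, name)] for
    every non-local name pointed at a sinkhole; cleaned = the file with just
    those names removed, other lines kept verbatim."""
    suspicious, kept = [], []
    for no, line in enumerate(text.splitlines(), 1):
        body, _, comment = line.partition("#")     # strip trailing comment
        fields = body.split()
        if len(fields) < 2:                        # blank or comment-only line
            kept.append(line)
            continue
        addr, names = fields[0], fields[1:]
        bad = [n for n in names if is_sinkhole(addr) and n.lower() not in LOCAL_NAMES]
        suspicious.extend((no, addr, n) for n in bad)
        good = [n for n in names if n not in bad]
        if not bad:
            kept.append(line)
        elif good:                                 # drop only the sinkholed names
            kept.append(f"{addr}\t{' '.join(good)}" + (f"  #{comment}" if comment else ""))
    return suspicious, "\n".join(kept) + "\n"

def watchlist_hits(entries):
    """Audit results whose hostname matches the constructed watchlist."""
    return [e for e in entries if any(w in e[2].lower() for w in WATCHLIST)]

# Constructed sample mimicking an infected machine's HOSTS file.
SAMPLE = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.168.1.10    fileserver.lan   # legitimate local override
127.0.0.1       thepiratebay.org
0.0.0.0         example-torrent-site.test
"""
```

Run `audit_hosts` over the real file (on Windows, `C:\Windows\System32\drivers\etc\hosts`) to list the sinkholed names and write back the cleaned copy with administrator rights, which is the manual Notepad fix the article describes, automated.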


Computer Memory Can Be Made to Speak in Wifi, Researcher Discovers

A new theoretical exploit called Air-Fi can turn a secure, air-gapped computer into a wifi transmitter that can help a hacker exfiltrate secure data.

An air-gapped computer is a computer that is completely disconnected from any network. Many air-gapped machines have every possible network feature removed, from wifi to Bluetooth, but this exploit shows that hackers can use DDR SDRAM buses “to generate electromagnetic emissions in the 2.4 GHz Wi-Fi bands and encode binary data on top of it,” according to the researcher Mordechai Guri of the Ben-Gurion University of the Negev, Israel.

“This technique required high levels of skills from the attacker, in both design and implementation,” said Guri in an email. “However, there are simpler covert exfiltration channels for conventional IT environments in the wild. This one is focusing on leaking data from air-gapped computers where the traditional network-based covert channels fail.”

“Using the Wi-Fi medium in such a non-conventional way is something that I’ve been examining during the last year,” he said.

The transmissions are invisible to other devices; only the hacker can pick them up, using specially prepared software and hardware.

He writes:

As a part of the exfiltration phase, the attacker might collect data from the compromised computers. The data can be documents, key logging, credentials, encryption keys, etc. Once the data is collected, the malware initiates the AIR-FI covert channel. It encodes the data and transmits it to the air (in the Wi-Fi band at 2.4 GHz) using the electromagnetic emissions generated from the DDR SDRAM buses.

Guri is well-known in security circles for figuring out how to attack air-gapped machines. In 2019 he used screen brightness and power lines to transmit data from secure computers, and in 2018 he was also able to transmit data via ultrasonic audio files using a simple computer speaker.

In this exploit, Guri was able to force the DDR SDRAM buses to transmit to compromised wifi-capable devices like laptops and smartphones. He hacked four workstations with the exploit, each outfitted with similar 4GB DIMM DDR4…


Kaspersky discovers Ghimob banking malware targets mobile users worldwide – Back End News

When monitoring a Windows campaign from Guildma banking malware, Kaspersky researchers found URLs distributing not only a malicious .ZIP file for Windows, but also a malicious file that appeared to be a downloader to install Ghimob, a new banking Trojan.

Upon infiltrating Accessibility Mode, Ghimob can gain persistence and disable manual uninstallation, capture data, manipulate screen content, and provide full remote control to the actors behind it. According to experts, the developers of this “very typical” mobile Remote Access Trojan (RAT) are heavily focused on users in Brazil but have big plans to expand across the globe. The campaign is still active.

“Latin American cybercriminals’ desire for a mobile banking Trojan with a worldwide reach has a long history,” said Fabio Assolini, security expert at Kaspersky. “We have already seen Basbanke, then BRata, but both were heavily focused on the Brazilian market. In fact, Ghimob is the first Brazilian mobile banking Trojan ready for international expansion.”

Guildma, a threat actor that is part of the infamous Tétrade series and is known for scalable malicious activities in Latin America and other parts of the world, has been actively working on new techniques, developing malware, and targeting fresh victims.

Spying on 153 mobile apps

Its new creation — the Ghimob banking Trojan — lures victims into installing the malicious file through an email which suggests that the person receiving it has some kind of debt. The email also includes a link for the victim to click on so they can find out more information. Once the RAT is installed, the malware sends a message about the successful infection to its server. The message includes the phone model, whether it has lock screen security, and a list of all installed apps that the malware can target. In total, Ghimob can spy on 153 mobile apps, mainly from banks, fintech companies, cryptocurrencies, and exchanges.

When it comes to functions, Ghimob is a spy in the victim’s pocket. Developers can remotely…


Microsoft discovers cryptomining gang hijacking ML-focused Kubernetes clusters – ZDNet
