In a tweet, Brandt wrote that a colleague at the British software and hardware security firm had previously told him about it.
Ok, so, this story is a journey https://t.co/5U9pwGZJ3c
— Accountability Brandt (@threatresearch) June 17, 2021
How it Works
Once a user runs the downloaded file, Vigilante reports the victim's IP address and the file name to an attacker-controlled server, 1flchier[.]com, in an HTTP GET request.
The domain is a look-alike of the legitimate French file-hosting service 1fichier: it swaps the letter i after the f for a lowercase L, which is hard to tell apart in most fonts.
The malware then modifies the Windows hosts file, pointing roughly 1,000 piracy-related domains at 127.0.0.1. Because that is the loopback address, lookups for those sites resolve to the infected machine itself and never reach the internet, so the sites stay blocked until the entries are removed.
It also downloads and drops a second executable, served under the name ProcessHacker.jpg; the image extension only disguises the file type.
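The two host-side artifacts described above, the tampered hosts file and the look-alike domain, are what a responder would look for first. The following is an added triage example written for this article, not code from the malware or from the researchers: it parses a constructed hosts file, lists every non-localhost name sent to a loopback or null address, and folds visually confusable characters so that 1flchier[.]com compares equal to 1fichier.com. The sample domains and the confusable-character table are assumptions of the example.

```python
import ipaddress

# Constructed sample of a Windows hosts file after tampering: the stock
# comment header plus appended entries that sinkhole domains to loopback.
# Domain names are illustrative placeholders, not the real blocklist.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#   127.0.0.1       localhost
#   ::1             localhost
127.0.0.1 tracker-one.test torrents-two.test
127.0.0.1 warez-three.test   # appended entry
::1 localhost
0.0.0.0 blocked-by-admin.test
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *hosts = line.split()
        for host in hosts:
            yield ip, host.lower()


def sinkholed_entries(text):
    """Entries that send a non-localhost name to a loopback or null address,
    which is exactly what a hosts-file based blocker (or Vigilante) leaves behind."""
    hits = []
    for ip, host in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed line; skip it
        if (addr.is_loopback or addr.is_unspecified) and host != "localhost":
            hits.append((ip, host))
    return hits


# Homoglyph folding (an assumption of this example): l, 1 and I read as i,
# 0 reads as o, rn reads as m and vv reads as w.
_CONFUSABLES = str.maketrans({"l": "i", "1": "i", "0": "o"})


def skeleton(hostname):
    """Collapse visually confusable characters so look-alikes compare equal."""
    return hostname.lower().translate(_CONFUSABLES).replace("rn", "m").replace("vv", "w")


def find_lookalikes(hostnames, watchlist):
    """Report hostnames that fold to a watched brand but are not that brand."""
    folded = {skeleton(brand): brand for brand in watchlist}
    return [(h, folded[skeleton(h)]) for h in hostnames
            if skeleton(h) in folded and h.lower() != folded[skeleton(h)].lower()]


if __name__ == "__main__":
    for ip, host in sinkholed_entries(SAMPLE_HOSTS):
        print(f"sinkholed: {host} -> {ip}")
    for seen, brand in find_lookalikes(["1flchier.com", "1fichier.com"], ["1fichier.com"]):
        print(f"look-alike: {seen} imitates {brand}")
```

On a live system, feed `sinkholed_entries` the contents of C:\Windows\System32\drivers\etc\hosts; a long list of loopback entries that nobody on the team added is a strong indicator, and `find_lookalikes` can be run over proxy or DNS logs with a watchlist of services the organisation actually uses.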
A VirusTotal search for related samples showed that some of the Trojans had been hosted on Discord, the chat service, as standalone executables.
Others circulated on BitTorrent under the names of popular security programs, productivity tools and games, packaged the way pirated software typically is on that network.
Andrew Brandt's tweets also showed that the creators named the malware after Malwarebytes, a popular antivirus product.
The Trojan executables are digitally signed, which is enough to pass a cursory check for the mere presence of a signature; closer inspection shows the certificates are bogus and expire on December 21, 2039, a validity period no publicly trusted certificate authority would issue.
The file names and the file properties, however, don't match, and the names are strings of 18 upper- and lower-case characters with no apparent pattern.
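Both oddities, the absurd validity period and the random-looking names, can be turned into automated checks. The example below is added for this article and is not code from the researchers. It relies on one fact and one heuristic: the CA/Browser Forum code-signing baseline requirements cap certificate validity at 39 months, so anything longer is self-issued; and legitimate organisation names change case at most once per word, whereas a random 18-letter mixed-case string changes case roughly every other letter. The sample subject name and dates are constructed to match the article's description; the not-before date is an assumption.

```python
from datetime import datetime, timezone

# CA/Browser Forum code-signing baseline requirements cap subscriber
# certificate validity at 39 months; a longer period cannot come from a
# publicly trusted CA, so the certificate must be self-issued.
MAX_CODE_SIGNING_MONTHS = 39


def validity_months(not_before, not_after):
    """Whole-month validity period, the unit the CA/B Forum limit is stated in."""
    return (not_after.year - not_before.year) * 12 + (not_after.month - not_before.month)


def case_switches(name):
    """Number of upper/lower transitions between consecutive letters."""
    letters = [c for c in name if c.isalpha()]
    return sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())


def looks_random(name, min_len=12, min_switches=5):
    """Heuristic (an assumption of this example, not a standard): real
    organisation names are space-separated words with at most one case
    change each; a random mixed-case string of 18 letters averages about 8."""
    return len(name) >= min_len and " " not in name and case_switches(name) >= min_switches


def triage_certificate(subject_cn, not_before, not_after):
    """Return a list of findings; an empty list means nothing looked off."""
    findings = []
    months = validity_months(not_before, not_after)
    if months > MAX_CODE_SIGNING_MONTHS:
        findings.append(f"validity of {months} months exceeds the "
                        f"{MAX_CODE_SIGNING_MONTHS}-month CA/B Forum cap")
    if looks_random(subject_cn):
        findings.append(f"subject CN {subject_cn!r} looks like a random string")
    return findings


# Constructed certificate fields modelled on the article: an 18-character
# mixed-case subject and an expiry of 21 December 2039. The not-before
# date is an assumption.
BOGUS_CN = "aBcDeFgHiJkLmNoPqR"
BOGUS_NOT_BEFORE = datetime(2021, 6, 1, tzinfo=timezone.utc)
BOGUS_NOT_AFTER = datetime(2039, 12, 21, tzinfo=timezone.utc)

# Constructed fields for a plausible legitimate signer, for comparison.
LEGIT_CN = "Example Software Ltd"
LEGIT_NOT_BEFORE = datetime(2021, 1, 1, tzinfo=timezone.utc)
LEGIT_NOT_AFTER = datetime(2024, 1, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for finding in triage_certificate(BOGUS_CN, BOGUS_NOT_BEFORE, BOGUS_NOT_AFTER):
        print("FLAG:", finding)
    print("legit findings:", triage_certificate(LEGIT_CN, LEGIT_NOT_BEFORE, LEGIT_NOT_AFTER))
```

On Windows the three inputs come straight from `(Get-AuthenticodeSignature .\sample.exe).SignerCertificate`, whose Subject, NotBefore and NotAfter properties map onto the function's parameters; the signature status that cmdlet reports is the check the "rudimentary" verification above skipped.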
Opening the executables in a hex editor reveals a racial slur repeated roughly 1,000 times, followed by a block of random letters.
Brandt believes the choice of racial epithets as padding says something about the author. He also noted that the seemingly purposeless padding has a practical effect: varying it changes each file's hash, so every copy carries a different hash and simple hash-based blocklisting catches only the one sample that was submitted.
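To see why padding defeats hash-based blocklisting, and how to detect it, here is an added example written for this article rather than taken from the malware or the researchers. It builds two constructed stand-in samples with the same fake code section, a placeholder token (the real slur is not reproduced) repeated 1,000 times, and a different random block at the end, then shows that the full-file SHA-256 differs while a hash taken over the bytes before the padding run is identical. The layout of the samples and the assumption that the payload precedes the padding are this example's own.

```python
import hashlib
import random
import re

# Placeholder for the repeated epithet; the real string is not reproduced here.
PADDING_TOKEN = b"<SLUR>"
_LETTERS = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Constructed stand-in for the malicious code section shared by all samples.
FAKE_CODE = b"MZ" + b"\x90" * 64 + b"GET /?fn=filename HTTP/1.1\r\n" + b"\xcc" * 32


def build_sample(code, pad_count, seed):
    """Constructed sample layout: code, the token repeated pad_count times,
    then 256 random letters (the per-sample randomized block)."""
    rnd = random.Random(seed)
    tail = bytes(rnd.choices(_LETTERS, k=256))
    return code + PADDING_TOKEN * pad_count + tail


# A substring of 2..32 bytes immediately repeated at least 99 more times.
_PADDING_RE = re.compile(rb"(.{2,32}?)\1{99,}", re.DOTALL)


def find_padding(data):
    """Return (token, repeat_count, start, end) of the first long run of a
    repeated substring, or None if the file has no such padding."""
    m = _PADDING_RE.search(data)
    if m is None:
        return None
    token = m.group(1)
    return token, len(m.group(0)) // len(token), m.start(), m.end()


def file_hash(data):
    """The hash an IOC feed would carry: changes with every re-padded copy."""
    return hashlib.sha256(data).hexdigest()


def normalized_hash(data):
    """Hash only the bytes before the padding run. Assumption of this
    example: the payload precedes the padding, so this value stays constant
    across re-padded copies while file_hash() does not."""
    found = find_padding(data)
    cut = found[2] if found else len(data)
    return hashlib.sha256(data[:cut]).hexdigest()


if __name__ == "__main__":
    a = build_sample(FAKE_CODE, 1000, seed=1)
    b = build_sample(FAKE_CODE, 1000, seed=2)
    print("full hashes differ:", file_hash(a) != file_hash(b))
    token, count, start, end = find_padding(a)
    print(f"padding: {token!r} x {count} at offset {start}")
    print("normalized hashes match:", normalized_hash(a) == normalized_hash(b))
```

The regular expression is deliberately generic: it finds any short token repeated at least 100 times in a row, so it also catches samples where the author switches the padding string. For real detection the normalized hash is a stop-gap; a YARA rule on the code section, or a fuzzy hash such as ssdeep, is the usual way to match samples that differ only in junk bytes.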