They don’t make them like this any more. Anyone who visited FossHub on Tuesday to download either Start Menu replacement Classic Shell or the audio editor Audacity is at risk of having downloaded a Trojan that feels like something out of the early ’90s. The malicious code was written by a hacking crew calling themselves Pegglecrew.
YouTuber danooct1 explains that Pegglecrew’s program is both brand new and largely undetected by sites like VirusTotal. Even the fake installer is almost identical in file size to the original. Opening the infected version of either Audacity or Classic Shell appears to do nothing, but on reboot the user is greeted with the following message:
“As you reboot, you find that something has overwritten your MBR! It is a sad thing your adventures have ended here! Direct all hate to Pegglecrew (@cultofrazer on Twitter)”
The Trojan’s intent does not appear to be destructive, as the message states precisely why the user’s machine is no longer functioning as expected (and in the cadence of a classic text-based RPG). Booting into a recovery CD and executing a quick command to restore the master boot record appears to restore system functions to normal, according to danooct1.
Several tweets suggest Pegglecrew’s work has appeared in the wild on multiple machines. Interestingly, the cultofrazer account appears to have itself been hacked. Pegglecrew got in touch with Gizmodo on Twitter to explain that they had in fact stolen the cultofrazer handle from Razer, the gaming hardware manufacturer, which then took it back. It appears that the Trojan doesn’t have any lasting effects beyond a silly and somewhat annoying message.
In an email to Softpedia, someone claiming to be a member of Pegglecrew wrote:
“In short, a network service with no authentication was exposed to the internet… We were able to grab data from this network service to obtain source code and passwords that led us further into the infrastructure of FOSSHub and eventually gain control of their production machines, backup and mirror locations, and FTP credentials for the caching service they use, as well as the Google Apps-hosted email.”
FossHub’s tagline includes the promises “No adware, no spyware, no bundles, no malware,” which the hacking group proved largely untrue. Audacity wrote in a blog post that the compromised download was up for approximately three hours and that the issue has since been resolved, though the same alleged Pegglecrew member claims that, “after word got out and the admins reverted the changes, we replaced all installer executables on [Fosshub’s] servers with the MBR-overwriting code directly.”
Pegglecrew spoke to Gizmodo via Twitter and offered some explanation for their actions.
“We targeted Fosshub because we wanted to inform people to keep better care of their security… all of the users actually clicked past a prompt telling them that it could be dangerous,” the group told Gizmodo over DM. “That’s just one example of user carelessness and it barely amounts to the quantity of terrible passwords (also exploited in this attack) and other terrible practices.”
They estimate Classic Shell downloads alone were responsible for infecting over 300 machines, but claim they had been using the Trojan itself for months beforehand. Thankfully, Pegglecrew claim their malware has “zero effect other than overwriting the MBR,” which might be cold comfort to the hundreds of peeved users trying to figure out why their computers won’t start up.