They don’t make them like this anymore.
Anyone who visited FossHub on Tuesday to download either Start Menu replacement Classic Shell or the audio editor Audacity is at risk of having downloaded a trojan that feels like something out of the early '90s. The malicious code was written by a hacking team calling themselves Pegglecrew.
YouTuber danooct1 explains that Pegglecrew’s program is both brand new and largely undetected by sites like VirusTotal. Even the fake installer is almost identical in file size to the original. Opening the infected version of either Audacity or Classic Shell appears to do nothing, but on reboot the user is greeted with the following message:
As you reboot, you find that something has overwritten your MBR! It is a sad thing your adventures have ended here! Direct all hate to Pegglecrew (@cultofrazer on Twitter)
The trojan’s intent does not appear to be malicious, as the message states precisely why the user’s machine is no longer functioning as expected. Booting into a recovery CD and executing a quick command to restore the master boot record appears to restore system functions to normal, according to danooct1.
Several tweets suggest Pegglecrew’s work has appeared in the wild on multiple machines. Ironically, cultofrazer appears to either be inactive, or has itself been hacked. It’s unclear if the trojan has any lasting effects beyond a silly and somewhat annoying message.
In an email to Softpedia, someone claiming to be a member of Pegglecrew wrote:
“In short, a network service with no authentication was exposed to the internet... We were able to grab data from this network service to obtain source code and passwords that led us further into the infrastructure of FOSSHub and eventually gain control of their production machines, backup and mirror locations, and FTP credentials for the caching service they use, as well as the Google Apps-hosted email.”
FossHub’s tagline includes the promises, “No adware, no spyware, no bundles, no malware,” which was proven largely untrue by the hacking group. Audacity wrote in a blog post that the compromised download was up for approximately three hours, and has since been resolved, though the same alleged Pegglecrew member claims that, “after word got out and the admins reverted the changes, we replaced all installer executables on [Fosshub’s] servers with the MBR-overwriting code directly.”