Hackers are infecting Windows activators such as KMSPico with malware in order to steal cryptocurrency from wallets
Software piracy is not a new phenomenon; however, the proliferation of "activators" for Microsoft Windows and Microsoft Office has created an opportunity for malicious actors to prey on the unsuspecting users who rely on such tools. Instead of saving money on software licensing, their victims end up exposing their systems to sophisticated malware that evades commercial antivirus solutions and is capable of stealing sensitive information from their computers.
If you're buying or building a new computer, you'll most likely need to purchase a Windows license. Many people are unwilling to pay more than $100 for one, so they frequently resort to buying low-cost keys from grey-market websites or to using one of several online "activators" to get Windows running. The latter option has always carried risk, but historically it has not resulted in significant harm to the vast majority of users who have gone down that path.
According to Red Canary security researchers, malicious actors recently modified one of these tools in order to spread malware capable of stealing tokens from cryptocurrency wallets. The tool in question is KMSPico, which locally emulates a Key Management Services (KMS) server in order to activate Windows and Office product licenses.
Cryptbot malware
According to the researchers, a malicious KMSPico installer bundled the Cryptbot malware, which is capable of stealing credentials and other sensitive information from the web browsers installed on the victim's computer. It also targets a number of cryptocurrency wallets, including Ledger Live, Atomic, Electrum, Exodus, and Coinomi, among others. Moreover, it can be used to deliver banking malware such as Danabot or any other malicious payload to the infected machine.
It's also important to note that Cryptbot is difficult to detect: its authors employ a variety of techniques to evade conventional antivirus solutions, including the use of encrypted binaries to conceal the malware's activity. Either way, this shows that, in the case of Windows and Office, piracy is not worth the risk. When it comes to saving money on licensing, purchasing a computer with Windows already installed during a sale may be the most advantageous option.
According to Red Canary intelligence analyst Tony Lambert, the use of this tool is not restricted to ordinary home consumers. Small businesses across the country are attempting to save money on licensing by utilizing pirated copies of Windows and Office that have been activated through KMSPico. Doing so, however, poses significant security risks to their information technology infrastructure. For example, Lambert notes that the company "had one ill-fated incident response engagement in which our IR partner was unable to remediate one environment because the organization did not possess even a single valid Windows license."