Cryptbot hides in KMSPico

Cyber security specialists warn all pirated software enthusiasts to beware of infection by Cryptbot. They detected an incident in which this infostealer was dropped by a fake KMSPico installer. Hackers have used a variety of means to distribute the malware; recently specialists observed it being deployed via “cracked” software, and in particular threat actors disguised it as KMSPico.

Along with this many organizations use illegitimate KMSPico

Many use KMSPico to unlock the full features of Microsoft Windows and Office products without an actual license key. Normally an organization would use legitimate KMS licensing: a KMS server is installed in a central location, and Group Policy Objects (GPO) are then used to configure clients to communicate with it. This is a legitimate technology for licensing Microsoft products across enterprise networks. Alongside it, many organizations use the illegitimate KMSPico, which essentially emulates a KMS server locally on the affected system in order to activate the endpoint’s license. This simply circumvents licensing.
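The distinction above (a central KMS server reached by clients, versus an emulator running on the endpoint itself) is something an administrator can check from the activation data Windows already exposes. The following PowerShell function is an added example written for this page, not code from the article or from any of the products it mentions. It reads the documented SoftwareLicensingProduct CIM class and flags any licensed product whose configured or DNS-discovered KMS host name points back at the local machine; the list of names treated as "local" is an assumption of this check, as is the function name.

```powershell
# Added example: inventory Windows/Office license products on this host and flag
# any whose KMS host resolves to the local machine. A central, GPO-configured KMS
# server shows up as a remote host name; a local KMS emulator does not.
# Requires an elevated or standard PowerShell session on Windows; read-only.
function Get-SuspiciousKmsActivation {
    [CmdletBinding()]
    param(
        # Names considered "the local machine" for this check (assumption, not a Microsoft list)
        [string[]] $LocalNames = @(
            'localhost', '127.0.0.1', '::1',
            $env:COMPUTERNAME,
            "$env:COMPUTERNAME.$env:USERDNSDOMAIN"
        )
    )

    # LicenseStatus values as documented for SoftwareLicensingProduct
    $statusNames = @{
        0 = 'Unlicensed'; 1 = 'Licensed'; 2 = 'OOBGrace'; 3 = 'OOTGrace'
        4 = 'NonGenuineGrace'; 5 = 'Notification'; 6 = 'ExtendedGrace'
    }

    # Only products with a partial product key installed are actually in use here
    $products = Get-CimInstance -ClassName SoftwareLicensingProduct `
                                -Filter "PartialProductKey IS NOT NULL"

    foreach ($p in $products) {
        # Statically configured KMS host (e.g. set with slmgr /skms or via GPO)
        # and the one discovered through DNS SRV lookup, if any.
        $configured = $p.KeyManagementServiceMachine
        $discovered = $p.DiscoveredKeyManagementServiceMachineName
        $kmsHosts   = @($configured, $discovered) | Where-Object { $_ }

        $isLocal = $false
        foreach ($h in $kmsHosts) {
            # -contains is case-insensitive; the regex catches loopback literals
            if (($LocalNames -contains $h) -or ($h -match '^(127\.|::1$|localhost$)')) {
                $isLocal = $true
            }
        }

        $status = if ($statusNames.ContainsKey([int]$p.LicenseStatus)) {
            $statusNames[[int]$p.LicenseStatus]
        } else {
            "Unknown($($p.LicenseStatus))"
        }

        [pscustomobject]@{
            Product       = $p.Name
            LicenseStatus = $status
            KmsConfigured = $configured
            KmsDiscovered = $discovered
            KmsPort       = $p.KeyManagementServicePort
            LocalKmsHost  = $isLocal
        }
    }
}

# Usage: list only the products whose KMS host is the machine itself.
Get-SuspiciousKmsActivation | Where-Object LocalKmsHost | Format-Table -AutoSize
```

A result with LocalKmsHost set to True is a lead, not a verdict: a lab machine that legitimately hosts its own KMS would look the same, so confirm against the organization's known KMS host names before acting. Running the function across a fleet and comparing KmsConfigured and KmsDiscovered with the GPO-published server is a cheap way to find endpoints that were activated outside the sanctioned path.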

Who can say where the real KMSPico is?

The problem here, as with all pirated software, is that someone might look for the actual KMSPico but instead download some kind of malware. Numerous anti malware vendors detect license circumvention software as a potentially unwanted program (PUP for short). That’s why KMSPico is often distributed with instructions and disclaimers telling the user to deactivate anti malware products before installing. In that case the user not only leaves themselves open to anything suspicious, but the download they found may also turn out to be something other than expected. Microsoft supports only legitimate activation on Windows.

Despite the prolific obfuscation specialists could still detect the malware

In the distribution of Cryptbot, malware specialists observe tendencies similar to those of Yellow Cockatoo/Jupyter. Yellow Cockatoo is a cluster of activity that entails the execution of a .NET remote access trojan (RAT) which runs in memory and drops other payloads, and Jupyter is an infostealer that primarily targets Chrome, Firefox and Chromium browser data. Threat actors use crypters, packers and evasion methods to obstruct signature-based tools such as YARA rules and antivirus. In the case of Cryptbot, threat actors used the CypherIT AutoIT crypter to obfuscate it. But cyber security specialists say that despite the prolific obfuscation they could still detect the malware by targeting the behaviors that delivered and deobfuscated it.

The specialists also warn that the Cryptbot malware collects confidential information from the following applications:

  • Vivaldi web browser;
  • CCleaner web browser;
  • Mozilla Firefox web browser;
  • MultiBitHD cryptocurrency wallet;
  • Monero cryptocurrency wallet;
  • Exodus cryptocurrency wallet;
  • Electrum cryptocurrency wallet;
  • Electron Cash cryptocurrency wallet;
  • Jaxx Liberty cryptocurrency wallet;
  • Google Chrome web browser;
  • Coinomi cryptocurrency wallet;
  • Waves Client and Exchange cryptocurrency applications;
  • Opera Web Browser;
  • Ledger Live cryptocurrency wallet;
  • Brave browser;
  • Avast Secure web browser;
  • Atomic cryptocurrency wallet.
Andrew Nail

Cybersecurity journalist from Montreal, Canada. Studied communication sciences at Universite de Montreal. I was not sure if a journalist job was what I wanted to do in my life, but in conjunction with technical sciences, it is exactly what I like to do. My job is to catch the most current trends in the cybersecurity world and help people deal with malware they have on their PCs.