Cyber security warns all pirated software enthusiasts to beware the infection of Cryptbot. They detected an incident where this infostealer was dropped by a fake KMSPico installer. Hackers have applied different means to distribute the malware. Recently specialists observed its deployment via “cracked” software and in particular threat actors disguised it as KMSPico.
Along with this many organizations use illegitimate KMSPico
Many use KMSPico in order to activate the full features of Microsoft Windows and Office products without an actual license key. Normally an organization would use legitimate KMS licensing to install a KMS server in a central location. After this they use Group Policy Objects (GPO) to configure clients to communicate with it. This is a legitimate technology of licensing Microsoft products across enterprise networks. Along with this many organizations use illegitimate KMSPico that basically emulates a KMS server locally on the affected system to activate the endpoint’s license. Such actions just circumvent it.
The problem here and as with all pirated software is that someone might look for the actual KMSPico but instead will download some kind of malware. Numerous anti malware vendors detect license circumvention software as a potentially unwanted program (short PUP). That’s why KMSPico is often distributed with instructions and disclaimers to deactivate anti malware products before installing. Not only in such a case does the user leave themselves open to anything suspicious but the found download can also be a surprise. Microsoft supports only legitimate activation on Windows.
Despite the prolific obfuscation specialists could still detect the malware
In the Cryptbot distribution malware specialists observe similar tendencies to those of Yellow Cockatoo/Jupyter. Yellow Cockatoo is a collection of activity that entails the execution of a .NET remote access trojan (RAT) which runs in memory and drops other payloads. And Jupyter is an infostealer that primarily targets Chrome, Firefox and Chromium browser data. Threat actors use crypters, packers and evasion methods to obstruct signature-based tools such as YARA rules and antivirus. In the case of Cryptbot threat actors used the CypherIT AutoIT crypter to obfuscate it. But cyber security specialists say that despite the prolific obfuscation they could still detect the malware by targeting behaviors that delivered and deobfuscated the malware.
Also the specialist warn that the Cryptbot malware collects the confidential information from the following applications:
