KMSPico’s malicious installers steal your cryptocurrency wallets
Threat actors distribute KMSpico installers modified to infect Windows devices with malware that steals cryptocurrency wallets.
This activity was spotted by researchers at Red Canary, who warn that pirating software to save on license costs is not worth the risk.
KMSPico is a popular Microsoft Windows and Office product activator that emulates a Windows Key Management Services (KMS) server to activate licenses fraudulently.
According to Red Canary, the number of IT departments using KMSPico instead of legitimate Microsoft software licenses is much larger than expected.
“We observed that several IT departments were using KMSPico instead of legitimate Microsoft licenses to activate systems,” said Tony Lambert, intelligence analyst at Red Canary.
“In fact, we even had an incident response engagement where our IR partner was unable to remediate an environment due to the lack of a single valid Windows license in the environment.”
Tainted product activators
KMSPico is commonly distributed through pirated software and crack sites that wrap the tool in installers that contain adware and malware.
Many sites have been created to distribute KMSPico, all claiming to be the official one.
A malicious KMSPico installer analyzed by Red Canary arrives as a self-extracting executable (such as a 7-Zip archive) that contains both the KMS server emulator and Cryptbot.
“The user becomes infected by clicking on one of the malicious links and downloads either KMSPico, Cryptbot, or other malware without KMSPico,” says the technical analysis of the campaign.
“Adversaries also install KMSPico, because that’s what the victim expects to happen, while simultaneously deploying Cryptbot behind the scenes.”
The malware is wrapped in the CypherIT packer, which obfuscates the installer to prevent detection by security software. The installer then launches a similarly heavily obfuscated script capable of detecting sandboxes and AV emulation, so it will not run on researchers’ analysis devices.
Additionally, Cryptbot checks for the presence of the “%APPDATA%\Ramson” folder and runs its self-removal routine if the folder exists, to prevent re-infection.
Cryptbot’s bytes are injected into memory via process hollowing, and the malware’s operational functionality overlaps with findings from previous research.
In summary, Cryptbot is able to collect sensitive data from the following applications:
- Atomic cryptocurrency wallet
- Avast Secure web browser
- Brave web browser
- Ledger Live cryptocurrency wallet
- Opera web browser
- Waves Client and Exchange cryptocurrency applications
- Coinomi cryptocurrency wallet
- Google Chrome web browser
- Jaxx Liberty cryptocurrency wallet
- Electron Cash cryptocurrency wallet
- Electrum cryptocurrency wallet
- Exodus cryptocurrency wallet
- Monero cryptocurrency wallet
- MultiBitHD cryptocurrency wallet
- Mozilla Firefox web browser
- CCleaner web browser
- Vivaldi web browser
Since Cryptbot does not rely on unencrypted binaries on disk to function, it can only be detected by monitoring for malicious behavior, such as the execution of PowerShell commands or external network communication.
Red Canary shares the following four key detection opportunities:
- binaries that contain AutoIT metadata but do not have “AutoIT” in their filenames
- AutoIT processes establishing external network connections
- findstr commands similar to findstr /V /R "^… $"
- PowerShell or cmd.exe commands containing rd /s /q, timeout and del /f /q together
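The four detection points above can be turned into simple rules run over process telemetry. The script below is an added illustration and is not Red Canary's own detection logic; it assumes a hypothetical process-event record with an image path, a command line, binary version metadata, and remote IPs the process connected to, and it approximates the findstr and cleanup-chain patterns with regular expressions. The sample events are constructed for the example.

```python
"""Toy detector for the four KMSPico/Cryptbot behaviours listed above.

Added example; the event schema and the sample events are constructed here
and are not Red Canary's detection content.
"""
import ipaddress
import re
from dataclasses import dataclass, field


@dataclass
class ProcessEvent:
    pid: int
    image: str                                     # full path of the executing binary
    cmdline: str
    metadata: dict = field(default_factory=dict)   # PE version info, e.g. {"ProductName": "..."}
    remote_ips: list = field(default_factory=list)  # peers the process connected to


# Ranges treated as "internal"; anything else counts as an external connection.
_INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Approximation of: findstr /V /R "^...$"  (findstr with both /V and /R and an anchored pattern)
FINDSTR_RE = re.compile(r'\bfindstr\s+/V\s+/R\s+"\^', re.IGNORECASE)

# All three must appear together in one cmd.exe / PowerShell command line.
CLEANUP_RES = (
    re.compile(r"\brd\s+/s\s+/q\b", re.IGNORECASE),
    re.compile(r"\btimeout\b", re.IGNORECASE),
    re.compile(r"\bdel\s+/f\s+/q\b", re.IGNORECASE),
)


def _process_name(ev: ProcessEvent) -> str:
    return ev.image.rsplit("\\", 1)[-1].lower()


def _has_autoit_metadata(ev: ProcessEvent) -> bool:
    return any("autoit" in str(v).lower() for v in ev.metadata.values())


def _is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in _INTERNAL_NETS)


def evaluate(ev: ProcessEvent) -> list:
    """Return the names of the rules this event triggers, in rule order."""
    hits = []
    name = _process_name(ev)
    autoit = _has_autoit_metadata(ev) or "autoit" in name
    if _has_autoit_metadata(ev) and "autoit" not in name:
        hits.append("autoit_metadata_without_autoit_filename")
    if autoit and any(_is_external(ip) for ip in ev.remote_ips):
        hits.append("autoit_external_network")
    if FINDSTR_RE.search(ev.cmdline):
        hits.append("findstr_v_r_pattern")
    if name in ("cmd.exe", "powershell.exe") and all(r.search(ev.cmdline) for r in CLEANUP_RES):
        hits.append("self_removal_cleanup_chain")
    return hits


def scan(events: list) -> dict:
    """Map pid -> triggered rules for every event that triggers at least one."""
    return {ev.pid: evaluate(ev) for ev in events if evaluate(ev)}


# Constructed sample telemetry (203.0.113.7 is a documentation address standing in for an external peer).
SAMPLE_EVENTS = [
    ProcessEvent(1001, r"C:\Users\user\AppData\Local\Temp\setup.exe", "setup.exe",
                 {"ProductName": "AutoIt v3 Script"}, ["203.0.113.7"]),
    ProcessEvent(1002, r"C:\Windows\System32\cmd.exe",
                 r'cmd.exe /c rd /s /q "C:\Users\user\AppData\Local\Temp\abc" & timeout 3 & '
                 r'del /f /q "C:\Users\user\AppData\Local\Temp\setup.exe"'),
    ProcessEvent(1003, r"C:\Windows\System32\cmd.exe", r'cmd.exe /c findstr /V /R "^abc$" payload.txt'),
    ProcessEvent(1004, r"C:\Program Files\AutoIt3\AutoIt3.exe", "AutoIt3.exe build.au3",
                 {"ProductName": "AutoIt v3"}, ["192.168.1.10"]),   # benign: named AutoIt, internal peer
    ProcessEvent(1005, r"C:\Windows\System32\cmd.exe", "cmd.exe /c timeout 5"),  # benign: timeout alone
]

if __name__ == "__main__":
    for pid, rules in scan(SAMPLE_EVENTS).items():
        print(pid, rules)
```

The first two rules need PE version metadata and network telemetry joined to the process record, which is why endpoint sensors rather than plain command-line logs are required for them; the last two work on command lines alone and are the cheapest to deploy.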
In summary, if you thought KMSPico was a smart way to save on unnecessary licensing costs, the above illustrates why it’s a bad idea.
The reality is that the losses from incident response, ransomware attacks, and cryptocurrency theft resulting from installing pirated software could far exceed the cost of genuine Windows and Office licenses.