Cryptocurrency theft
Threat actors are distributing altered KMSpico installers to infect Windows devices with malware that steals cryptocurrency wallets.
This activity has been spotted by researchers at Red Canary, who warn that pirating software to save on licensing costs isn’t worth the risk.
KMSPico is a popular Microsoft Windows and Office product activator that emulates a Windows Key Management Services (KMS) server to activate licenses fraudulently.
According to Red Canary, the number of IT departments using KMSPico instead of legitimate Microsoft software licenses is much larger than one would expect.
“We’ve observed several IT departments using KMSPico instead of legitimate Microsoft licenses to activate systems,” explained Red Canary intelligence analyst Tony Lambert. 
“In fact, we even experienced one ill-fated incident response engagement where our IR partner could not remediate one environment due to the organization not having a single valid Windows license in the environment.”
KMSPico is commonly distributed through pirated software and cracks sites that wrap the tool in installers containing adware and malware.
As you can see below, there are numerous sites created to distribute KMSPico, all claiming to be the official site.
A malicious KMSPico installer analyzed by Red Canary comes as a self-extracting executable (such as a 7-Zip SFX) and contains both an actual KMS server emulator and Cryptbot.
“The user becomes infected by clicking one of the malicious links and downloads either KMSPico, Cryptbot, or another malware without KMSPico,” explains a technical analysis of the campaign.
“The adversaries install KMSPico also, because that is what the victim expects to happen, while simultaneously deploying Cryptbot behind the scenes.”
The malware is wrapped by the CypherIT packer, which obfuscates the installer to prevent it from being detected by security software. This installer then launches a script that is also heavily obfuscated and is capable of detecting sandboxes and AV emulation, so it won’t execute when run on the researchers’ devices.
Moreover, Cryptbot checks for the presence of “%APPDATA%Ramson” and executes its self-deletion routine if the folder exists, to prevent re-infection.
The injection of the Cryptbot bytes into memory occurs through the process hollowing method, while the malware’s operational features overlap with previous research findings.
In summary, Cryptbot is capable of collecting sensitive data from the following apps:
Because Cryptbot’s operation doesn’t rely on the existence of unencrypted binaries on the disk, detecting it is only possible by monitoring for malicious behavior such as PowerShell command execution or external network communication.
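The behavior-based detection the article describes, as an added example that is not part of the original article or Red Canary’s own detection content: it runs two simple rules over process-creation events (a script host spawned by an executable living in a user-writable directory, and PowerShell launched with hidden-window or encoded-command switches). The events are constructed to mirror the installer chain described above, and the field names and rule patterns are assumptions.

```python
import re
from dataclasses import dataclass

# Directories an installer downloaded from a cracks site would typically run from (assumed patterns)
USER_WRITABLE = re.compile(r"\\(Users\\[^\\]+\\(Downloads|AppData)|Temp|ProgramData)\\", re.I)
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Switches commonly seen with obfuscated PowerShell launchers (assumed indicators, not from the article)
PS_SUSPICIOUS = re.compile(r"(-enc(odedcommand)?\s|-w(indowstyle)?\s+hidden|-nop\b|\biex\b|frombase64string)", re.I)


@dataclass
class ProcEvent:
    image: str          # full path of the created process
    parent_image: str   # full path of its parent process
    command_line: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, parent, child) tuples for events matching either rule."""
    findings = []
    for ev in events:
        img, parent = basename(ev.image), basename(ev.parent_image)
        # Rule 1: a script host whose parent executable runs from a user-writable directory
        if img in SCRIPT_HOSTS and USER_WRITABLE.search(ev.parent_image):
            findings.append(("script_host_from_user_dir", parent, img))
        # Rule 2: PowerShell launched with evasion/obfuscation-style switches
        if img in {"powershell.exe", "pwsh.exe"} and PS_SUSPICIOUS.search(ev.command_line):
            findings.append(("obfuscated_powershell", parent, img))
    return findings


# Constructed sample telemetry modelled on the SFX installer -> script -> PowerShell chain (not real logs)
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Users\alice\Downloads\KMSPico_setup.exe", r"C:\Windows\explorer.exe", "KMSPico_setup.exe"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Users\alice\Downloads\KMSPico_setup.exe", 'cmd /c "unpacked.cmd"'),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\System32\cmd.exe",
              "powershell -nop -w hidden -enc QQBBAEEAQQA="),
    # Benign admin script run by the task scheduler: neither rule should fire
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\System32\svchost.exe",
              r"powershell -File C:\Scripts\backup.ps1"),
]

if __name__ == "__main__":
    for rule, parent, child in detect(SAMPLE_EVENTS):
        print(f"{rule}: {parent} -> {child}")
```

The same rules can be fed Sysmon event ID 1 or EDR process-creation records once mapped onto the three fields above.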
Red Canary shares the following four key points for threat detection:
In summary, if you thought that KMSPico is a smart way to save on unnecessary licensing costs, the above illustrates why that’s a bad idea.
The reality is that the loss of revenue due to incident response, ransomware attacks, and cryptocurrency theft from installing pirated software could be more than the cost of the actual Windows and Office licenses.
Well deserved! Someone who has money in crypto should have money to legally purchase their software.

Besides, it’s a red flag alone when a URI contains “official” or “get”. These are your average Joe keywords. I enjoyed the article though, these guys have better SEO than most newspapers. Being the 1st and 2nd result on Google itself requires effort.

Not lifting these criminals on a pedestal though.
Many STOP/Djvu installs came from KMSPico as well. Extremely dangerous software.
After backdoors, rootkits and trojans, crypto miners/stealers were a natural choice :p
I wonder if people with cryptocurrency can’t afford a license…