Individuals who attempt to activate Windows without a digital license or a product key are now being targeted via malware aimed to steal passwords and other information from bitcoin wallets.
The malware, called "CryptBot," is an information stealer capable of stealing browser credentials, cryptocurrency wallet credentials, browser cookies, credit card information, as well as screenshots from compromised PCs. The current attack uses malware posing as KMSPico and is delivered via pirated software.
KMSPico is an unauthorized utility used to illegally activate the full functionalities of pirated copies of software such as Microsoft Windows and the Office suite without a licensing key.
"The user becomes infected by clicking one of the malicious links and downloading either KMSPico, Cryptbot, or another malware without KMSPico," Red Canary researcher Tony Lambert said in a report published last week. "The adversaries install KMSPico also because that is what the victim expects to happen, while simultaneously deploying Cryptbot behind the scenes."
According to the business, much of that private data is obtained via cryptocurrency-related software such as:
- Atomic cryptocurrency wallet
- Ledger Live cryptocurrency wallet
- Waves Client and Exchange cryptocurrency applications
- Coinomi cryptocurrency wallet
- Jaxx Liberty cryptocurrency wallet
- Electron Cash cryptocurrency wallet
- Electrum cryptocurrency wallet
- Exodus cryptocurrency wallet
- Monero cryptocurrency wallet
- MultiBitHD cryptocurrency wallet
According to the American cybersecurity firm, many Such IT departments have been discovered using unauthorized software instead of valid Microsoft licenses to activate systems, and the modified KMSpico installers are dispersed via several websites claiming to offer the "official" edition of the activator. This is far from the first instance cracked software has been used to spread malware.
In June 2021, Czech cybersecurity software company Avast revealed the "Crackonosh" campaign, which entailed distributing illicit copies of popular software to hack into and exploit infected devices to mine for cryptocurrency, allowing the attacker to make over $2 million of earnings.
