A new BitRAT malware distribution campaign is ongoing, targeting people who want to utilise unauthorised Microsoft licence activators to activate unlicensed Windows OS versions for free.
BitRAT is a strong remote access trojan that can be purchased for as little as $20 (lifetime access) on cybercrime forums and dark web markets. As a result, each buyer has their own malware dissemination strategy, which may include phishing, watering holes, or trojanized software. Threat actors are delivering BitRAT malware as a Windows 10 Pro licence activator on webhards in a new BitRAT malware distribution campaign identified by AhnLab researchers.
Webhards are popular online storage services in South Korea that receive a steady stream of visitors via direct download links posted on social media platforms or Discord. Threat actors are increasingly exploiting webhards to deliver malware due to their widespread use in the region.
Based on some of the Korean characters in the code snippets and how it was distributed, the actor behind the current BitRAT campaign appears to be Korean.
To use Windows 10, one must first purchase and activate a Microsoft licence.
While there are ways to get Windows 10 for free, one must have a valid Windows 7 licence to do so.
Those who don't want to deal with licencing concerns or who don't have a licence to upgrade frequently resort to pirating Windows 10 and using unapproved activators, many of which are infected with malware.'W10DigitalActiviation.exe' is the malicious file presented as a Windows 10 activator in this campaign, and it has a simple GUI with a button to "Activate Windows 10."
Rather than activating the Windows licence on the host system, the "activator" will download malware from a threat actors' hardcoded command and control server.
The retrieved payload is BitRAT, which is installed as 'Software Reporter Tool.exe' in the %TEMP% folder and added to the Startup folder. Exclusions for Windows Defender are also included by the downloader to guarantee that BitRAT is not detected. The downloader deletes itself from the system after the malware installation process is completed, leaving just BitRAT behind.
BitRAT is marketed as a powerful, low-cost, and versatile malware that can steal a variety of sensitive data from the host computer.BitRAT includes features such as keylogging, clipboard monitoring, camera access, audio recording, credential theft through web browsers, and XMRig coin mining.
It also includes a remote control for Windows PCs, hidden virtual network computing (hVNC), and SOCKS4 and SOCKS5 reverse proxy (UDP). On that front, ASEC's investigators discovered considerable code similarities between TinyNuke and its derivative, AveMaria,(Warzone). The RATs' hidden desktop capability is so valuable that some hacking groups, such as the Kimsuky, have included them in their arsenal only to use the hVNC tool.
