2022-02-02 11:51:40 mikes zhang

An attacker is distributing a modified KMSPico installer that infects Windows machines with malware that steals cryptocurrency wallets.

Red Canary researchers discovered the activity and warn that pirating software to save on licensing costs is not worth the risk.

KMSPico is a popular activator for Microsoft Windows and Office products. It emulates a Windows Key Management Service (KMS) server to activate licenses fraudulently.

According to Red Canary, the number of IT departments that use KMSPico to activate systems with illegitimate Microsoft licenses is far larger than people would expect.

"We've seen several IT departments using KMSPico instead of legitimate Microsoft licenses to activate systems," explains Red Canary intelligence analyst Tony Lambert.

"In fact, we even experienced an unfortunate incident response engagement where our IR partners could not remediate an environment because the organization did not have a valid Windows license."

Tainted product activator
KMSPico is usually distributed through pirated-software and cracking sites, which bundle the tool in installers that contain adware and malware.

As shown below, many sites have been set up to distribute KMSPico, and all of them claim to be the official site.

The malicious KMSPico installer analyzed by Red Canary is a self-extracting executable, such as a 7-Zip SFX, that contains both the actual KMS server emulator and Cryptbot.

"The user becomes infected by clicking one of the malicious links and downloads either KMSPico, Cryptbot, or another form of malware without KMSPico," the technical analysis of the activity explains.

"The adversaries install KMSPico as well, because that is what the victim expects to happen, while simultaneously deploying Cryptbot behind the scenes."

The malware is packaged with the CypherIT packer, which obfuscates the installer to prevent detection by security software. The installer then launches a heavily obfuscated script that can detect sandboxes and AV emulation, so it will not run on a researcher's device.
In addition, Cryptbot checks whether "%APPDATA%\Ramson" exists; if the folder is present, it runs its self-deletion routine to prevent re-infection.

Cryptbot's bytes are injected into memory via process hollowing, and the malware's operational characteristics overlap with those described in previous research.

In short, Cryptbot can collect sensitive data from the following applications:

Atomic cryptocurrency wallet
Avast Secure web browser
Brave browser
Ledger Live cryptocurrency wallet
Opera web browser
Waves Client and Exchange cryptocurrency applications
Coinomi cryptocurrency wallet
Google Chrome web browser
Jaxx Liberty cryptocurrency wallet
Electron Cash cryptocurrency wallet
Electrum cryptocurrency wallet
Exodus cryptocurrency wallet
Monero cryptocurrency wallet
MultiBitHD cryptocurrency wallet
Mozilla Firefox web browser
CCleaner web browser
Vivaldi web browser

Because Cryptbot's operation does not depend on unencrypted binaries being present on disk, it can only be detected by monitoring for malicious behavior such as PowerShell command execution or external network communication.

Red Canary shared the following four key threat-detection points:

A binary that contains AutoIT metadata but does not have "AutoIT" in its file name
An AutoIT process establishing an external network connection
A findstr command similar to findstr /V /R "^ … $"
PowerShell or cmd.exe commands containing rd /s /q, timeout and del /f /q
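
As an added example (not code from Red Canary's report or from the original article), the following Python applies those four detection points to a handful of constructed process events. The event fields (image, cmdline, metadata, remote_ip) are assumptions about what an EDR or Sysmon-style feed would supply, and the findstr rule matches only the anchored "^…$" shape of the pattern because the article elides the actual expression.

```python
import re

# Assumed event shape (not from the article): image path, command line, PE metadata, remote address.
def ev(image, cmdline, product="", remote_ip=None):
    return {"image": image, "cmdline": cmdline,
            "metadata": {"ProductName": product}, "remote_ip": remote_ip}

# Constructed sample events; 203.0.113.10 is a documentation-range address, not a real host.
SAMPLE_EVENTS = [
    ev(r"C:\Users\u\AppData\Local\Temp\setup.exe", "setup.exe",
       product="AutoIt v3 Script", remote_ip="203.0.113.10"),
    ev(r"C:\Windows\System32\cmd.exe", 'cmd.exe /c findstr /V /R "^abc$" payload.txt'),
    ev(r"C:\Windows\System32\cmd.exe",
       r'cmd.exe /c timeout 3 & rd /s /q "C:\Temp\drop" & del /f /q setup.exe'),
    ev(r"C:\Program Files\AutoIt3\AutoIt3.exe", "AutoIt3.exe script.au3",
       product="AutoIt v3", remote_ip="192.168.1.20"),   # benign: LAN destination only
    ev(r"C:\Windows\System32\cmd.exe", "cmd.exe /c timeout 5"),  # benign: timeout on its own
]

PRIVATE_PREFIXES = ("10.", "127.", "169.254.", "192.168.") + tuple(
    f"172.{n}." for n in range(16, 32))

def is_external(ip):
    """Anything outside loopback/link-local/RFC1918 counts as an external destination."""
    return bool(ip) and not ip.startswith(PRIVATE_PREFIXES)

def detect(event):
    """Return the names of the four detection points the event matches, in fixed order."""
    hits = []
    name = event["image"].rsplit("\\", 1)[-1].lower()
    cmd = event["cmdline"]
    autoit = any("autoit" in str(v).lower() for v in event["metadata"].values())
    # 1. AutoIT metadata inside a binary whose file name hides that fact
    if autoit and "autoit" not in name:
        hits.append("autoit_metadata_renamed_binary")
    # 2. AutoIT process (by metadata or name) talking to an external host
    if (autoit or "autoit" in name) and is_external(event["remote_ip"]):
        hits.append("autoit_external_network")
    # 3. findstr /V /R with an anchored "^...$" pattern (exact expression elided in the article)
    if re.search(r'findstr\s+(?:\S+\s+)*?/V\s+/R\s+"\^.*\$"', cmd, re.IGNORECASE):
        hits.append("findstr_anchored_inverse_match")
    # 4. cmd.exe/PowerShell cleanup chain: rd /s /q, timeout and del /f /q together
    if name in ("cmd.exe", "powershell.exe") and all(
            m in cmd.lower() for m in ("rd /s /q", "timeout", "del /f /q")):
        hits.append("self_delete_cleanup_chain")
    return hits

def scan(events):
    # Map event index to its matched detections, keeping only events with at least one hit.
    return {i: h for i, h in ((i, detect(e)) for i, e in enumerate(events)) if h}
```

The two benign events show why the rules are combined the way they are: a LAN-only AutoIt process and a lone timeout command produce no hits.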
In short, if you think KMSPico is a sensible way to save on unnecessary licensing costs, the above explains why it is a bad idea.

The reality is that the revenue lost to incident response, ransomware attacks and cryptocurrency theft resulting from installing pirated software can far exceed the actual cost of Windows and Office licenses.

