Red Canary researchers have reported a fake KMSPico installer circulating on the Internet. It has been altered to infect Windows computers and is capable of malicious activities such as cryptocurrency wallet theft, among others.
Modifying high-demand software and passing it off as legitimate is a preferred method of distributing malware. This is what is happening with KMSPico, a popular Microsoft Windows and Office product activator (cracker) that emulates a Windows Key Management Services (KMS) server to fraudulently activate licenses.
We already knew that KMSPico is widely used by consumers to crack Microsoft’s flagship software, but according to Red Canary, its use by businesses and many IT departments is also greater than one might expect: “We have observed that several IT departments use KMSPico instead of legitimate licenses.”
The software is commonly distributed through pirate sites, crack sites and torrent networks, and the modified build arrives the same way. The malicious version detected by the security firm is delivered as a self-extracting 7-Zip executable that bundles and installs the real KMS emulator, so the victim suspects nothing.
Behind the scenes, however, the real intention is to install Cryptbot, an information-stealing Trojan that harvests credentials saved in browsers and other data from the compromised computer. It can collect confidential data from applications used by millions of users, from Chrome to Firefox, as well as from all major cryptocurrency wallets.
The malware is wrapped with the CypherIT wrapper, which obfuscates the installer to evade detection by security software. That installer then launches a script, also hidden, that can detect sandbox environments and AV emulation. Furthermore, Cryptbot checks for the presence of “%APPDATA%\Ramson” and, if it exists, runs its self-removal routine.
Because Cryptbot’s operations do not rely on unencrypted binaries existing on disk, detection is only possible by monitoring malicious behaviour, such as the execution of PowerShell commands or external network communication. Hence, it is not easy to detect.
Be careful with this KMSPico… The supposed “savings” on Windows or Office licenses can turn out to be quite expensive.