Threat actors have been observed distributing modified KMSPico installers to infect Windows devices with malware capable of stealing cryptocurrency wallets.

KMSPico is a well-known product activator for Microsoft solutions such as Office and Windows, and it can emulate Windows Key Management Services (KMS) servers and fraudulently activate licences.

Researchers from the cybersecurity firm Red Canary spotted the activity and are now warning KMSPico users that running pirated software to cut licensing costs is not worth the associated risks.

Fraudulent activity uncovered

According to researchers at Red Canary, the IT departments using KMSPico installers instead of genuine Microsoft software licences are not always as small as might be expected. Tony Lambert, intelligence analyst at the firm, said in a statement:

“We’ve observed several IT departments using KMSPico instead of legitimate Microsoft licences to activate systems. In fact, we even experienced one ill-fated incident response engagement where our IR partner could not remediate one environment due to the organisation not having a single valid Windows license in the environment.”

KMSPico is often distributed through pirated-software and cracks sites, which typically wrap the tool in installers that contain malware or adware. A modified KMSPico installer analysed by Red Canary used a self-extracting executable (7-Zip) that contained both the Cryptbot malware and a KMS server emulator.

The research report explained how the payload is delivered:

“The user becomes infected by clicking one of the malicious links and downloads either KMSPico, Cryptbot, or another malware without KMSPico. The adversaries install KMSPico also, because that is what the victim expects to happen, while simultaneously deploying Cryptbot behind the scenes.”

This is a common technique used by a wide range of cybercriminals, where the expected software is deployed to avoid users becoming suspicious while the malicious payload is unleashed.

Additionally, the malware is wrapped in a CypherIT packer to obfuscate the installer and prevent a device’s security software from detecting it. The installer then launches a malicious script, which is also obfuscated and can detect antivirus emulation and sandboxes, so it never runs on a security researcher’s simulated system or device.

Stealing data from multiple apps

Because Cryptbot’s operation does not depend on unencrypted binaries being present on disk, detection relies on careful monitoring for malicious behaviour such as external network communication and PowerShell command execution.
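As an added illustration of the behavioural detection described above (not code from Red Canary or from the original article), the following Python heuristic walks constructed Sysmon-style process and network events, flags a PowerShell process whose ancestry includes a self-extracting installer or a binary run from a user-writable path, and lists that process’s connections to non-internal addresses. Field names, the sample events and the TEST-NET “external” address are all assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample events (not real telemetry). event 1 = process creation,
# event 3 = network connection; field names are simplified assumptions.
EVENTS = [
    {"event": 1, "pid": 100, "ppid": 4,   "image": r"C:\Windows\explorer.exe", "desc": "Windows Explorer"},
    {"event": 1, "pid": 200, "ppid": 100, "image": r"C:\Users\alice\Downloads\KMSPico_setup.exe", "desc": "7z SFX"},
    {"event": 1, "pid": 201, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe", "desc": "Windows Command Processor"},
    {"event": 1, "pid": 202, "ppid": 201, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "desc": "Windows PowerShell"},
    {"event": 3, "pid": 202, "dst": "203.0.113.10", "dport": 443},   # TEST-NET address standing in for an external host
    {"event": 1, "pid": 300, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "desc": "Windows PowerShell"},
    {"event": 3, "pid": 300, "dst": "10.0.0.5", "dport": 445},       # benign admin PowerShell talking to an internal host
]

INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\")

def is_external(dst):
    """True unless the destination falls in an RFC 1918 or loopback range."""
    return not any(ipaddress.ip_address(dst) in n for n in INTERNAL)

def is_powershell(image):
    return image.lower().rsplit("\\", 1)[-1] in ("powershell.exe", "pwsh.exe")

def installer_like(proc):
    """Self-extracting archive, or anything launched from a user-writable directory."""
    return "sfx" in proc["desc"].lower() or any(p in proc["image"].lower() for p in USER_WRITABLE)

def detect(events):
    procs = {e["pid"]: e for e in events if e["event"] == 1}
    net = defaultdict(list)
    for e in events:
        if e["event"] == 3 and is_external(e["dst"]):
            net[e["pid"]].append(f'{e["dst"]}:{e["dport"]}')
    findings = []
    for pid, p in procs.items():
        if not is_powershell(p["image"]):
            continue
        # Walk the parent chain; stop when the parent is not in our event set.
        chain, cur = [], procs.get(p["ppid"])
        while cur:
            chain.append(cur)
            cur = procs.get(cur["ppid"])
        trigger = next((a for a in chain if installer_like(a)), None)
        if trigger:
            findings.append({"pid": pid, "parent_installer": trigger["image"], "external": net[pid]})
    return findings
```

The second PowerShell instance (pid 300) is not flagged: it descends directly from Explorer and only talks to an internal host, which is the false-positive case a rule like this must tolerate.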

The malicious software has the capability to gather a wealth of confidential data from numerous applications. Cryptocurrency wallet apps identified by Red Canary researchers so far include Atomic, Ledger Live, Coinomi, Electron Cash, Waves Client and Exchange, Jaxx Liberty, Electrum, Exodus, Monero and MultiBitHD.

The following web browser apps have also been identified as being at risk: Google Chrome, Brave, Avast Secure, Opera, Mozilla Firefox, CCleaner and Vivaldi.

Red Canary has stressed that the potential losses from ransomware attacks, incident response and remediation, and cryptocurrency theft resulting from installing pirated software can ultimately be far more costly than paying for official software licences.
