Threat actors are distributing altered KMSPico installers to infect Windows devices with malware that steals cryptocurrency wallets.
This activity has been spotted by researchers at Red Canary, who warn that pirating software to save on licensing costs isn't worth the risk.
KMSPico is a popular Microsoft Windows and Office product activator that emulates a Windows Key Management Services (KMS) server to activate licenses fraudulently.
According to Red Canary, the number of IT departments using KMSPico instead of legitimate Microsoft software licenses is much bigger than one would expect.
"We've observed several IT departments using KMSPico instead of legitimate Microsoft licenses to activate systems," explained Red Canary intelligence analyst Tony Lambert. "In fact, we even experienced one ill-fated incident response engagement where our IR partner could not remediate one environment due to the organization not having a single valid Windows license in the environment."
A malicious KMSPico installer analyzed by Red Canary comes in a self-extracting executable like 7-Zip and contains both an actual KMS server emulator and Cryptbot.
"The user becomes infected by clicking one of the malicious links and downloads either KMSPico, Cryptbot, or another malware without KMSPico," explains a technical analysis of the campaign. "The adversaries install KMSPico also, because that is what the victim expects to happen, while simultaneously deploying Cryptbot behind the scenes."
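A trojanised installer built as a 7-Zip self-extracting executable carries the archive as an overlay behind the PE stub, so a triage step is to locate the 7z signature header inside the file and verify its start-header CRC before trusting the match. The helper below is an added example, not code from the article or from Red Canary; the sample bytes it builds are constructed here and are not the campaign's installer.

```python
# Added example (not from the article or Red Canary): triage helper that checks whether a
# Windows executable carries an embedded 7-Zip archive, the layout of a 7-Zip
# self-extracting (SFX) installer such as the trojanised KMSPico build described above.
import struct
import zlib
from typing import Optional

SEVEN_ZIP_MAGIC = b"7z\xbc\xaf\x27\x1c"   # fixed 6-byte 7z signature
SIGNATURE_HEADER_LEN = 32                # magic(6) + version(2) + crc(4) + start header(20)

def find_embedded_7z(data: bytes) -> Optional[dict]:
    """Return details of an embedded 7z archive inside a PE file, or None.

    The 7z signature header is: magic, version (major, minor), CRC32 of the
    20-byte start header, then NextHeaderOffset / NextHeaderSize (u64, relative
    to the end of the signature header) and NextHeaderCRC (u32).
    """
    if data[:2] != b"MZ":
        return None                              # not a Windows executable
    pos = data.find(SEVEN_ZIP_MAGIC)
    if pos < 0 or pos + SIGNATURE_HEADER_LEN > len(data):
        return None
    hdr = data[pos:pos + SIGNATURE_HEADER_LEN]
    major, minor = hdr[6], hdr[7]
    (start_crc,) = struct.unpack_from("<I", hdr, 8)
    next_off, next_size, _next_crc = struct.unpack_from("<QQI", hdr, 12)
    # A chance byte match will almost never carry a matching start-header CRC.
    crc_ok = (zlib.crc32(hdr[12:32]) & 0xFFFFFFFF) == start_crc
    archive_end = pos + SIGNATURE_HEADER_LEN + next_off + next_size
    return {
        "archive_offset": pos,
        "version": f"{major}.{minor}",
        "start_header_crc_ok": crc_ok,
        "next_header_offset": next_off,
        "next_header_size": next_size,
        "archive_fits_in_file": archive_end <= len(data),
    }

def build_sample_sfx() -> bytes:
    """Constructed sample: a fake MZ stub followed by a minimal, CRC-consistent 7z header."""
    stub = b"MZ" + b"\x00" * 62 + b"This program cannot be run in DOS mode." + b"\x00" * 17
    packed = b"\x01\x02\x03\x04"           # stand-in for the packed streams
    next_header = b"\x17\x06\x01"          # stand-in for the encoded header block
    start = struct.pack("<QQI", len(packed), len(next_header), zlib.crc32(next_header))
    sig = SEVEN_ZIP_MAGIC + bytes([0, 4]) + struct.pack("<I", zlib.crc32(start)) + start
    return stub + sig + packed + next_header
```

On a real sample, a hit with `start_header_crc_ok` true and `archive_fits_in_file` true is worth listing with a 7-Zip tool to see how many payloads the installer actually drops.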