Malicious KMSpico installers are being distributed by threat actors to infect Windows devices with malware that steals bitcoin wallets.
Researchers at Red Canary have seen this behavior and advise that pirating software to save money on licensing prices isn’t worth the danger.
KMSPico is a widely used Microsoft Windows and Office product activator that imitates a Windows Key Management Services (KMS) server in order to fraudulently activate licenses.
KMSPico is widely disseminated via pirated software and cracking sites, which bundle the tool with adware and malware in installers.
As you can see in the screenshot below, there are a slew of sites claiming to be the official site for KMSPico distribution.
The majority of KMSPico search results return sites that pretend to be official.
The majority of Google Search results are websites claiming to be official.
A malicious KMSPico installer analyzed by RedCanary comes in a self-extracting executable like 7-Zip and contains both an actual KMS server emulator and Cryptbot.
The malware is wrapped in the CypherIT packer, which obfuscates the installer and makes it difficult for security tools to detect. This installer then runs a strongly obfuscated script capable of identifying sandboxes and AV emulation, preventing it from executing on the researcher’s devices.
Furthermore, Cryptobot checks for the presence of ” percent APPDATA percent Ramson,” and if the folder exists, it executes its self-deletion process to prevent re-infection.
The Crypt Bot bytes are injected into memory via the process hollowing approach, and the malware’s operational aspects are similar to those found in earlier studies.