Hackers use infected Windows activators to steal from crypto wallets

Hackers are imitating popular pirating tool KMSPico to spread malware, which could steal data from various crypto wallets. The attack is particularly dangerous because using KMSPico often requires people to disable antimalware software.

According to a report by Red Canary from December 2, 2021, fake versions of KMSPico have been utilized to get malware onto PCs. If someone allows their system to be compromised by fake software, the Cryptbot malware can steal credentials.

KMSPico is a tool used to circumvent license fees for Windows and Office. It uses Windows Key Management Services – a tool frequently used for legitimate reasons by enterprise clients – to fraudulently activate the software.

One of the malicious KMSPico installers analyzed by researchers comes packed with Cryptbot malware that can steal credentials and other sensitive information from web browsers installed on your PC. It also affects various cryptocurrency wallets such as Ledger Live, Atomic, Electrum, Exodus, Coinomi, and more. Moreover, it can be used to drop banking malware such as Danabot or any other malicious payload.

Because KMSPico is used to pirate software, many antimalware tools flag it as a potentially unwanted program (PUP). Because of this, pirates will often disable security features to use KMSPico. This makes a fake version of the software is especially dangerous, as PC owners may have voluntarily left themselves defenseless.

Red Canary intelligence analyst Tony Lambert says it’s not just regular home users that use this tool. Many small businesses try to save on licensing costs by using pirated copies of Windows and Office activated using KMSPico, introducing numerous security risks for their IT infrastructure. Lambert notes the firm even “experienced one ill-fated incident response engagement where our IR partner could not remediate one environment due to the organization not having a single valid Windows license in the environment.”

The American cybersecurity firm said it also observed several IT departments using the illegitimate software instead of valid Microsoft licenses to activate systems, adding the altered KMSpico installers are distributed via a number of websites that claim to be offering the “official” version of the activator.

Cryptbot can collect sensitive information from the following applications:

• Atomic cryptocurrency wallet
• Avast Secure web browser
• Brave browser
• Ledger Live cryptocurrency wallet
• Opera Web Browser
• Waves Client and Exchange cryptocurrency applications
• Coinomi cryptocurrency wallet
• Google Chrome web browser
• Jaxx Liberty cryptocurrency wallet
• Electron Cash cryptocurrency wallet
• Electrum cryptocurrency wallet
• Exodus cryptocurrency wallet
• Monero cryptocurrency wallet
• MultiBitHD cryptocurrency wallet
• Mozilla Firefox web browser
• CCleaner web browser
• Vivaldi web browser

This is far from the first time cracked software has emerged as a conduit for deploying malware. For example, in June 2021, Czech cybersecurity software company Avast disclosed a campaign dubbed “Crackonosh” that involved distributing illegal copies of popular software to break into and abuse the compromised machines to mine cryptocurrency, netting the attacker over $2 million in profits.