Malicious KMSPico installers steal your cryptocurrency wallets

xrobwx71

Another very good reason NOT to pirate software.

Threat actors are distributing altered KMSpico installers to infect Windows devices with malware that steals cryptocurrency wallets.

This activity has been spotted by researchers at Red Canary, who warn that pirating software to save on licensing costs isn't worth the risk.

KMSPico is a popular Microsoft Windows and Office product activator that emulates a Windows Key Management Services (KMS) server to activate licenses fraudulently.

A malicious KMSPico installer analyzed by Red Canary comes in a self-extracting executable like 7-Zip and contains both an actual KMS server emulator and Cryptbot.

In summary, Cryptbot is capable of collecting sensitive data from the following apps:

  • Atomic cryptocurrency wallet
  • Avast Secure web browser
  • Brave browser
  • Ledger Live cryptocurrency wallet
  • Opera Web Browser
  • Waves Client and Exchange cryptocurrency applications
  • Coinomi cryptocurrency wallet
  • Google Chrome web browser
  • Jaxx Liberty cryptocurrency wallet
  • Electron Cash cryptocurrency wallet
  • Electrum cryptocurrency wallet
  • Exodus cryptocurrency wallet
  • Monero cryptocurrency wallet
  • MultiBitHD cryptocurrency wallet
  • Mozilla Firefox web browser
  • CCleaner web browser
  • Vivaldi web browser

SOURCE
 
Fortunately, since Microsoft have relaxed the restrictions on unlicensed copies of the newer versions of Windows, I rarely see any evidence of KMSpico installed now. It used to be much more abundant during the Windows 7 era.

Again, as you mentioned, it's another good reason why you should never install cracked software or use programs to bypass licensing activation.
 
While there may be occasional honor among thieves, there's never been any among cyber thieves.

Forewarned is forearmed. And this is a case of what I'd call just deserts.
 
This is in my eyes an already existing reason in a different jacket.

Known cracks, or any software for that matter, being altered by threat actors as a means to distribute malware has existed for many years; the difference is what the malware can do. Stealing crypto wallets is new AFAIK, but other than that it's nothing special.
 
ESET on Virustotal flags it as malicious.

But does anything else? Nothing against ESET, but false positives are a fact of life. One of the reasons I use virustotal is to get a far more educated opinion as to whether something may, or may not, be a false positive (or negative).

If you run virustotal on something and only a handful of the 80-ish scanners come back as positive, it's almost certain to be a false positive.

It's not at all uncommon to have something throw a false positive on virustotal from one or two of the scanners.
 
But does anything else?
I don't know. I have Glasswire and one of the things it does is monitor installers and upload them automatically to VirusTotal, then display the VT info in a notification.

You are correct, it was 1/69 (ESET) that found it malicious. I should have been clearer. I wasn't trying to insinuate it was malicious but it does look like that.

I tried it for a few minutes and it looks to be Chrome with its own adblocker, its own "do not tell", Dashlane and a few other CCleaner branded extensions pre-installed.
 
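The detection-ratio reasoning in the two posts above (1/69, ESET only) as an added Python example; this is not code from the thread or from VirusTotal. It walks a report shaped like VirusTotal's per-engine results (the sample here is constructed, and the engine label "ESET" is assumed), counts only engines that actually returned a verdict, and applies the thread's rule of thumb with assumed thresholds.

```python
"""Detection-ratio triage for a VirusTotal-style file report.

Rule of thumb from the thread: one or two engines out of roughly 70 is a
weak signal (quite possibly a false positive); broad agreement is strong.
"""
from collections import Counter


def make_report(flagged, total=69):
    """Constructed report modelled on the shape of a VirusTotal v3 file object
    (attributes.last_analysis_results: engine name -> verdict). Placeholder
    engine names and verdict strings are made up for this example."""
    results = {f"Engine{i:02d}": {"category": "undetected", "result": None}
               for i in range(total - len(flagged))}
    for name, verdict in flagged.items():
        results[name] = {"category": "malicious", "result": verdict}
    return {"data": {"attributes": {"last_analysis_results": results}}}


def detection_ratio(report):
    """Return (engines that flagged the file, engines that returned a verdict)."""
    results = report["data"]["attributes"]["last_analysis_results"]
    counts = Counter(v["category"] for v in results.values())
    # Engines that timed out or cannot scan the file type count neither way.
    scanned = sum(counts[c] for c in ("malicious", "suspicious", "undetected", "harmless"))
    flagged = sorted(n for n, v in results.items()
                     if v["category"] in ("malicious", "suspicious"))
    return flagged, scanned


def triage(report, weak=0.05, strong=0.25):
    """Classify a report; the thresholds are assumptions, not VirusTotal's."""
    flagged, scanned = detection_ratio(report)
    ratio = len(flagged) / scanned if scanned else 0.0
    if not flagged:
        verdict = "no engine flagged it"
    elif ratio < weak:
        verdict = "likely false positive; weak signal, get a second opinion (sandbox, vendor lookup)"
    elif ratio < strong:
        verdict = "inconclusive; hold the file and investigate"
    else:
        verdict = "consensus malicious"
    return {"detections": f"{len(flagged)}/{scanned}", "engines": flagged, "verdict": verdict}


if __name__ == "__main__":
    # The 1/69 case from the thread: only one engine flags the installer.
    print(triage(make_report({"ESET": "Suspicious.Installer (constructed)"})))
    # Broad agreement: 45 of 69 engines flag the file.
    many = {f"Vendor{i}": "Trojan.Generic (constructed)" for i in range(45)}
    print(triage(make_report(many)))
```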
Installers, because of their functionality, will often flag as malicious, presumably because it's sometimes fairly difficult with a scan to differentiate between an installer that's installing something legit and one that is not.
 
