Digital piracy can be a rough lifestyle choice, due in large part to the disreputable sources for cracked software and the exploits used to activate paid features. We’ve seen lots of systems fall victim to malware infection because users installed cracked software and assumed it was just cracked software. In one recent case, we detected a system infected by Cryptbot malware designed to steal credentials and traced that infection back to a fake KMSPico installer. This article outlines what KMSPico is and how it relates to Cryptbot. We included the malware analysis of KMSPico in a seperate PDF to supplement the information outlined here.
What is KMSPico?
KMSPico is a tool used to activate the full features of Microsoft Windows and Office products without actually owning a license key. It takes advantage of Windows Key Management Services (KMS), a legitimate technology introduced to license Microsoft products in bulk across enterprise networks. Under normal circumstances, enterprises using legitimate KMS licensing install a KMS server in a central location and use Group Policy Objects (GPO) to configure clients to communicate with it. KMSPico, on the other hand, emulates a KMS server locally on the affected system to fraudulently activate the endpoint’s license.
Even when KMSPico isn’t tainted with malware, it’s not legitimate software either. In the best cases when someone gets the real installer, it’s only used for license circumvention. Since multiple antimalware vendors detect license circumvention software as a potentially unwanted program (PUP), KMSPico is often distributed with disclaimers and instructions to disable antimalware products before installing. Alongside the difficulty in finding a clean download, the disabling instructions prepare unwitting victims to receive malware.
We’ve observed several IT departments using KMSPico instead of legitimate Microsoft licenses to activate systems. In fact, we even experienced one ill-fated incident response engagement where our IR partner could not remediate one environment due to the organization not having a single valid Windows license in the environment. KMSPico and other non-official KMS activators circumvent Microsoft licenses and are a form of pirated software, posing a non-trivial risk to organizations. Legitimate activation on Windows is the only method supported by Microsoft.
Cryptbot stealer, the stowaway
Cryptbot has a long history of deployment via various means from adversaries, and it harms organizations by stealing credentials and other sensitive information from affected systems. Lately, it has been deployed via fake “cracked” software, and in this case it’s particularly insidious by posing as KMSPico. The user becomes infected by clicking one of the malicious links and downloads either KMSPico, Cryptbot, or another malware without KMSPico. The adversaries install KMSPico also, because that is what the victim expects to happen, while simultaneously deploying Cryptbot behind the scenes.
Cryptbot is capable of collecting sensitive information from the following applications:
- Atomic cryptocurrency wallet
- Avast Secure web browser
- Brave browser
- Ledger Live cryptocurrency wallet
- Opera Web Browser
- Waves Client and Exchange cryptocurrency applications
- Coinomi cryptocurrency wallet
- Google Chrome web browser
- Jaxx Liberty cryptocurrency wallet
- Electron Cash cryptocurrency wallet
- Electrum cryptocurrency wallet
- Exodus cryptocurrency wallet
- Monero cryptocurrency wallet
- MultiBitHD cryptocurrency wallet
- Mozilla Firefox web browser
- CCleaner web browser
- Vivaldi web browser
This post has been read 31 times!