Hackers found infecting ‘free’ Windows activators like KMSPico to steal from cryptocurrency wallets


Why it matters: Software piracy isn’t new, but the proliferation of “activators” for Windows and Office has drawn malicious actors who take advantage of unsuspecting users of such tools. Victims use them believing they are saving on software licensing costs, but in doing so they expose their systems to sophisticated malware that evades detection by commercial antivirus solutions and can steal sensitive information.


If you’re purchasing or building a new PC, chances are you’ll need to buy a Windows license for it. Many people aren’t willing to part with more than $100 to get one, so they often resort to purchasing cheap keys from grey market websites or using one of several “activators” available online. The latter option is always a risky move, but historically it hasn’t caused any major damage to most users who went down that route.

How hackers have been found infecting Windows activators like KMSPico

According to security researchers at Red Canary, malicious actors have recently modified one of these tools to distribute malware that can steal tokens from cryptocurrency wallets. The tool in question is KMSPico, which can emulate a Key Management Services (KMS) server locally to activate licenses for Windows and Office products.

One of the malicious KMSPico installers analyzed by researchers comes packed with Cryptbot malware that can steal credentials and other sensitive information from web browsers installed on your PC. It also affects various cryptocurrency wallets such as Ledger Live, Atomic, Electrum, Exodus, Coinomi, and more. More importantly, it can be used to drop banking malware such as Danabot or any other malicious payload.

It’s also worth noting that the Cryptbot malware is difficult to detect, as its creators use various methods, including encrypted binaries, to escape detection by traditional antivirus solutions. Either way, this shows that going the piracy route for Windows and Office isn’t worth it once you consider the risks involved. If anything, buying a PC that comes with Windows pre-installed when it’s on sale might be the best way to save money on the licensing front.


What to do now that hackers have been found infecting Windows activators like KMSPico?

Red Canary intelligence analyst Tony Lambert says it’s not just regular home users that use this tool. Many small businesses try to save on licensing costs by using pirated copies of Windows and Office activated using KMSPico, which introduces a lot of security risks for their IT infrastructure. Lambert notes the firm even “experienced one ill-fated incident response engagement where our IR partner could not remediate one environment due to the organization not having a single valid Windows license in the environment.”

Red Canary suggests that PC owners activate software through legitimate means. “A pirate’s life is not the life for us, especially when it comes to cracked software. KMSPico is license-circumvention software that can be spoofed in a variety of ways, and in this case a malicious version led to an interesting Cryptbot infection designed to steal credentials.” The report concludes by saying, “save yourself the trouble and go for legitimate, supported activation methods.”
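As an added defensive example (not code from the article or from Red Canary), the PowerShell audit below ties together the two points above: KMSPico works by emulating a KMS server on the local machine, and Red Canary's advice is to verify that hosts are activated through legitimate channels. It enumerates licensed Windows and Office products through the SoftwareLicensingProduct WMI class and flags any KMS client whose activation host is the machine itself, plus anything not in the Licensed state; the loopback name list and the elevated-session requirement are assumptions.

```powershell
# Added defensive audit, not from the article or Red Canary.
# Assumptions: Windows 8 / Server 2012 or later with the Software Protection
# Platform, run from an elevated PowerShell session. Property names and
# LicenseStatus codes follow the SoftwareLicensingProduct WMI class.

$statusNames = @{
    0 = 'Unlicensed'; 1 = 'Licensed'; 2 = 'OOBGrace'; 3 = 'OOTGrace'
    4 = 'NonGenuineGrace'; 5 = 'Notification'; 6 = 'ExtendedGrace'
}

# A KMS client whose KMS host is "this machine" is what a local KMS emulator
# looks like. A real KMS host activates with a host key (VOLUME_KMS channel),
# not as a client of itself, so it will not trip this check.
$localNames = @('localhost', '127.0.0.1', '::1', $env:COMPUTERNAME)
if ($env:USERDNSDOMAIN) { $localNames += "$env:COMPUTERNAME.$env:USERDNSDOMAIN" }

function Get-ActivationAudit {
    # Only instances with a partial product key are actually installed licenses
    # (the same filter slmgr.vbs /dlv applies).
    Get-CimInstance -ClassName SoftwareLicensingProduct |
        Where-Object { $_.PartialProductKey } |
        ForEach-Object {
            # Manually configured KMS host takes precedence over DNS discovery.
            $kmsHost = if ($_.KeyManagementServiceMachine) { $_.KeyManagementServiceMachine }
                       else { $_.DiscoveredKeyManagementServiceMachineName }
            $isKmsClient = $_.Description -match 'KMSCLIENT'
            [pscustomobject]@{
                Product       = $_.Name
                Status        = $statusNames[[int]$_.LicenseStatus]
                Channel       = if ($isKmsClient) { 'KMS client' }
                                elseif ($_.Description -match 'MAK') { 'MAK' }
                                else { 'Retail/OEM/Other' }
                KmsHost       = $kmsHost
                SuspiciousKms = [bool]($isKmsClient -and $kmsHost -and ($localNames -contains $kmsHost))
                GraceDaysLeft = [math]::Round($_.GracePeriodRemaining / 1440, 1)  # property is in minutes
            }
        }
}

$audit = Get-ActivationAudit
$audit | Format-Table -AutoSize
$flagged = $audit | Where-Object { $_.SuspiciousKms -or $_.Status -ne 'Licensed' }
if ($flagged) {
    Write-Warning "Review activation on $env:COMPUTERNAME for: $($flagged.Product -join ', ')"
}
```

On a fleet, run this through your management tooling and treat a flagged host as a candidate for the same investigation you would give any unauthorized software, since the article's point is that the activator itself is the delivery vehicle.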