Red Canary researchers discovered malware hidden in KMSpico, a well-known tool that activates the licenses of pirated versions of Windows and Office. Cryptbot can collect a large amount of sensitive data, including the credentials used to access various cryptocurrency wallets. Its authors used several techniques to avoid identification by antivirus software.

KMSpico hides Cryptbot

KMSpico is a tool that allows you to activate the full functionality of Windows and Office without a license key. It does this by emulating Microsoft's Key Management Services (KMS), a technology used by companies to manage licenses through a dedicated KMS server. In the case of KMSpico, the server is emulated on the local device.

Red Canary researchers point out that the tool is usually identified as a PUA (Potentially Unwanted Application) by antivirus software, so its distributors provide instructions for disabling the check before installation. However, there are many infected versions of KMSpico on the Internet, one of which contains Cryptbot.

The installer code is obfuscated and therefore not detected by security solutions. No plaintext files are written to the local disk (they are all encrypted). To discover its presence it is necessary to carry out specific searches with PowerShell or to monitor network traffic to certain domains.

Cryptbot collects a great deal of sensitive data from the main browsers (Chrome, Firefox, Opera, Brave, Vivaldi) and from cryptocurrency wallets (including Atomic, Ledger Live, Electron Cash, Exodus, and Monero). Obviously the advice is not to install KMSpico or similar pirated tools. Among other things, original licenses for Windows and Office can be bought at very low prices.