Digital piracy can be a rough lifestyle choice, due in large part to the disreputable sources for cracked software and the exploits used to activate paid features. We’ve seen lots of systems fall victim to malware infection because users installed cracked software and assumed it was just cracked software. In one recent case, we detected a system infected by Cryptbot malware designed to steal credentials and traced that infection back to a fake KMSPico installer. This article outlines what KMSPico is and how it relates to Cryptbot. We included the malware analysis of KMSPico in a seperate PDF to supplement the information outlined here.
What is KMSPico?
KMSPico is a tool used to activate the full features of Microsoft Windows and Office products without actually owning a license key. It takes advantage of Windows Key Management Services (KMS), a legitimate technology introduced to license Microsoft products in bulk across enterprise networks. Under normal circumstances, enterprises using legitimate KMS licensing install a KMS server in a central location and use Group Policy Objects (GPO) to configure clients to communicate with it. KMSPico, on the other hand, emulates a KMS server locally on the affected system to fraudulently activate the endpoint’s license.
Even when KMSPico isn’t tainted with malware, it’s not legitimate software either. In the best cases when someone gets the real installer, it’s only used for license circumvention. Since multiple antimalware vendors detect license circumvention software as a potentially unwanted program (PUP), KMSPico is often distributed with disclaimers and instructions to disable antimalware products before installing. Alongside the difficulty in finding a clean download, the disabling instructions prepare unwitting victims to receive malware.
We’ve observed several IT departments using KMSPico instead of legitimate Microsoft licenses to activate systems. In fact, we even experienced one ill-fated incident response engagement where our IR partner could not remediate one environment due to the organization not having a single valid Windows license in the environment. KMSPico and other non-official KMS activators circumvent Microsoft licenses and are a form of pirated software, posing a non-trivial risk to organizations. Legitimate activation on Windows is the only method supported by Microsoft.
Will the real KMSPico please stand up?
Cryptbot stealer, the stowaway
Cryptbot has a long history of deployment via various means from adversaries, and it harms organizations by stealing credentials and other sensitive information from affected systems. Lately, it has been deployed via fake “cracked” software, and in this case it’s particularly insidious by posing as KMSPico. The user becomes infected by clicking one of the malicious links and downloads either KMSPico, Cryptbot, or another malware without KMSPico. The adversaries install KMSPico also, because that is what the victim expects to happen, while simultaneously deploying Cryptbot behind the scenes.
Cryptbot is capable of collecting sensitive information from the following applications:
Atomic cryptocurrency wallet
Avast Secure web browser
Ledger Live cryptocurrency wallet
Opera Web Browser
Waves Client and Exchange cryptocurrency applications
Coinomi cryptocurrency wallet
Google Chrome web browser
Jaxx Liberty cryptocurrency wallet
Electron Cash cryptocurrency wallet
Electrum cryptocurrency wallet
Exodus cryptocurrency wallet
Monero cryptocurrency wallet
MultiBitHD cryptocurrency wallet
Mozilla Firefox web browser
CCleaner web browser
Vivaldi web browser
Note: For an in-depth analysis of the malicious KMSPico installer, you can read our full malware analysis in this PDF.
Behavioral detection shores up signature-based detection
This distribution of Cryptbot continues a trend we’ve seen in recent threats, such as Yellow Cockatoo/Jupyter. Adversaries continue to use packers, crypters, and evasion methods to stymie signature-based tools such as antivirus and YARA rules. As these threats grow more complex with their obfuscation, they must exert an equal and opposite effort to remove that same obfuscation after delivery to run the malware. During this delivery and obfuscation process, behavior-based detection shines and helps close gaps on malicious activity that might otherwise get missed.
In this case, the adversary used the CypherIT AutoIT crypter to obfuscate Cryptbot, and no cleartext Cryptbot binaries existed on disk. Despite the obfuscation, we could still detect the threat by targeting behaviors that delivered and deobfuscated the malware. For this threat, the following detection strategies helped us.
Detection opportunity: CypherIT
Search for binaries containing AutoIT metadata but don’t have “AutoIT” in their file names
AutoIT processes making external network connections
findstr commands similar to findstr /V /R "^ … $
Detection opportunity: Cryptbot
PowerShell or cmd.exe commands containing rd /s /q, timeout, and del /f /q together
A pirate’s life is not the life for us, especially when it comes to cracked software. KMSPico is license-circumvention software that can be spoofed in a variety of ways, and in this case a malicious version led to an interesting Cryptbot infection designed to steal credentials. Save yourself the trouble and go for legitimate, supported activation methods.
All 2021 Threat Detection Report content is fully available through this website. If you prefer to download a PDF, just fill out this form and let us know what email to send it to.
Thanks for your interest!
Check your inbox, the 2021 Threat Detection Report is headed your way.
Privacy & Cookies Policy
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.