A new BitRAT malware distribution campaign is underway, exploiting users who want to activate pirated versions of Windows operating systems for free using unofficial Microsoft license activators.
BitRAT is a powerful remote access trojan sold on cybercrime forums and dark web markets for as little as $20 (lifetime access) to any cybercriminal who wants it.
As such, each buyer takes their own approach to malware distribution, ranging from phishing and watering holes to trojanized software.
Pirates attacked with malware
In a new BitRAT malware distribution campaign discovered by researchers at AhnLab, threat actors spread the malware as a Windows 10 Pro license activator on web hards.
Web hards are online storage services popular in South Korea that receive a steady stream of visitors from direct download links posted on social media platforms or Discord. Because of their widespread use in the region, threat actors increasingly use web hards to distribute malware.
The actor behind the new BitRAT campaign appears to be Korean, based on Korean characters found in the code snippets and on the distribution method.
Post promoting the BitRAT dropping Windows activator (ASEC)
To use Windows 10 properly, you need to purchase and activate a license from Microsoft. While there are ways to get Windows 10 for free, you still need a valid Windows 7 license to get the free upgrade.
Those who don’t want to deal with licensing issues or don’t have a license to upgrade often turn to pirating Windows 10 and use unofficial activators, many of which contain malware.
In this campaign, the malicious file promoted as a Windows 10 activator is called ‘W10DigitalActiviation.exe’ and has a simple GUI with a button to ‘Activate Windows 10’.
The malware downloader that masquerades as a Windows activator (ASEC)
However, instead of activating the Windows license on the host system, the “activator” downloads malware from a hard-coded command and control server managed by the threat actors.
The payload retrieved is BitRAT, installed in %TEMP% as ‘Software_Reporter_Tool.exe’ and added to the startup folder. The downloader also adds Windows Defender exclusions so that BitRAT is not detected.
Once the malware installation process is complete, the downloader removes itself from the system, leaving behind only BitRAT.
The downloader that gets the BitRAT payload (ASEC)
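The downloader chain described above (executable dropped in %TEMP%, a copy placed in the Startup folder, a Defender exclusion added) is a recognisable pattern for endpoint telemetry. The following is an added example, not ASEC's or BleepingComputer's code, that correlates constructed Sysmon-style events per process and flags only processes that combine an exclusion change with a drop or persistence write; the event field names follow Sysmon conventions and the sample events are invented for illustration.

```python
import re

# Constructed Sysmon-style events (not real telemetry from this campaign).
# EventID 11 = FileCreate, EventID 13 = RegistryEvent (Value Set).
SAMPLE_EVENTS = [
    {"EventID": 11, "ProcessId": 4120,
     "Image": r"C:\Users\victim\Downloads\W10DigitalActiviation.exe",
     "TargetFilename": r"C:\Users\victim\AppData\Local\Temp\Software_Reporter_Tool.exe"},
    {"EventID": 13, "ProcessId": 4120,
     "Image": r"C:\Users\victim\Downloads\W10DigitalActiviation.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths"
                     r"\C:\Users\victim\AppData\Local\Temp"},
    {"EventID": 11, "ProcessId": 4120,
     "Image": r"C:\Users\victim\Downloads\W10DigitalActiviation.exe",
     "TargetFilename": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows"
                       r"\Start Menu\Programs\Startup\Software_Reporter_Tool.exe"},
    # Benign installer: writes a Startup shortcut but touches no Defender exclusion.
    {"EventID": 11, "ProcessId": 900,
     "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetFilename": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows"
                       r"\Start Menu\Programs\Startup\Vendor.lnk"},
]

STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
EXCLUSION_RE = re.compile(r"\\Windows Defender\\Exclusions\\", re.IGNORECASE)
TEMP_EXE_RE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.exe$", re.IGNORECASE)


def correlate(events):
    """Return processes that add a Defender exclusion AND drop/persist a payload."""
    per_proc = {}
    for ev in events:
        flags = per_proc.setdefault((ev["ProcessId"], ev["Image"]), set())
        if ev["EventID"] == 11:
            target = ev["TargetFilename"]
            if STARTUP_RE.search(target):
                flags.add("startup_persistence")
            if TEMP_EXE_RE.search(target):
                flags.add("temp_exe_drop")
        elif ev["EventID"] == 13 and EXCLUSION_RE.search(ev["TargetObject"]):
            flags.add("defender_exclusion")
    findings = []
    for (pid, image), flags in per_proc.items():
        # A Startup write alone is routine for installers; the exclusion change
        # combined with a drop or persistence write is what makes this suspicious.
        if "defender_exclusion" in flags and flags & {"startup_persistence", "temp_exe_drop"}:
            findings.append({"pid": pid, "image": image, "indicators": sorted(flags)})
    return findings


if __name__ == "__main__":
    for hit in correlate(SAMPLE_EVENTS):
        print(hit)
```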
A versatile RAT
BitRAT is promoted as a powerful, cheap and versatile malware that can steal a wide range of valuable information from the host, perform DDoS attacks, UAC bypass, etc.
BitRAT supports generic keylogging, clipboard monitoring, webcam access, audio recording, web browser credentials theft, and XMRig coin mining functionality.
In addition, it provides remote control for Windows systems, hidden virtual network computing (hVNC) and reverse proxy via SOCKS4 and SOCKS5 (UDP). On that front, ASEC analysts have found strong code similarities with TinyNuke and its derivative, AveMaria (Warzone).
The hidden desktop feature of these RATs is valuable enough that some hacking groups, such as Kimsuky, have added them to their arsenal for the hVNC capability.
Risk of piracy
Even if the legal and ethical aspects are ignored, using pirated software is always a security risk.
The more tools used to activate illegally obtained copies of software or crack their intellectual property protection systems, the more likely they are to end up with a nasty malware infection.
Those who cannot afford to buy a Windows license should instead look to alternatives such as accepting the limitations of the unactivated version, checking for special offers from reliable platforms, or using Linux.
Ultimately, users should not trust license activators or unsigned executables written and released by unknown vendors to run on their system.
This post, “BitRAT malware is now spreading as a Windows 10 license activator”, was originally published at https://www.bleepingcomputer.com/news/security/bitrat-malware-now-spreading-as-a-windows-10-license-activator/