A new attack campaign distributing an information stealer known as Cryptbot has been identified by cybersecurity researchers. Details of the operation were published in a blog post by Red Canary. According to its findings, Cryptbot was aimed at users looking for illegally cracked software or trying to circumvent the licensing of legitimate products.
More specifically, the researchers observed that the Cryptbot operators used fake KMSPico installers to get onto their victims' computers. Once deployed, Cryptbot begins harvesting various sensitive information from the compromised device. It can collect data from numerous web browsers (Opera, Chrome, Firefox, Vivaldi, the CCleaner browser and Brave), and the attackers can also obtain data saved by numerous cryptocurrency wallet applications, such as Atomic, Ledger Live, Coinomi, Electrum, Monero and many more.
The decision to use fake KMSPico installers is an astute choice of lure. KMSPico is one of the most popular tools people use to unlock the paid features of Microsoft products such as Windows and Office. It lets users fake the activation needed to unlock the full versions of those products without paying for them. As its name suggests, the tool abuses the legitimate Windows Key Management Service (KMS): in an enterprise, administrators install a genuine KMS host and point client systems at it (through a DNS record or Group Policy Objects, GPO), and the clients then activate against that server. KMSPico instead stands up an emulated KMS server on the local machine and directs Windows to activate against it, so the operating system believes it holds a valid volume license. Because an activator of this kind must run with administrative rights, and its guides commonly tell users to switch off antivirus first, it is an ideal vehicle for malware.
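One check a defender can run on a Windows host is to ask where its KMS activation actually points. The PowerShell below is an added example and is not code from the article or from Red Canary's report: it reads the licensing WMI classes (SoftwareLicensingService and SoftwareLicensingProduct), compares the configured KMS host with the `_vlmcs._tcp` SRV record the domain publishes, and flags hosts that activate against themselves. Treating a loopback or self-referencing KMS host as suspicious is this example's own heuristic, not a published indicator, and the list of "self" names is an assumption you may need to extend.

```powershell
# Added example, not part of the original article or of Red Canary's report.
# Audits where this Windows host's KMS activation points. Enterprise KMS
# clients normally find their KMS host via the _vlmcs._tcp DNS SRV record or
# an explicit host set with `slmgr /skms`; a KMS emulator instead points
# activation at the local machine. The loopback/self heuristic is an
# assumption made for this example, not a published indicator of compromise.

function Test-KmsActivationSource {
    [CmdletBinding()]
    param()

    # Names that mean "this machine" (assumed heuristic list, extend as needed)
    $selfNames = @('127.0.0.1', '127.0.0.2', 'localhost', $env:COMPUTERNAME)

    # KMS hosts the domain actually publishes (empty on standalone machines)
    $published = @(Resolve-DnsName -Name '_vlmcs._tcp' -Type SRV -ErrorAction SilentlyContinue |
                   Where-Object { $_.NameTarget } |
                   ForEach-Object { $_.NameTarget.TrimEnd('.') })

    # Machine-wide override configured with `slmgr /skms`
    $svc = Get-CimInstance -ClassName SoftwareLicensingService

    # Only products on a KMS client channel that have a product key installed.
    # Retail/OEM/MAK-licensed machines produce no rows here, which is expected.
    $products = Get-CimInstance -ClassName SoftwareLicensingProduct |
        Where-Object { $_.PartialProductKey -and $_.Description -like '*KMSCLIENT*' }

    foreach ($p in $products) {
        # Effective KMS host: per-product setting, then service-wide override,
        # then whatever the client discovered through DNS.
        $kmsHost = @($p.KeyManagementServiceMachine,
                     $svc.KeyManagementServiceMachine,
                     $p.DiscoveredKeyManagementServiceMachineName) |
                   Where-Object { $_ } | Select-Object -First 1

        # Strip a trailing ":port" (KMS defaults to TCP 1688) before comparing
        $bare = if ($kmsHost) { $kmsHost -replace ':\d+$', '' } else { '' }

        $reason = if (-not $bare) {
            'no KMS host configured or discovered'
        } elseif ($selfNames -contains $bare) {
            'KMS host resolves to this machine (possible KMS emulator)'
        } elseif ($published.Count -gt 0 -and $published -notcontains $bare) {
            'KMS host differs from the _vlmcs._tcp record the domain publishes'
        } else {
            ''
        }

        [pscustomobject]@{
            Product       = $p.Name
            LicenseStatus = $p.LicenseStatus   # 1 means licensed
            KmsHost       = $kmsHost
            PublishedKms  = ($published -join ',')
            Suspicious    = [bool]$reason
            Reason        = $reason
        }
    }
}

# Usage: show only the entries worth a second look
Test-KmsActivationSource | Where-Object Suspicious | Format-Table -AutoSize
```

Run it in an elevated PowerShell session; on a domain-joined client the `PublishedKms` column should match `KmsHost`, and a KMS client whose host is the machine itself is worth correlating with the rest of the endpoint (the installer that set it, and the processes that followed).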
The Cryptbot campaign is further clear evidence that people who seek out cracked software run an increased risk of a malware infection.